Full Report
The FBI and authorities in The Netherlands this week seized a number of servers and domains for a hugely popular spam and malware dissemination service operating out of Pakistan. The proprietors of the service, who use the collective nickname "The Manipulaters," have been the subject of three stories published here since 2015. The FBI said the main clientele are organized crime groups that try to trick victim companies into making payments to a third party.
Analysis Summary
# Threat Actor: The Manipulaters (Saim Raza)
## Attribution & Identity
* **Primary Nickname:** The Manipulaters
* **Attributed Pseudonym/Name:** Saim Raza (a name used communally for promotion)
* **Associated Entities/Firms:** WeCodeSolutions (a web coding company in Lahore, Pakistan), FudCo (branding seen on anniversary cakes).
* **Origin:** The operation is strongly associated with Pakistan.
## Activity Summary
The Manipulaters operated a hugely popular, long-running service functioning as a marketplace for cybercrime tools and services, primarily focused on spam, malware dissemination, and phishing infrastructure. The service was seized by the FBI and Dutch police on January 29th. Their core product, **Heartsender**, was used by organized crime groups to facilitate Business Email Compromise (BEC) schemes, tricking victim companies into making fraudulent payments. They have been active since at least 2015, openly advertising their illicit services on cybercrime forums.
## Tactics, Techniques & Procedures
- **Malware Dissemination:** Providing tools for spam and malware delivery.
- **Phishing Kit Provision:** Selling ready-made phishing kits targeting major platforms (e.g., Microsoft 365, Yahoo, iCloud).
- **Evasion Techniques:** Offering "Fudtools" (Fully Un-Detectable) resources, including an "Antibot" feature designed to evade automated security detection.
- **Infrastructure Leasing/Marketplace:** Operating Heartsender as a storefront to advertise and sell tools to cybercriminal clients.
- **Operational Security (OpSec) Failure:** The reporting notes the group was brazen about its identity, leading to self-doxxing (e.g., publishing employee photos and company anniversary celebrations online).
- **Data Leakage:** The Heartsender platform itself leaked vast amounts of customer information, including credentials and support requests containing root-level SMTP credentials, exposing its own customers' data before any law enforcement action did.
## Targeting
* **Sectors:** Any organization susceptible to Business Email Compromise (BEC) and credential harvesting; specific targets listed include users of **Microsoft 365**, **Yahoo**, **AOL**, **Intuit**, **iCloud**, and **ID.me**.
* **Geography:** Global customer base; seizures involved victims worldwide, including **at least 100,000 records pertaining to Dutch citizens**.
* **Victims:** Transnational organized crime groups were the primary *clients* purchasing the tools, which they then used against operational victims in BEC fraud.
## Tools & Infrastructure
* **Malware families used:** Password-stealing malware was reportedly found infecting The Manipulaters' own computers, leading to their credentials being stolen and sold online.
* **Infrastructure (C2, domains, IPs):**
  * **Service Brands:** Heartsender (core spam delivery service), Fudpage, Fudtools, FudCo (branding).
  * **Infrastructure Seized:** Dozens of servers and domains associated with these brands were seized by law enforcement in the Netherlands, supported by other international partners, as part of "Operation Talent" activities targeting related cybercrime forums.
## Implications
The seizure represents a significant disruption to the sale and distribution of professional-grade, "FUD" cybercrime infrastructure used by organized criminal networks, particularly those running BEC scams. The group's failure in basic OpSec provided intelligence to law enforcement and, through the data leakage from the Heartsender platform, potentially exposed their customers to further risk. The ongoing investigation by Dutch police suggests potential arrests of the buyers who used these tools.
## Mitigations
- Enhance email security defenses against sophisticated phishing, focusing on credential-harvesting techniques that target common corporate and cloud services (Microsoft 365, etc.).
- Implement stringent operational security (OpSec) practices across development and corporate communications to prevent self-doxxing or inadvertent exposure of internal network data.
- Organizations relying on the targeted services (Microsoft 365, etc.) should ensure multi-factor authentication (MFA) is enforced to limit the impact of stolen credentials.