Full Report
U.S. and Dutch law enforcement agencies have announced that they have dismantled 39 domains and their associated servers as part of efforts to disrupt a network of online marketplaces originating from Pakistan. The action, which took place on January 29, 2025, has been codenamed Operation Heart Blocker. The vast array of sites in question peddled phishing toolkits and fraud-enabling tools and
Analysis Summary
# Incident Report: Dismantling of HeartSender BEC Fraud Network
## Executive Summary
U.S. and Dutch law enforcement agencies successfully dismantled a large-scale cybercrime operation, codenamed Operation Heart Blocker, which facilitated Business Email Compromise (BEC) fraud. The network, run by Saim Raza (HeartSender) and based in Pakistan, sold phishing toolkits and fraud-enabling services, leading to over \$3 million in documented losses to victims, primarily in the United States. The operation resulted in the seizure of 39 malicious domains used to distribute these attack resources.
## Incident Details
- Discovery Date: Not explicitly stated, but takedown occurred January 29, 2025.
- Incident Date: The network was operational since at least 2020.
- Affected Organization: Various transnational organizations targeted by BEC schemes; law enforcement agencies in the US and Netherlands were the primary actors on the response side.
- Sector: Cybercrime Infrastructure Sales / Financial Fraud Facilitation.
- Geography: Origin of the operation appeared to be Pakistan; victims were located internationally, including the United States.
## Timeline of Events
### Initial Access
- Date/Time: Since at least 2020.
- Vector: Acquisition of tools/services from the HeartSender (Saim Raza) online marketplaces.
- Details: Marketplaces advertised and sold phishing kits, scam pages, and email extractors designed for digital fraud operations.
### Lateral Movement
- Not applicable in the traditional sense, as this incident deals with the *distribution* of tools used by third parties, rather than the investigation of a single network intrusion. The tools themselves facilitated credential harvesting and phishing campaigns against end-victims.
### Data Exfiltration/Impact
- Data harvested via supplied tools included victim user credentials.
- Financial impact from associated BEC schemes totaled over \$3 million.
### Detection & Response
- **Detection:** Unspecified, but led to a joint operation.
- **Response actions taken:** U.S. and Dutch law enforcement coordinated action (Operation Heart Blocker) resulting in the seizure of 39 associated domains and servers on January 29, 2025.
## Attack Methodology
- **Initial Access:** The seized domains were the infrastructure through which the tools were distributed. Downstream attackers (the marketplace's customers) obtained their capability by purchasing phishing kits and subscription services.
- **Persistence:** The network relied on established domains for continuous service provision before takedown.
- **Privilege Escalation:** Not applicable to the infrastructure provider, but the end-user tools facilitated credential harvesting.
- **Defense Evasion:** N/A (The infrastructure facilitated evasion for the end-user).
- **Credential Access:** The sold tools enabled harvesting of victims' credentials via phishing pages and email extractors.
- **Discovery:** Marketplaces provided instructional YouTube videos, effectively lowering the technical bar for new criminal actors to execute complex schemes.
- **Lateral Movement:** N/A (Facilitated for downstream actors).
- **Collection:** Email extractors were sold to gather target data.
- **Exfiltration:** N/A (Facilitated for downstream actors).
- **Impact:** Facilitation of large-scale BEC schemes resulting in financial losses.
## Impact Assessment
- **Financial:** Over \$3 million in losses associated with BEC schemes enabled by the sold toolkits.
- **Data Breach:** Victim user credentials were successfully harvested by the crime groups utilizing the sold tools.
- **Operational:** Disruption of access to fraud-enabling toolsets for an estimated thousands of customers.
- **Reputational:** Significant blow to the organized crime groups utilizing this specific marketplace infrastructure.
## Indicators of Compromise
- **Network indicators (defanged):** 39 seized domains (specific names redacted/not provided in summary).
- **File indicators:** Phishing toolkits, scam pages, email extractors (specific hashes/filenames unavailable).
- **Behavioral indicators:** Use of platforms advertising fraud tools and customer support via instructional videos.
## Response Actions
- **Containment measures:** Seizure and take-down of 39 domains associated with the HeartSender network infrastructure.
- **Eradication steps:** Dismantling of the online marketplaces operated by Saim Raza.
- **Recovery actions:** Dutch police provided a URL for potentially impacted users to check for credential theft: www[.]politie[.]nl/checkjehack.
## Lessons Learned
- **Key takeaways:** Hosting and selling readily available crimeware tools significantly lowers the barrier to entry for sophisticated crimes like BEC, enabling less technically skilled actors to inflict major financial damage. International cooperation (US DOJ and Dutch Police) is effective in dismantling complex, transnational cybercrime support infrastructure.
- **What could have been done better:** Proactive monitoring and disruption of these tool-selling forums earlier than the reported enforcement action date may have prevented millions in accumulated losses since 2020.
## Recommendations
- **Prevention measures for similar incidents:** Increased surveillance of underground forums and marketplaces selling phishing kits and BEC-enabling software. Continued international collaboration to target the supply chain of cybercrime tools, not just the end-users. Organizations should implement robust email security awareness training tailored to identify sophisticated BEC attempts facilitated by such kits.