Full Report
The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums.
Analysis Summary
# Threat Actor: Unattributed Operators (Associated with Cracked and Nulled Forums)
## Attribution & Identity
The primary focus is on the individuals linked to the operation and ownership of the cybercrime forums **Cracked** and **Nulled**, and associated infrastructure providers.
**Key Individuals/Entities Identified:**
* **Florian Marzahl:** Co-founder of the payment processor **Sellix** and a controller of **1337 Services GmbH** (which operates AS210558), based in Hamburg, Germany. Used the aliases **FlorainN** and **StarkRDP** on various cybercrime forums. Associated email addresses (obscured in the source text): `[email protected]`, `[email protected]`, `[email protected]`.
* **Finn Alexander Grimpe:** Co-founder of **1337 Services GmbH** and founder of **DreamDrive GmbH**. His first name matches the nickname of the Nulled founder, **"Finn"** or **"Finndev."** Associated email address (obscured in the source text): `[email protected]`.
* **"Finndev" / "Finn":** Apparent founder of the **Nulled** forum.
* **"FlorainN" / "StarkRDP":** Administrator/owner of the **Cracked** forum and operator of the **StarkRDP** RDP rental service.
* **Lucas Sohn:** 29-year-old Argentinian national, identified as one of the alleged administrators of **Nulled**, arrested in Spain.
* **1337 Services GmbH (AS210558):** German company (Hamburg) operating the RDP rental services heavily advertised on both forums.
* **Shoppy Ecommerce Ltd.:** E-commerce platform tied to "Finn" through the email address `[email protected]` (obscured in the source text).
## Activity Summary
**Operation Talent**, an international law enforcement action led by the FBI and European authorities, seized the domain names of two large English-language cybercrime forums: **Cracked** (started 2018, >4 million users) and **Nulled** (active since 2016, >5 million members). Both served as marketplaces for stolen data, hacking tools, and malware. Authorities also seized domains belonging to the forums' payment processor (**Sellix**) and to the RDP/server rental services **StarkRDP\[.\]io** and **rdp\[.\]sh**, both owned by **1337 Services GmbH**.
Marzahl and Grimpe, the operators of 1337 Services GmbH, say they were not directly charged, maintain that their core business (server rentals) was compliant, and plan to relaunch the RDP service under a new name.
## Tactics, Techniques & Procedures
The primary TTPs relate to the facilitation and monetization of cybercrime through underground forums:
* **Forum Operation and Administration:** Maintenance of large-scale cybercrime marketplaces (Cracked, Nulled).
* **Monetization/Service Provision:** Operating RDP rental services (**StarkRDP**, **rdp\[.\]sh**) marketed to forum members.
* **E-commerce Facilitation:** Operating, or being closely connected to, the payment processing and e-commerce platforms used by forum members (**Sellix**, and possibly **Shoppy\[.\]gg**).
* **Anonymity:** Heavy promotion and use of services that obscure a user's origin (rented RDP servers, VPNs).
* **Credential Reuse:** Evidence of extensive password reuse across accounts, including hacker-forum accounts, registered to Florian Marzahl's email addresses (an operational-security lapse by the operators rather than a technique used against victims).
* **Persistence/Migration:** Immediate post-seizure moves to rebrand and migrate the RDP service, announced via **Telegram**.
* [No specific MITRE ATT&CK IDs were provided in the source text.]
## Targeting
* **Sectors:** Not explicitly stated; the forums enabled cybercrime and fraud broadly rather than targeting a particular sector.
* **Geography:** The primary operators/entities were based in **Germany** (1337 Services GmbH, Sellix co-founders). One administrator (**Lucas Sohn**) was arrested in **Spain**. Forum membership appears international, as the forums were English-language.
* **Victims:** The individuals and organizations whose data was stolen and resold on the forums, including holders of the stolen login credentials and stolen identification documents.
## Tools & Infrastructure
* **Malware Families Used:** Hacking tools and malware were trafficked, but specific family names were not listed.
* **Infrastructure (domains only; no C2 servers or IP addresses were listed in the source):**
  * **Forums:** Cracked, Nulled (domains seized).
  * **RDP Services:** StarkRDP\[.\]io, rdp\[.\]sh (domains seized).
  * **Payment/E-commerce:** Sellix (payment processor, domains seized), Shoppy\[.\]gg (associated).
* **Associated Companies:** 1337 Services GmbH (Hamburg, Germany), DreamDrive GmbH.
* **Other Platforms:** Raidforums, Void\[.\]to, vDOS (platforms where Finndev was active).
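The domains above are given in defanged form. As an added example (not code from the report or from any party it describes), the Python below refangs them and scans DNS/proxy log lines for exact or subdomain matches, enforcing a label boundary so that a look-alike such as `notstarkrdp.io` does not match `starkrdp.io`. Only the indicators the report spells out as full hostnames are used (Sellix, Cracked and Nulled have no full domain on the page); the log lines are constructed for illustration.

```python
"""Refang the report's defanged domain indicators and scan log lines for them.

Added example, not code from the report. Only the hostnames the report spells
out in full are used; the log lines below are constructed for illustration.
"""
import re
from typing import List, Tuple

# Indicators as they appear in the report (defanged with [.]).
DEFANGED_IOCS = ["StarkRDP[.]io", "rdp[.]sh", "Shoppy[.]gg", "Void[.]to"]

# Constructed log lines: "<timestamp> <src_ip> <source> <event>".
# Line 2 is a deliberate look-alike that must NOT match.
SAMPLE_LOGS = [
    "2025-01-30T10:01:02Z 10.0.4.12 dns query login.starkrdp.io",
    "2025-01-30T10:01:05Z 10.0.4.12 dns query notstarkrdp.io",
    "2025-01-30T10:02:10Z 10.0.7.3 proxy CONNECT rdp.sh:443",
    "2025-01-30T10:03:44Z 10.0.9.8 proxy GET https://shoppy.gg/product/abc",
    "2025-01-30T10:04:00Z 10.0.1.1 dns query updates.example.com",
]

# Hostname-like tokens: dotted labels ending in an alphabetic TLD, so bare
# IPv4 addresses and timestamps are not picked up.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', '(.)', 'hxxp://') and normalise case."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    for token in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(token, ".")
    return s.rstrip("/.")


def domain_matches(host: str, ioc: str) -> bool:
    """True if host equals the IOC or is a subdomain of it.

    The '.' + ioc suffix check enforces a label boundary, so 'notstarkrdp.io'
    does not match 'starkrdp.io' while 'login.starkrdp.io' does.
    """
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def scan(lines: List[str], iocs: List[str] = DEFANGED_IOCS) -> List[Tuple[str, str, str]]:
    """Return (matched_host, ioc, log_line) for every hit, in log order."""
    refanged = [refang(i) for i in iocs]
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line):
            for ioc in refanged:
                if domain_matches(host, ioc):
                    hits.append((host.lower(), ioc, line))
    return hits


if __name__ == "__main__":
    for host, ioc, line in scan(SAMPLE_LOGS):
        print(f"HIT {host} -> {ioc}: {line}")
```

Running it against the constructed lines yields three hits (`login.starkrdp.io`, `rdp.sh`, `shoppy.gg`) and correctly ignores `notstarkrdp.io`. In production, feed the `DEFANGED_IOCS` list from your threat-intel platform and point `scan` at your resolver or proxy logs; the refang step matters because indicators copied from reports are almost always defanged.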
## Implications
The disruption of Cracked and Nulled is a significant blow to the underground economy, hitting vendors and buyers of initial access, credentials, and cybercrime services alike. The direct link between the forums and legitimate-looking commercial entities (an ISP, e-commerce platforms, RDP rental services) shows how cybercriminals blend illicit and professional enterprises for both operational security and funding. The operators' stated intent to relaunch immediately indicates how resilient these operations are.
## Mitigations
* **Infrastructure Monitoring:** Track the known operator handles (`FlorainN`, `Finndev`) and the seized brands across alternative channels such as Telegram for signs of a relaunch or migration, and update blocklists as successor domains appear.
* **Supply Chain Security:** Assume that credentials, PII, and access methods sold on these forums are being actively used. Vet third-party vendors, particularly RDP and hosting providers, for ties to these individuals and entities (1337 Services GmbH / AS210558).
* **Password Hygiene:** Enforce unique passwords and multi-factor authentication, and check user accounts against leaked-credential feeds, since credential dumps advertised on such forums are what attackers reuse for account takeover.
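One way to operationalize the password-hygiene and credential-exposure points above, as an added example (not code from the report or from any organization it names): take a leaked `email:password` combolist of the kind traded on these forums, find which entries belong to your own users, and test whether the leaked password still verifies against the salted hash your directory stores. That detects reuse without ever handling your users' plaintext passwords. The directory, the PBKDF2 scheme, and the dump lines are constructed stand-ins; a real deployment would read from your identity provider and a breach-monitoring feed.

```python
"""Check a leaked credential dump against an organisation's directory.

Added example, not code from the report. The directory and the dump lines
are constructed; real inputs would come from your identity provider and
from a breach-monitoring feed.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterator, List, Tuple

ITERATIONS = 50_000  # PBKDF2 work factor; raise in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever your IdP stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_directory() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user directory: lower-cased email -> (salt, password hash)."""
    seed = [
        ("alice@example.com", "Winter2024!"),
        ("bob@example.com", "correct horse battery staple"),
        ("carol@example.com", "S3cure&Long#Passphrase"),
    ]
    directory = {}
    for email, password in seed:
        salt = os.urandom(16)
        directory[email] = (salt, hash_password(password, salt))
    return directory


# Constructed dump in the email:password format common to traded combolists.
# The last two lines exercise edge cases: mixed-case address, malformed line.
LEAKED_DUMP = [
    "alice@example.com:Winter2024!",
    "bob@example.com:hunter2",
    "dave@gmail.com:qwerty123",
    "Carol@Example.com:S3cure&Long#Passphrase",
    "garbage line without separator",
]


def parse_dump(lines: List[str]) -> Iterator[Tuple[str, str]]:
    """Yield (normalised_email, password); skip lines with no separator."""
    for line in lines:
        if ":" not in line:
            continue
        email, password = line.split(":", 1)  # passwords may themselves contain ':'
        yield email.strip().lower(), password


def check_exposure(directory: Dict[str, Tuple[bytes, bytes]],
                   dump_lines: List[str]) -> List[Dict[str, object]]:
    """For each of our users found in the dump, record the exposure and whether
    the leaked password still verifies against the stored hash (i.e. reuse).

    Hashing the leaked candidate with the user's own salt means the check
    never needs our users' plaintext passwords.
    """
    findings = []
    for email, leaked_password in parse_dump(dump_lines):
        if email not in directory:
            continue  # not one of our accounts
        salt, stored = directory[email]
        reused = hmac.compare_digest(hash_password(leaked_password, salt), stored)
        findings.append({"email": email, "email_exposed": True, "password_reused": reused})
    return findings


if __name__ == "__main__":
    for f in check_exposure(make_directory(), LEAKED_DUMP):
        action = "force reset, revoke sessions" if f["password_reused"] else "notify, watch for phishing"
        print(f"{f['email']}: password_reused={f['password_reused']} -> {action}")
```

On the constructed data, `alice` and `carol` come back as reused (immediate reset and session revocation), `bob` is exposed but his current password differs (notify and watch for targeted phishing), and `dave@gmail.com` is ignored as not ours. Case-normalising the address matters: combolists are inconsistent about it, and a naive exact match would have missed `carol`. Many dumps carry hashes rather than plaintext; in that case the comparison has to be done against the dump's own hash format, not against your directory.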