DoJ Shutters Cybercrime Forums Behind Attacks on 17M Americans

The "Cracked" and "Nulled" Dark Web sites are now offline, along with the Pakistani "Saim Raza" network of underground forums (aka HeartSender).

The US Department of Justice (DoJ) has partnered with international law enforcement to crack down on Dark Web cybercrime forums, with a pair of operations that disrupted underground markets linked to attacks on millions of victims globally. It's unclear what the long-term effects of the efforts will be, however.

In the first action, the DoJ, in coordination with the Dutch National Police, seized 39 domains operated by a Pakistani group known as Saim Raza (aka HeartSender).

According to a DoJ announcement on Jan. 31, Saim Raza has been operating since 2020, slinging phishing kits and fraud tools to the highest bidder across a network of underground sites. The cybercriminals buying the tools are responsible for global business email compromise (BEC) attacks and other nefarious scams, including against victims in the US who were collectively swindled out of $3 million.

"Not only did Saim Raza make these tools widely available on the open Internet, it also trained end users on how to use the tools against victims by linking to instructional YouTube videos on how to execute schemes using these malicious programs, making them accessible to criminal actors that lacked this technical criminal expertise," the agency said in its announcement. "The group also advertised its tools as 'fully undetectable' by antispam software."

"Cracked" & "Nulled" Dark Web Markets Are … Cracked & Nulled

In a separate action, the DoJ participated in "Operation Talent," a Europol-backed international operation that disrupted the Cracked and Nulled Dark Web marketplaces. Together, the forums have been linked to cybercrimes against at least 17 million US victims.

According to the DoJ, the Cracked marketplace emerged in 2018, boasted 4 million users, made $4 million in revenue, and hosted more than 28 million cybercrime ads over the course of its reign.

Reflective of its name, one service on offer on the Cracked forum gave users a password search tool to find stolen credentials for millions of accounts and services. In one case, a stalker allegedly sextorted and harassed a woman in the Buffalo, NY, area after using the service to break into one of her accounts and access sensitive materials.

The Nulled website domain seizure meanwhile came in tandem with the unsealing of charges against one of its administrators, Lucas Sohn, an Argentinian national living in Spain. Nulled had been around since 2016, had 5 million users, raked in $1 million per year, and listed more than 43 million ads.

Nulled specialized in selling stolen login credentials, stolen identification documents, and hacking tools, according to the DoJ. If convicted, Sohn faces a maximum penalty of five years in prison for conspiracy to traffic in passwords, 10 years in prison for access device fraud, and 15 years in prison for identity fraud.

Law Enforcement Takedowns: Do They Deter Cybercrime?

The actions are just the latest in a flurry of efforts by US law enforcement to take down the infrastructure that powers cybercrime.

Just last week for example, the DoJ announced a partial disruption of North Korea's tech worker scam efforts. And in January, it wrapped up an eradication effort against the notorious PlugX malware. Other recent operations have included arresting actors behind the LockBit ransomware gang and teenaged members of Scattered Spider.

However, law-enforcement disruptions can be a game of whack-a-mole, with new threats popping up, or old ones re-emerging or taking a different shape, in the wake of takedowns. For instance, just two weeks after the DoJ shuttered the infamous BreachForums cybercrime forum last May, it sprang back to life with listings for Ticketmaster breach data. Fast forward several months, and the site is back to enjoying high-traffic status, with cybercriminals using it as a go-to for offering data breach information for sale.

"Arrests can cause actors to move away from a code base or campaigns that were formerly a notable threat," explains Ken Dunham, cyber threat director at Qualys Threat Research Unit. "In other situations, actors adapt, like cockroaches that simply move to another room when you move the couch, when pressure is applied, taking on new codes and tactics to further nefarious means and motives."

It's important to offer a full-court press against the most virulent threats to have even a scintilla of hope to root them out entirely, according to Derek Manky, global vice president of threat intelligence at Fortinet.

"Turning the tide against cybercrime necessitates a culture of collaboration, transparency, and accountability on a larger scale," he explains. "No single organization can effectively stop cybercrime alone. Public-private partnerships can influence the disruption of large-scale cybercrime activities, leading to a safer, more resilient society. Every organization has a place in the chain of disruption against cyberthreats."

Taken on their own though, it's useful to think of the disruption efforts as an important thorn in cybercriminals' sides, at the very least.

"Historically attackers can more easily obtain information and tools than defenders, giving them a perpetual advantage," Evan Dornbush, former National Security Agency (NSA) cybersecurity expert, said in an emailed statement. "Actions like this make it more expensive for cyber criminals to operate, and ultimately this is a good thing. Lesser players who rely on purchasing tools and network access from these two marketplaces won't be able to get started, raising the barrier to entry for their criminal enterprise aspirations."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
