Pakistan-based cybercrime network dismantled by US, Dutch authorities


U.S. and Dutch law enforcement agencies have seized dozens of domains linked to a Pakistan-based cybercrime network operated by a group known as Saim Raza.

The group, also tracked under the name HeartSender, has been using these websites since at least 2020 to sell hacking tools — including phishing kits, scam pages and email extractors — to thousands of customers worldwide, according to a statement from the Justice Department.

“A cybercriminal can use these tools to send large amounts of spam or phishing emails or to steal someone’s login credentials,” the Dutch police said, adding that Saim Raza’s marketplaces also sold access to compromised infrastructure, including email servers, WordPress accounts, and web hosting control panels such as cPanel.

“With stolen cPanel or WordPress accounts, criminals can take control of a website or server’s management system,” the police warned.

Saim Raza’s customers primarily used these tools to carry out business email compromise (BEC) schemes, deceiving companies into transferring funds to accounts controlled by hackers. The group’s operations in the U.S. alone resulted in more than $3 million in losses, authorities said.

“The criminal group behind HeartSender operated very professionally,” the Dutch police noted.

Beyond selling hacking tools, they also provided instructional YouTube videos, training users with little technical expertise on how to deploy the tools against victims. The group marketed its offerings as “fully undetectable” by antivirus software.

Law enforcement agencies have not disclosed whether any suspects were identified or arrested in the operation targeting Saim Raza. U.S. authorities said the domain seizures were intended “to disrupt the ongoing activity of these groups and stop the proliferation of these tools within the cybercriminal community.”

Independent journalist Brian Krebs first exposed Saim Raza’s operation in 2021. After his story was published, one of the group’s operators pleaded with him to take it down, Krebs said.

According to research by U.S. cybersecurity firm DomainTools, the group has been active for nearly a decade. It was among the first phishing-focused marketplaces to expand operations across multiple separately branded shops, integrating various cybercriminal services.

Despite its reach, the group has also suffered from significant security lapses.

“A series of operational security failures call into question the integrity of their criminal enterprise and may even suggest some of their customers are also targets,” DomainTools researchers said.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
