Washington/The Hague, February 1, 2025: U.S. and Dutch law enforcement agencies have seized multiple domains linked to a Pakistan-based cybercrime network operated by a group known as Saim Raza, also tracked under the alias HeartSender.
According to a statement from the U.S. Department of Justice (DOJ), the group has been active since at least 2020, selling hacking tools—including phishing kits, scam pages, and email extractors—to thousands of cybercriminals worldwide.
Dutch police revealed that the HeartSender marketplace provided criminals with the means to send large-scale phishing and spam emails and steal sensitive login credentials. In addition, the group sold access to compromised infrastructure, including hacked email servers, WordPress accounts, and web hosting control panels such as cPanel.
“With stolen cPanel or WordPress accounts, criminals can take control of websites and manipulate server management systems,” Dutch authorities warned.
The group’s customers primarily used these tools for business email compromise (BEC) scams, deceiving companies into transferring funds to hacker-controlled accounts. U.S. authorities reported that HeartSender’s operations in the U.S. alone resulted in more than $3 million in financial losses.
Dutch investigators noted that HeartSender operated in a highly professional manner, not only selling hacking tools but also providing training videos on YouTube that showed even those with minimal technical expertise how to execute cyberattacks. The group marketed its tools as “fully undetectable” by antivirus software, increasing their appeal to cybercriminals.
While law enforcement agencies have not disclosed whether any suspects were identified or arrested, U.S. authorities emphasized that the seizures aim to disrupt the group’s ongoing activities and curb the spread of cybercrime tools.
Independent journalist Brian Krebs first exposed the HeartSender operation in 2021. Following his report, one of the group’s operators pleaded with him to remove the story, Krebs revealed.
Cybersecurity firm DomainTools has been tracking the network for nearly a decade, noting that it was one of the first phishing-focused marketplaces to expand across multiple separately branded platforms, integrating various cybercriminal services.
Despite its vast reach, HeartSender has suffered from major security lapses, raising concerns about the integrity of its operations.
“A series of operational security failures call into question the reliability of their criminal enterprise and may even suggest that some of their customers are also being targeted,” researchers at DomainTools noted.
The crackdown on HeartSender marks a significant victory in the fight against global cybercrime, though authorities continue to monitor and dismantle similar networks.