Global law enforcement seizes 12 domains including Sellix, Cracked and Nulled, €300,000 in cash and cryptocurrencies, and multiple…

Global law enforcement seizes 12 domains including Sellix, Cracked and Nulled, €300,000 in cash and cryptocurrencies, and multiple servers in a coordinated raid targeting cybercrime networks.

As reported by Hackread.com on January 29, 2025, a significant international law enforcement operation, dubbed Operation Talent, disrupted two notorious online cybercrime marketplaces, dealing a blow to the facilitators of digital illicit activities.

The operation, involving agencies from the United States, Romania, Australia, France, Germany, Spain, Italy, and Greece, targeted the notorious platforms Cracked and Nulled, which served as central marketplaces for trading stolen credentials, hacking tools, and other cybercrime activities. 

Now, the Justice Department’s press release has confirmed the seizure, highlighting the central role of the FBI in the investigation. Working with international partners, the FBI identified the servers hosting these marketplaces and the individuals operating them. In the case of Nulled, the Justice Department unsealed charges against an administrator, Lucas Sohn, for his alleged involvement in the platform’s operations.

Seizure notice on Nulled.to, Cracked.to, and Sellix.io (Screenshot credit: Hackread.com)

Executed between January 28th and 30th, Operation Talent resulted in arresting of two individuals in Spain, searches of seven properties, and the seizure of seventeen servers, more than fifty electronic devices, and approximately 300,000 euros in cash and cryptocurrencies. Twelve domains associated with Cracked and Nulled were seized, effectively shutting down these platforms.

Furthermore, related services, including Sellix, a financial processing service used by Cracked, and StarkRDP, a hosting service promoted on both platforms and operated by the same individuals, were also taken offline.

The scope of the operation is substantial, with Cracked alone boasting over four million users and listing more than 28 million posts advertising cybercrime tools and stolen information. Nulled, had over five million users and listed over 43 million posts advertising similar illicit goods and services.

Beyond mere discussions and knowledge sharing, Cracked and Nulled facilitated a “cybercrime-as-a-service” model where users could acquire stolen data, malicious software, hacking tools, and various other resources necessary to carry out cyberattacks. Investigators estimate that the criminal proceeds generated through these platforms amounted to at least one million euros.

Cracked reportedly generated approximately $4 million in revenue and impacted at least 17 million victims in the United States, according to the Justice Department. One particularly concerning product advertised on Cracked offered access to “billions of leaked websites,” enabling users to search for stolen login credentials.

The Justice Department highlighted a case in the Western District of New York where this tool was allegedly used for cyberstalking and harassment, demonstrating the real-world harm these marketplaces facilitate.

Operating since 2016, Nulled generated approximately $1 million in yearly revenue, offering stolen login credentials, identification documents, and hacking tools. A disturbing example cited by the Justice Department is a product advertised on Nulled that purportedly contained the names and social security numbers of 500,000 American citizens.

The crackdown on Cracked and Nulled marks a significant victory over cybercriminals. Operation Talent’s collaborative nature demonstrates the fruitfulness of international cooperation in combating cybercrime, and their commitment to holding cybercriminals accountable regardless of their location.

Operation Talent: Two Arrested as Authorities Dismantle Cracked and Nulled

Massive Pakistani cybercrime network HeartSender has been shut down in a joint US-Dutch operation. Learn how their phishing…

Massive Pakistani cybercrime network HeartSender has been shut down in a joint US-Dutch operation. Learn how their phishing kits and other tools caused millions in losses and impacted countless victims.

U.S. and Dutch law enforcement have taken down a major Pakistani cybercrime network known as HeartSender, or Saim Raza. The takedown was part of Operation Heart Blocker in which authorities seized multiple domains and servers used by the group including Heartsender(.)com and Botsdetector(.)com.

Visitors to these sites are greeted with the following message: “This domain has been seized in accordance with a seizure warrant issued pursuant to 18 U.S.C. § 1030 in the United States District Court for the Southern District of Texas as part of a coordinated law enforcement operation and action by: The U.S. Department of Justice’s Computer Crime & Intellectual Property Section, the Federal Bureau of Investigation, and the Dutch National Police.”

Screenshot credit: Hackread.com

This takedown closely follows another international law enforcement action dubbed Operation Talent resulting in the seizure of two major online cybercrime-as-a-service marketplaces, Cracked and Nulled.

HeartSender specialized in developing and distributing cybercrime tools, including phishing kits for deceptive emails, credential-stealing software, and resources for large-scale spam campaigns. These tools were sold to other cybercriminals, enabling them to carry out a range of attacks. 

The US Department of Justice states that these tools are estimated to have caused over $3 million in losses to victims.  Furthermore, the seizure of HeartSender’s servers yielded millions of records containing sensitive information belonging to their victims.

HeartSender ran multiple online storefronts and used platforms like YouTube to promote its malicious products. The network specialized in offering a full suite of cybercrime tools, enabling criminals to automate and scale large-scale attacks worldwide. HeartSender also provided access to other compromised resources, such as cPanels, SMTP servers, and WordPress accounts, further expanding the scope of their illicit services.

Screenshot from HeartSender’s store – Credit: Hackread.com

The investigation leading to the takedown uncovered a vast trove of stolen data, including millions of victim records. Among them were around 100,000 login credentials belonging to individuals in the Netherlands, highlighting the widespread reach of HeartSender’s cybercrime operations.

Apart from law enforcement, HeartSender has been on the radar of cybersecurity researchers for years. Independent journalist Brian Krebs previously reported on the group’s operational security shortcomings, including malware infections within their own network and significant security vulnerabilities in their services. These vulnerabilities reportedly exposed customer data and internal operations to unauthorized access. 

Krebs notes that the group was called The Manipulators. Krebs reveals that Saim Raza “for the past decade has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” “FudCo,” etc.” Here FUD stands for Fully Un-Detectable.

The dismantling of HeartSender represents yet another victory in the ongoing fight against cybercrime, disrupting a key source of malicious tools and potentially preventing further harm to countless individuals and organizations.

HeartSender Cybercrime Network Dismantled in Joint US-Dutch Operation

Discover how cybercriminals use 'Infrastructure Laundering' to exploit AWS and Azure for scams, phishing, and money laundering. Learn about FUNNULL CDN's tactics and their global impact on businesses and cybersecurity.

Cybersecurity firm Silent Push has identified a new cybercriminal tactic called “Infrastructure Laundering.” Researchers say this technique is becoming more common in the cybercrime world. According to Silent Push’s Threat Analysis team’s investigation, shared with Hackread.com, through this tactic cybercriminals are exploiting mainstream cloud providers like Amazon Web Services (AWS) and Microsoft Azure.

This method allows threat actors to mask their illicit activities by renting IP addresses from these legitimate providers and linking them to their criminal websites. The FUNNULL content delivery network (CDN) extensively uses this tactic, revealing a direct connection to money laundering, retail phishing schemes, and various online scams.

For your information, infrastructure laundering is a form of cybercrime that involves criminals blending their malicious activities with legitimate web traffic, making it difficult for defenders to block access without disrupting legitimate users. This differs from traditional “bulletproof hosting” services, which operate in lax regulations.

FUNNULL’s operation involves renting thousands of IP addresses from major cloud providers, and then constantly cycling through them to stay ahead of detection.  FUNNULL, reportedly, rented over 1,200 IPs from Amazon and nearly 200 from Microsoft. Most of these have already been taken down, but new IPs are continually acquired. 

Silent Push observed that FUNNULL likely uses stolen or fraudulent accounts to secure these IPs, a process that remains largely invisible to outside observers. The connection between FUNNULL and money laundering services, retail phishing, and “pig butchering” scams, all hosted via this infrastructure laundering, emphasizes the real-world impact of this cybercrime tactic.

A supply chain attack earlier this year, where FUNNULL compromised the popular JavaScript library polyfillio, impacting over 110,000 websites, showcases the sophisticated methods employed by these criminal networks.

Further probing revealed a large cluster of malicious infrastructure, facilitating extensive cybercriminal activities, many orchestrated by Chinese Triad groups. This aligns with the UNODC’s 2024 Report on Transnational Organized Crime, which highlights “the convergence of cyber-enabled fraud, underground banking, and technological innovation in Southeast Asia,” researchers noted.

Moreover, the FUNNULL network of scam/money laundering websites is hosted on a combination of Western IP addresses owned by US companies and Asian hosting providers.

“FUNNULL CDN has been identified as hosting over 200,000 unique hostnames, of which approximately 95% are generated through Domain Generation Algorithms (DGAs),” Silent Push’s blog post revealed.

Infrastructure of the entire campaign (left) – b69885com hosted on Microsoft infrastructure (Via Silent Push)

Researchers noted that Bwin, an online gambling portal, is being abused by FUNNULL with dozens of “Bwin-impersonated sites” found on Microsoft infrastructure. A spokesperson from Bwin’s parent company Entain has confirmed that these are fake sites. However, around a dozen other major online gambling brands’ trademarks are also being abused across tens of thousands of shell gambling websites.

Silent Push investigation into fraudulent IP rentals and the ease with which organizations like FUNNULL can repeatedly rent new IPs despite being linked to known malicious activity raises concerns. Researchers suggest that providers must track the specific CNAME chains used by FUNNULL and actively monitor newly rented IPs being mapped to those CNAMEs to effectively combat this tactic

Amazon, in a public statement, acknowledged the issue and confirmed they were suspending fraudulently acquired accounts. They refuted claims of enabling or profiting from such activity, emphasizing their commitment to investigating and stopping abuse.

FUNNULL Unmasked: AWS, Azure Abused for Global Cybercrime Operations

DeepSeek, a Chinese AI startup, exposed sensitive data by leaving a database open. Wiz Research found chat logs, keys, and backend details accessible.

DeepSeek, a Chinese AI company, has made a name for itself with its AI models that rival OpenAI’s systems. But along with its rise came a serious security issue as researchers at Wiz found that a database tied to the company was left publicly accessible, exposing over a million log entries, backend details, software keys, and more.

****How It Happened****

During a routine security assessment, researchers at Wiz discovered that DeepSeek had an unprotected ClickHouse database, open to anyone with internet access. This database wasn’t just visible; it allowed full control over stored data, meaning an attacker could manipulate or extract critical information without restriction.

The exposed database was linked to multiple subdomains, including:

dev.deepseek.com:9000

oauth2callback.deepseek.com:9000

ClickHouse is an open-source, columnar database management system designed to process analytical queries on large datasets quickly. Originally developed by Yandex, it’s widely used for real-time data analytics, log processing, and business intelligence.

According to Wiz’s blog post, its researchers were able to query the system without authentication, revealing a massive volume of logs containing:

*   **API keys**
*   **Chat histories**
*   **Backend service details**
*   **System operational metadata**

This wasn’t just a minor misconfiguration. The database contained detailed logs of internal system activity, exposing how DeepSeek’s AI tools operate and communicate. Worse yet, the exposure meant attackers could execute commands and extract even more sensitive data directly from the server.

****What Was at Risk?****

DeepSeek’s AI services process large amounts of user-generated data, meaning chat logs could have included personal or proprietary information. The database also stored API keys, which, in the wrong hands, could allow attackers to impersonate DeepSeek’s services or access further internal systems.

Given the expansion of AI startups, security often takes a backseat to development speed. In this case, a simple security lapse exposed valuable internal data, which could have been exploited by cybercriminals.

****DeepSeek’s Response****

Once notified by Wiz, DeepSeek moved quickly to lock down the database and remove public access. However, it remains unclear whether any unauthorized parties accessed the information before it was secured.

****DeepSeek: Privacy and Cybersecurity Concerns****

DeepSeek’s Chinese ownership has already raised concerns among Western governments, with some critics arguing that the chatbot collects excessive personal data, posing privacy risks. Adding to these worries, DeepSeek recently reported a “large malicious attack” that forced the company to suspend new user registrations. Now, with a publicly exposed database compromising sensitive information, the company faces yet another cybersecurity setback.

****Expert Opinion****

Gunter Ollmann, CTO at Cobalt, notes that situations like the DeepSeek issue happen often because the process of getting the product up and running takes priority over security. Also, since DeepSeek has taken a prominent place in the world of AI, the impact could have been huge for companies and individual users.

“The DeepSeek exposure highlights a critical and recurring issue—organizations, especially those innovating rapidly in AI, often prioritize speed over security.” Explained Gunter. “Wiz’s discovery reinforces the importance of proactive security testing, particularly as attack surfaces expand with cloud-based infrastructure and publicly accessible APIs.”

DeepSeek AI Leaks Over a Million Chat Logs and Sensitive Data Online

San Francisco, United States / California, 30th January 2025, CyberNewsWire

**San Francisco, United States / California, January 30th, 2025, CyberNewsWire**

Doppler, the leading provider of secrets management solutions, announced a new integration with Datadog, a cloud application monitoring and security platform. This collaboration provides engineering and operations teams with an integrated solution for securely managing sensitive credentials and gaining insights into cloud environments through real-time monitoring.

In an era of rapid cloud adoption, DevOps and security teams face mounting challenges in safeguarding sensitive data across distributed systems. By combining Doppler’s automated secrets management capabilities with Datadog’s comprehensive monitoring platform, this integration enables teams to enhance their security practices while maintaining operational visibility. Doppler’s automated secrets storage and rotation, paired with Datadog’s continuous monitoring, empowers teams to mitigate risks of secret sprawl and prevent unauthorized access in a scalable, automated fashion.

**Streamlining security and visibility across cloud environments**

Many DevOps teams need help maintaining consistent security practices as secrets are often scattered across environments, increasing the risk of misconfigurations. The Doppler integration with Datadog addresses this issue head-on by creating a centralized workflow for managing secrets and monitoring activity across all environments. With Datadog’s alerts and Doppler’s automated security measures, teams can detect and respond to suspicious activity, helping to ensure security and compliance.

> “We are thrilled to integrate with Datadog to combine our secrets management capabilities with their monitoring platform,” said Brian Vallelunga, CEO and Founder of Doppler. “This integration simplifies security for developers and gives organizations the ability to manage secrets at scale, gaining visibility and control over sensitive information across the entire cloud environment. Together, we’re helping teams protect their data while allowing them to stay focused on building great software.”

**How the Doppler-Datadog Integration Solves Key Security Challenges**

*   **Automated secrets management**: Doppler’s platform automates the rotation, storage, and encryption of secrets, minimizing the risk of human error and unauthorized access.
*   **Real-time monitoring and alerts**: Datadog’s continuous monitoring enables teams to track secret usage, receive alerts for suspicious access, and respond quickly to any anomalies.
*   **Security across hybrid environments**: This integration unifies secrets management and monitoring, providing consistency in security practices across hybrid and multi-cloud setups.

**Centralized deployment for DevOps and Security teams**

The integration allows teams to centralize secrets management in Doppler while benefiting from Datadog’s secret usage observability. This provides a simplified solution for both managing and monitoring sensitive information. This approach enhances security without disrupting workflows, helping organizations to meet compliance requirements, reduce risk, and modernize their operations.

**Availability**

The integration is available now. For more information on how this integration can improve users’ security posture and improve secrets management, users can visit the Datadog Integration Documentation.

**About Doppler**

Doppler is a leader in secrets management, providing a centralized, secure solution that automates handling sensitive information such as API keys, tokens, and credentials. Thousands of development teams worldwide trust Doppler to simplify secrets management, improve operational efficiency, and prevent data breaches.

**Contact**

**Doppler Press**  
**\[email protected\]**

Doppler announces integration with Datadog to streamline security and monitoring

Palo Alto, USA, 30th January 2025, CyberNewsWire

**Palo Alto, USA, January 30th, 2025, CyberNewsWire**

SquareX discloses a new attack technique that shows how malicious extensions can be used to completely hijack the browser, and eventually, the whole device.

**PALO ALTO, Calif., Jan. 30, 2025** — Browser extensions have been under the spotlight in enterprise security news recently due to the wave of OAuth attacks on Chrome extension developers and data exfiltration attacks. However, until now, due to the limitations browser vendors place on the extension subsystem and extensions, it was thought to be impossible for extensions to gain full control of the browser, much less the device.

SquareX researchers Dakshitaa Babu, Arpit Gupta, Sunkugari Tejeswara Reddy and Pankaj Sharma debunked this belief by demonstrating how attackers can use malicious extensions to escalate privileges to conduct a full browser and device takeover, all with minimal user interaction. Critically, the malicious extension only requires read/write capabilities present in the majority of browser extensions on the Chrome Store, including common productivity tools like Grammarly, Calendly and Loom, desensitizing users from granting these permissions. This revelation suggests that virtually any browser extension could potentially serve as an attack vector if created or taken over by an attacker. To the best of our understanding, extensions submitted to the Chrome Store requesting these capabilities are not put through additional security scrutiny at the time of this writing.

The browser syncjacking attack can be broken up into three parts: how the extension silently adds a profile managed by the attacker, hijacks the browser and eventually gains full control of the device.

**Profile Hijacking**

The attack begins with an employee installing any browser extension – this could involve publishing one that masquerades as an AI tool or taking over existing popular extensions that may have up to millions of installations in aggregate. The extension then “silently” authenticates the victim into a Chrome profile managed by the attacker’s Google Workspace. This is all done in an automated manner in a background window, making the whole process almost imperceptible to the victim. Once this authentication occurs, the attacker has full control over the newly managed profile in the victim’s browser, allowing them to push automated policies such as disabling safe browsing and other security features.

Using a very clever social engineering attack that exploits trusted domains, the adversary can then further escalate the profile hijacking attack to steal passwords from the victim’s browser. For example, the malicious extension can open and modify Google’s official support page on how to sync user accounts to prompt the victim to perform the sync with just a few clicks. Once the profile is synced, attackers have full access to all credentials and browsing history stored locally. As this attack only leverages legitimate sites and has no visible sign that it has been modified by the extension, it will not trigger any alarm bells in any security solutions monitoring the network traffic.

**Browser Takeover**

To achieve a full browser takeover, the attacker essentially needs to convert the victim’s Chrome browser into a managed browser. The same extension monitors and intercepts a legitimate download, such as a Zoom update, and replaces it with the attacker’s executable, which contains an enrollment token and registry entry to turn the victim’s Chrome browser into a managed browser. Thinking that they downloaded a Zoom updater, the victim executes the file, which ends up installing a registry entry that instructs the browser to become managed by the attacker’s Google Workspace. This allows the attacker to gain full control over the victim’s browser to disable security features, install additional malicious extensions, exfiltrate data and even silently redirect users to phishing sites. This attack is extremely potent as there is no visual difference between a managed and unmanaged browser. For a regular user, there is no telltale sign that a privilege escalation has occurred unless the victim is highly security aware and goes out of their way to regularly inspect their browser settings and look for associations with an unfamiliar Google Workspace account.

**Device Hijacking**

With the same downloaded file above, the attacker can additionally insert registry entries required for the malicious extension to message native apps. This allows the extension to directly interact with local apps without further authentication. Once the connection is established, attackers can use the extension in conjunction with the local shell and other available native applications to secretly turn on the device camera, capture audio, record screens and install malicious software – essentially providing full access to all applications and confidential data on the device.

The browser syncjacking attack exposes a fundamental flaw in the way remote-managed profiles and browsers are managed. Today, anyone can create a managed workspace account tied to a new domain and a browser extension without any form of identity verification, making it impossible to attribute these attacks. Unfortunately, most enterprises currently have zero visibility into the browser – most do not have managed browsers or profiles, nor any visibility to the extensions employees are installing often based on trending tools and social media recommendations.

What makes this attack particularly dangerous is that it operates with minimal permissions and nearly no user interaction, requiring only a subtle social engineering step using trusted websites – making it almost impossible for employees to detect. While recent incidents like the Cyberhaven breach have already compromised hundreds, if not thousands of organizations, those attacks required relatively complex social engineering to operate. The devastatingly subtle nature of this attack – with an extremely low threshold of user interaction – not only makes this attack extremely potent, but also sheds light on the terrifying possibility that adversaries are already using this technique to compromise enterprises today.

Unless an organization chooses to completely block browser extensions via managed browsers, the browser syncjacking attack will completely bypass existing blacklists and permissions-based policies. SquareX’s founder Vivek Ramachandran says “This research exposes a critical blind spot in enterprise security. Traditional security tools simply can’t see or stop these sophisticated browser-based attacks. What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDRs and SASE/SSE Secure Web Gateways. A Browser Detection-Response solution isn’t just an option anymore – it’s a necessity. Without visibility and control at the browser level, organizations are essentially leaving their front door wide open to attackers. This attack technique demonstrates why security needs to ‘shift up’ to where the threats are actually happening: in the browser itself.”

SquareX has been conducting pioneering security research on browser extensions, including the DEF CON 32 talk Sneaky Extensions: The MV3 Escape Artists that revealed multiple MV3 compliant malicious extensions. This research team was also the first to discover and disclose the OAuth attack on Chrome extension developers one week before the Cyberhaven breach. SquareX was also responsible for the discovery of Last Mile Reassembly attacks, a new class of client-side attacks that exploits architectural flaws and completely bypasses all Secure Web Gateway solutions. Based on this research, SquareX’s industry-first Browser Detection and Response solution protects enterprises against advanced extension-based attacks including device hijacking attempts by conducting dynamic analysis on all browser extension activity at runtime, providing a risk score to all active extensions across the enterprise and further identifying any attacks that they may be vulnerable to.

For more information about the browser syncjacking attack, additional findings from this research are available at **sqrx.com/research**.

**About SquareX**

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Discloses “Browser Syncjacking” , a New Attack Technique that Provides Full Browser and Device Control, Putting Millions at Risk

**SquareX discloses a new attack technique that shows how malicious extensions can be used to completely hijack the browser, and eventually, the whole device.**

**PALO ALTO, Calif., Jan. 30, 2025** — Browser extensions have been under the spotlight in enterprise security news recently due to the wave of OAuth attacks on Chrome extension developers and data exfiltration attacks. However, until now, due to the limitations browser vendors place on the extension subsystem and extensions, it was thought to be impossible for extensions to gain full control of the browser, much less the device.

SquareX researchers Dakshitaa Babu, Arpit Gupta, Sunkugari Tejeswara Reddy and Pankaj Sharma debunked this belief by demonstrating how attackers can use malicious extensions to escalate privileges to conduct a full browser and device takeover, all with minimal user interaction. Critically, the malicious extension only requires read/write capabilities present in the majority of browser extensions on the Chrome Store, including common productivity tools like Grammarly, Calendly and Loom, desensitizing users from granting these permissions. This revelation suggests that virtually any browser extension could potentially serve as an attack vector if created or taken over by an attacker. To the best of our understanding, extensions submitted to the Chrome Store requesting these capabilities are not put through additional security scrutiny at the time of this writing.

The browser syncjacking attack can be broken up into three parts: how the extension silently adds a profile managed by the attacker, hijacks the browser and eventually gains full control of the device.

**Profile Hijacking**

The attack begins with an employee installing any browser extension – this could involve publishing one that masquerades as an AI tool or taking over existing popular extensions that may have up to millions of installations in aggregate. The extension then “silently” authenticates the victim into a Chrome profile managed by the attacker’s Google Workspace. This is all done in an automated manner in a background window, making the whole process almost imperceptible to the victim. Once this authentication occurs, the attacker has full control over the newly managed profile in the victim’s browser, allowing them to push automated policies such as disabling safe browsing and other security features.

Using a very clever social engineering attack that exploits trusted domains, the adversary can then further escalate the profile hijacking attack to steal passwords from the victim’s browser. For example, the malicious extension can open and modify Google’s official support page on how to sync user accounts to prompt the victim to perform the sync with just a few clicks. Once the profile is synced, attackers have full access to all credentials and browsing history stored locally. As this attack only leverages legitimate sites and has no visible sign that it has been modified by the extension, it will not trigger any alarm bells in any security solutions monitoring the network traffic.

**Browser Takeover**

To achieve a full browser takeover, the attacker essentially needs to convert the victim’s Chrome browser into a managed browser. The same extension monitors and intercepts a legitimate download, such as a Zoom update, and replaces it with the attacker’s executable, which contains an enrollment token and registry entry to turn the victim’s Chrome browser into a managed browser. Thinking that they downloaded a Zoom updater, the victim executes the file, which ends up installing a registry entry that instructs the browser to become managed by the attacker’s Google Workspace. This allows the attacker to gain full control over the victim’s browser to disable security features, install additional malicious extensions, exfiltrate data and even silently redirect users to phishing sites. This attack is extremely potent as there is no visual difference between a managed and unmanaged browser. For a regular user, there is no telltale sign that a privilege escalation has occurred unless the victim is highly security aware and goes out of their way to regularly inspect their browser settings and look for associations with an unfamiliar Google Workspace account.

**Device Hijacking**

With the same downloaded file above, the attacker can additionally insert registry entries required for the malicious extension to message native apps. This allows the extension to directly interact with local apps without further authentication. Once the connection is established, attackers can use the extension in conjunction with the local shell and other available native applications to secretly turn on the device camera, capture audio, record screens and install malicious software – essentially providing full access to all applications and confidential data on the device.

The browser syncjacking attack exposes a fundamental flaw in the way remote-managed profiles and browsers are managed. Today, anyone can create a managed workspace account tied to a new domain and a browser extension without any form of identity verification, making it impossible to attribute these attacks. Unfortunately, most enterprises currently have zero visibility into the browser – most do not have managed browsers or profiles, nor any visibility to the extensions employees are installing often based on trending tools and social media recommendations.

What makes this attack particularly dangerous is that it operates with minimal permissions and nearly no user interaction, requiring only a subtle social engineering step using trusted websites – making it almost impossible for employees to detect. While recent incidents like the Cyberhaven breach have already compromised hundreds, if not thousands of organizations, those attacks required relatively complex social engineering to operate. The devastatingly subtle nature of this attack – with an extremely low threshold of user interaction – not only makes this attack extremely potent, but also sheds light on the terrifying possibility that adversaries are already using this technique to compromise enterprises today.

Unless an organization chooses to completely block browser extensions via managed browsers, the browser syncjacking attack will completely bypass existing blacklists and permissions-based policies. SquareX’s founder Vivek Ramachandran says “This research exposes a critical blind spot in enterprise security. Traditional security tools simply can’t see or stop these sophisticated browser-based attacks. What makes this discovery particularly alarming is how it weaponizes seemingly innocent browser extensions into complete device takeover tools, all while flying under the radar of conventional security measures like EDRs and SASE/SSE Secure Web Gateways. A Browser Detection-Response solution isn’t just an option anymore – it’s a necessity. Without visibility and control at the browser level, organizations are essentially leaving their front door wide open to attackers. This attack technique demonstrates why security needs to ‘shift up’ to where the threats are actually happening: in the browser itself.”

SquareX has been conducting pioneering security research on browser extensions, including the DEF CON 32 talk Sneaky Extensions: The MV3 Escape Artists that revealed multiple MV3 compliant malicious extensions. This research team was also the first to discover and disclose the OAuth attack on Chrome extension developers one week before the Cyberhaven breach. SquareX was also responsible for the discovery of Last Mile Reassembly attacks, a new class of client-side attacks that exploits architectural flaws and completely bypasses all Secure Web Gateway solutions. Based on this research, SquareX’s industry-first Browser Detection and Response solution protects enterprises against advanced extension-based attacks including device hijacking attempts by conducting dynamic analysis on all browser extension activity at runtime, providing a risk score to all active extensions across the enterprise and further identifying any attacks that they may be vulnerable to.

For more information about the browser syncjacking attack, additional findings from this research are available at **sqrx.com/research**.

**About SquareX**

SquareX helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time.

SquareX’s industry-first Browser Detection and Response (BDR) solution, takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR Codes, Browser-in-the-Browser phishing, macro-based malware and other web attacks encompassing malicious files, websites, scripts, and compromised networks.

Additionally, with SquareX, enterprises can provide contractors and remote workers with secure access to internal applications, enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Unveils “Browser Syncjacking” Attack Granting Full Browser and Device Control

The FBI has seized Nulled.to, Cracked.to, Sellix.io, and StarkRDP.io in Operation Talent, targeting cybercrime forums and illicit marketplaces.…

The FBI has seized Nulled.to, Cracked.to, Sellix.io, and StarkRDP.io in Operation Talent, targeting cybercrime forums and illicit marketplaces. No arrests confirmed yet.

On January 29, 2025, **reports emerged that** the FBI had seized three major cybercrime and hacking forums: Nulled.to, Cracked.to, and Cracked.io as part of an ongoing operation targeting cybercrime facilitators. Authorities also took down three other domains: StarkRDP.io, Sellix.io, and MySellix.io and pointed their DNS records to FBI servers.

At the time, there was no official confirmation from the FBI about the seizure, nor were there any seizure notices on the affected sites. However, Hackread.com can now confirm that some of these sites are now displaying seizure notices, indicating that they were taken down as part of an operation called Operation Talent.

Those visiting these websites can see a banner displaying the _“_This website has been seized_“_ message.

_“_Operation Talent – This website, as well as the information on the customers and victims of the website, has been seized by international law enforcement partners,_“_ says the seizure notice on Nulled.to and Cracked.to.

Seizure notice on the seized sites (Screenshot credit: Hackread.com)

****What is Operation Talent?****

Operation Talent is an international law enforcement initiative led by the FBI targeting cybercrime forums and associated websites. On January 29, 2025, the operation resulted in the seizure of several domains, including Cracked.io, Nulled.to, StarkRDP.io, Sellix.io, and MySellix.io. These platforms were known for facilitating various cybercriminal activities, such as the distribution of cracked software, stolen credentials, and hacking tools.

The operation was conducted by the FBI along with its international partners including the European Union Agency for Law Enforcement Cooperation (Europol), the Australian Federal Police, Germany’s Federal Criminal Police Office, and others, highlighting the collaborative nature of this operation.

****Seizure of StarkRDP.io, Sellix.io, and MySellix.io********StarkRDP.io****

StarkRDP.io was a virtual hosting provider specializing in Windows and Linux virtual servers, offering various hosting packages with features like instant deployment and dedicated IP addresses. Their services were marketed for automatic deployment within five minutes of payment confirmation. However, the platform was also misused by malicious actors to host scams and facilitate cybercrime activities, ultimately leading to its seizure.

****Sellix.io and MySellix.io****

Sellix SRL is a gateway system that brands itself as a “Cross-Border Finance” service, operating **out of** Bologna, Italy. Hackread.com’s research reveals that the Cracked.to forum **utilized** MySellix.io’s payment services for invoicing and other payment-related transactions, indicating a connection between the two platforms in facilitating financial operations.

DNS records on Sellix.io and MySellix.io have been changed to the ones owned by the FBI (Screenshot credit: Hackread.com)

****Cracked.to’s Statement****

Cracked.to’s administrators have confirmed the seizure on their Telegram channel, calling the event “A sad day indeed for our community.”

“Now that everyone has more clarity on the situation, Cracked.io has been seized under Operation Talent with specific reasons being undisclosed. We are still waiting for the official court documentation from the data centre and the domain host. We will inform you guys further on those details once we have it,” the **announcement** said.

At the time of writing, it remains unclear whether any arrests have been made. However, since Cracked.to’s administrators are still active, it suggests that the forum may resurface under a different domain in the near future.

As of now, neither the FBI nor any U.S. law enforcement agency has issued an official press release regarding the seizures. Hackread.com has reached out to authorities for comment and will provide updates as soon as a response is received. Stay tuned.

1.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
2.  **Nulled.IO Hacking Forum Hacked, Trove of Data Stolen**
3.  **NetWire Malware Site and Server Seized, Admin Arrested**
4.  **Genesis Market’s Clearnet domain seized; Dark Web site online**
5.  **WT1SHOP Cybercrime Market Seized by US, Portuguese Authorities**

Operation Talent: FBI Seizes Nulled.to, Cracked.to, Sellix.io and more

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data…

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data exfiltration, and advanced malware.

Bitdefender has shared its latest research with Hackread.com ahead of its release, revealing an active espionage campaign by Russia APT28-linked threat actor UAC-0063. According to Bitdefender’s investigation, the actor is specifically targeting high-value entities in Central Asia and European countries like Germany, the UK, Romania, and the Netherlands in a multi-stage attack process involving various malware components and techniques.

UAC-0063 has been active since at least 2021 and has targeted a variety of organizations, including government entities, diplomatic missions, and private companies. In this campaign, the actor employs malicious Microsoft Word documents, a HATVIBE malware loader, and custom-built malware to infiltrate networks. Their operations are characterized by persistence, focusing on maintaining long-term access to compromised systems.

The attack starts with compromised Microsoft Word documents containing malicious macros that, when enabled by the user, deliver the initial malware payload (HATVIBE loader). HATVIBE is an HTA (HTML Application) script that downloads and executes further malicious code from the attacker’s command-and-control (C2) server.

A blurred malicious MS Word document used in the attack prompts users to enable macros to reveal its contents. However, once enabled, it also allows attackers to deploy a malicious payload. (Via Bitdefender)

DownExPyer is used extensively throughout the UAC-0063 attack chain. It is deployed after the initial infection stage, likely by the HATVIBE loader or other malware components. This Python-based malware establishes persistent communication with the C2 server, receives commands, and executes malicious actions on the infected system. 

PyPlunderPlug is a separate script designed to collect files from removable drives connected to the infected system. It focuses on specific file types and copies them to a staging location for potential exfiltration.

The attackers also deploy keyloggers to capture keystrokes entered by the victim, potentially revealing sensitive information like passwords and login credentials. The stolen data is then compressed into smaller archives to facilitate exfiltration and evade detection.

Researchers noted that the actor leverages previously compromised victims to spread the infection. This means the weaponised documents exfiltrated from one victim are used to attack other targets. Moreover, they create scheduled tasks to ensure the persistence of their malware on the compromised system. These tasks automatically execute the malicious code at regular intervals.

Researchers hinted at the involvement of the Russian government in this campaign.

UAC-0063’s arsenal “featuring sophisticated implants like DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, demonstrates a clear focus on espionage and intelligence gathering. The targeting of government entities within specific regions aligns with _potential Russian strategic interests_,” Bitdefender researchers wrote in the blog post.

To mitigate the risks posed by UAC-0063, organizations should enhance their threat intelligence by continuously monitoring feeds from reputable sources, tracking C2 domains and implementing DNS-based blocking mechanisms to prevent network traffic from reaching these malicious domains. Implementing application whitelisting policies and deploying Intrusion Detection and Prevention Systems (IDPS) are crucial for strengthening endpoint and network security. 

1.  **Ukrainian Hackers Breach Email of APT28 Leader**
2.  **Russian Hackers Exploit Firefox 0-Days to Deploy Backdoor**
3.  **Russian Hackers Hit Mail Servers in Europe for Military Intel**
4.  **Russian APT28 Exploiting Windows Flaw with GooseEgg Tool**
5.  **Russian Hackers Shift Tactics, Target Victims with Paid Malware**

Russian UAC-0063 Targets Europe and Central Asia with Advanced Malware

Nulled.to and Cracked.to, major hacking forums, appear seized by the FBI as DNS records point to FBI servers.…

Nulled.to and Cracked.to, major hacking forums, appear seized by the FBI as DNS records point to FBI servers. No official confirmation yet. Cybersecurity experts await updates.

Today, two of the most prominent hacking and cybercrime forums, Nulled.to and Cracked.to, appear to have been seized by the FBI, as indicated by recent changes in their DNS records. However, no official press release or announcement has been made by the agency, leaving both cybercrime and the cybersecurity community speculating about the situation.

****DNS Records Indicate FBI Takeover****

According to publicly available WHOIS and DNS records, both **Nulled.to** and **Cracked.to** have had their **name servers changed to FBI-controlled domains** earlier today, specifically:

****DNS Records for Nulled.to****

*   **Domain Created:** March 5, 2022
*   **Last Edited:** January 30, 2025
*   **Expires:** March 5, 2026
*   **Primary Name Server:** ns1.fbi.seized.gov
*   **Secondary Name Server:** ns2.fbi.seized.gov

****DNS Records for Cracked.to****

*   **Domain Created:** July 27, 2020
*   **Last Edited:** January 30, 2025
*   **Expires:** March 17, 2028
*   **Primary Name Server:** ns1.fbi.seized.gov
*   **Secondary Name Server:** ns2.fbi.seized.gov

These changes indicate a government seizure. However, as of now, no seizure banner is displayed on the websites, and no official press release has been issued by the FBI or any U.S. law enforcement agency.

Screenshot: Hackread.com

****What Were Nulled.to and Cracked.to?****

Both forums were widely known for facilitating various cybercrime activities, including account breaches, where leaked credentials for platforms like Netflix, Steam, and banking accounts were bought and sold. They also served as hubs for cracked software, offering pirated programs and game cheats.

Additionally, discussions on fraud and carding were prevalent, covering illegal financial activities such as credit card fraud and identity theft. Furthermore, users exchanged information and tools related to hacking and exploits, including malware, botnets, and ransomware, making these platforms a major threat to cybersecurity.

****Lack of Official Statement Echos Breach Forums Take Down****

While the DNS changes suggest law enforcement action, the lack of an official announcement brings to mind the failed seizure of BreachForums. On May 15, 2024, the FBI took control of its domain and placed a seizure notice on the homepage but never officially confirmed the action or issued a press release.

On May 17, 2024, the admin and owner of the forum, linked to the ShinyHunters hacker group, boasted about reclaiming the seized domain right under the FBI’s nose. To make things worse for the agency, by May 22, 2024, the forum was fully restored using its original domains. To this day, the FBI has not issued any statement or acknowledged its failure to retain control of the domain.

Nevertheless, historically, when the FBI seizes a website, it displays a seizure notice, as seen in the takedowns of RaidForums, BreachForums (V1), and WeLeakInfo. The absence of such a banner suggests that further action may be in progress.

Hackread.com has reached out to authorities for comment. We will provide updates as soon as we receive a response. Stay tuned.

1.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
2.  **Nulled.IO Hacking Forum Hacked, Trove of Data Stolen**
3.  **NetWire Malware Site and Server Seized, Admin Arrested**
4.  **Genesis Market’s Clearnet domain seized; Dark Web site online**
5.  **WT1SHOP Cybercrime Market Seized by US, Portuguese Authorities**

Source

HackRead