An international law enforcement operation has dismantled the domains associated with various online platforms linked to cybercrime such as Cracked, Nulled, Sellix, and StarkRDP.
The effort, which took place between January 28 & 30, 2025, targeted the following domains –
- www.cracked.io
- www.nulled.to
- www.mysellix.io
- www.sellix.io
- www.starkrdp.io
Banner
Visitors to these websites are now greeted by a ‘seizure banner’ that says they were confiscated as part of Operation Talent that involved authorities from Australia, France, Greece, Italy, Romania, Spain, & the US, along with Europol.
“This website, as well as the information on the customers & victims of the website, has been seized by international law enforcement partners,” the message reads.
Operational since at 2015 & 2018, both Nulled & Cracked have been used to peddle various hack tools, such as ScrubCrypt, a malware obfuscation engine that has been observed delivering stealer malware in the past.
Court Documentation
The maintainers of Cracked confirmed the development on their Telegram channel, stating they are “still waiting for the official court documentation.”
“A sad day indeed for our community,” they added.
According to Europol, Cracked & Nulled had more than 10m users in total, acting as underground marketplaces for illegal goods & crimeware solutions, such as stolen data, malware or hacking tools. The websites are estimated to have made €1m ($1.04m) in profits.
Suspects
Concurrent to the takedowns, 2 suspects – a man & a woman, per the National Police of Spain – have been apprehended, 7 properties were searched, & 17 servers & over 50 electronic devices were seized. Approximately €300,000 in cash & cryptocurrency were also appropriated.
“Other associated services were also taken down; including a financial processor named Sellix which was used by Cracked, & a hosting service called StarkRDP, which was promoted on both of the platforms & run by the same suspects,” Europol noted.
AI-Based Tools
Dismantling cybercrime hubs has been a major focus of law enforcement in recent years, hoping to cripple malicious actors looking to profit off their illicit warez & help even less technically skilled individuals to conduct attacks at scale.
“These 2 forums also offered AI-based tools & scripts to automatically scan for security vulnerabilities & optimise attacks,” the agency added. “Advanced phishing techniques are frequently developed & shared on these platforms, sometimes employing AI to create more personalised & convincing messages.”
German Federal
The German Federal Criminal Police Office (aka Bundeskriminalamt or BKA), in a co-ordinated announcement, said a total of 8 people were identified as directly involved in the operation of the criminal services, including 2 German citizens aged 29 & 32 who reside in the district of Segeberg & Valencia. The other defendants are aged between 21 & 29.
As many as 17m victims from the US have been impacted by tools & data sold on Cracked, the Department of Justice (DoJ) stated. Among the products sold was a tool that offered access to “billions of leaked websites,” allowing its customers to search for stolen login credentials.
Argentinian National
“Cracked had over 4m users, listed over 28m posts advertising cybercrime tools & stolen information, generated approximately $4m in revenue,” the US DoJ said, adding “Nulled had over 5m users, listed over 43m posts advertising cybercrime tools & stolen information, & generated approximately $1m in yearly revenue.”
The US Justice Department has also unsealed charges against one of Nulled’s administrators, a 29-year-old Argentinian national living in Spain named Lucas Sohn, for his role as a facilitator of cyber-crime by permitting Nulled’s customers to complete illicit transactions.
Traffic in Passwords
Sohn has been charged with conspiracy to traffic in passwords & similar information through which computers may be accessed without authorisation; & conspiracy to solicit another person for the purpose of offering an access device or selling information regarding an access device.
He has also been charged with a conspiracy to possess, transfer, or use a means of identification of another person with the intent to commit or to aid & abet or in connection with any unlawful activity that is a violation of US Federal law.
If convicted, the defendant faces a maximum penalty of 5 years in prison for conspiracy to traffic in passwords, 10 years in prison for access device fraud, & 15 years in prison for identity fraud.
