An international law enforcement operation has dismantled the domains associated with various online platforms linked to cybercrime such as Cracked, Nulled, Sellix, and StarkRDP.
The effort, which took place between January 28 and 30, 2025, targeted the following domains –
- www.cracked.io
- www.nulled.to
- www.mysellix.io
- www.sellix.io
- www.starkrdp.io
Visitors to these websites are now greeted by a seizure banner that says they were confiscated as part of Operation Talent that involved authorities from Australia, France, Greece, Italy, Romania, Spain, and the United States, along with Europol.
“This website, as well as the information on the customers and victims of the website, has been seized by international law enforcement partners,” the message reads.
Operational since at 2015 and 2018, both Nulled and Cracked have been used to peddle various hack tools, such as ScrubCrypt, a malware obfuscation engine that has been observed delivering stealer malware in the past.
The maintainers of Cracked confirmed the development on their Telegram channel, stating they are “still waiting for the official court documentation.”
“A sad day indeed for our community,” they added.
According to Europol, Cracked and Nulled had more than 10 million users in total, acting as underground marketplaces for illegal goods and crimeware solutions, such as stolen data, malware or hacking tools. The websites are estimated to have made €1 million ($1.04 million) in profits.
Concurrent to the takedowns, two suspects – a man and a woman, per the National Police of Spain – have been apprehended, seven properties were searched, and 17 servers and over 50 electronic devices were seized. Approximately €300,000 in cash and cryptocurrency were also appropriated.
“Other associated services were also taken down; including a financial processor named Sellix which was used by Cracked, and a hosting service called StarkRDP, which was promoted on both of the platforms and run by the same suspects,” Europol noted.
Dismantling cybercrime hubs has been a major focus of law enforcement in recent years, hoping to cripple malicious actors looking to profit off their illicit warez and help even less technically-skilled individuals to carry out attacks at scale.
“These two forums also offered AI-based tools and scripts to automatically scan for security vulnerabilities and optimize attacks,” the agency added. “Advanced phishing techniques are frequently developed and shared on these platforms, sometimes employing AI to create more personalised and convincing messages.”
The Federal Criminal Police Office (aka Bundeskriminalamt or BKA), in a coordinated announcement, said a total of eight people were identified as directly involved in the operation of the criminal services, including two German citizens aged 29 and 32 who reside in the district of Segeberg and Valencia. The other defendants are aged between 21 and 29.
As many as 17 million victims from the United States have been impacted by tools and data sold on Cracked, the Department of Justice (DoJ) said. Among the products sold was a tool that offered access to “billions of leaked websites,” allowing its customers to search for stolen login credentials.
“Cracked had over four million users, listed over 28 million posts advertising cybercrime tools and stolen information, generated approximately $4 million in revenue,” the DoJ said, adding “Nulled had over five million users, listed over 43 million posts advertising cybercrime tools and stolen information, and generated approximately $1 million in yearly revenue.”
The Justice Department has also unsealed charges against one of Nulled’s administrators, a 29-year-old Argentinian national residing in Spain named Lucas Sohn, for his role as a facilitator of cybercrime by permitting Nulled’s customers to complete illicit transactions.
Sohn has been charged with conspiracy to traffic in passwords and similar information through which computers may be accessed without authorization; and conspiracy to solicit another person for the purpose of offering an access device or selling information regarding an access device.
He has also been charged with a conspiracy to possess, transfer, or use a means of identification of another person with the intent to commit or to aid and abet or in connection with any unlawful activity that is a violation of federal law.
If convicted, the defendant faces a maximum penalty of five years in prison for conspiracy to traffic in passwords, 10 years in prison for access device fraud, and 15 years in prison for identity fraud.