An international operation has brought down the infrastructure of online cybercrime marketplaces that affected millions of American citizens, according to a recent report from the U.S. Department of Justice (DOJ).
Cracked has been active since at least March 2018, boasted more than four million users, made roughly $4 million in revenues, and allegedly hosted more than 28 million posts that advertised cybercrime tools and stolen info.
A product advertised on Cracked claimed to give users access to “billions of leaked websites,” allowing them to obtain stolen login credentials.
“This product was recently allegedly used to sextort and harass a woman in the Western District of New York. Specifically, a cybercriminal entered the victim’s username into the tool and obtained the victim’s credentials for an online account,” the DOJ said.
“Using the victim’s credentials, the subject then cyberstalked the victim and sent sexually demeaning and threatening messages to the victim. The seizure of these marketplaces is intended to disrupt this type of cybercrime and the proliferation of these tools in the cybercrime community.”
The FBI, together with its foreign partners, identified several domains and servers used to host the Cracked marketplace and its payment processor, Sellix. All domain names and servers have been seized.
Nulled, which operated similarly to Cracked, allegedly engaged in the sale of cybercrime tools and stolen data, hosting more than 43 million posts that advertised related content. Active since 2016, it had more than 5 million users and made around $1 million in annual revenues.
One product advertised on the platform claimed to have the names and social security numbers of half a million U.S. citizens.
The domain and servers related to Nulled were seized. The DOJ announced charges against one of Nulled’s alleged administrators, 29-year-old Lucas Sohn, an Argentinian national living in Spain.
If convicted, Sohn faces a maximum of 15 years in prison for identity fraud, 10 years for access device fraud, and five years for conspiracy to traffic in passwords.
US Data Under Threat
Americans are facing a higher level of risk of being targeted by cybercrimes than other nationalities.In terms of victims per million internet users, the United States was in the second spot at 1,568 victims, way above third-placed Canada, which had 180. The UK was at the top of the list with 4,419 victims.
In October 2024, the company revealed that the incident compromised the data of 100 million U.S. citizens. The company’s CEO said that the breach could have resulted in sensitive health information of customers being leaked to the dark web.
“Use only end-to-end encrypted communications,” said the CISA guidance.
Such encryption makes communicated information unreadable for people other than the sender and the receiver. Apps that have end-to-end encryption include Signal, WhatsApp, and iMessage.
Highly targeted individuals “should assume that all communications between mobile devices—including government and personal devices—and internet services are at risk of interception or manipulation,” the guidance said.
