At the end of January 2025, international law enforcement agencies collaborated to take down two of the most prominent cybercrime marketplace forums on the dark web: Nulled and Cracked. After a combined 13 years of facilitating the sale of hacking tools and stolen data, these platforms—along with several associated domains—were seized, effectively dismantling their infrastructure and disrupting a well-established cybercriminal network. Following the takedown of Breach Forums last year, this latest operation highlights the growing commitment of international authorities to combating online threats. However, it also raises concerns about the long-term effectiveness of these efforts, as forums continue to resurface.
Breaking down Cracked & Nulled
Cracked and Nulled were two prominent cybercrime marketplace forums established in the mid-to-late 2010s. Over a combined 13 years, they amassed 10 million users and over 71 million posts, becoming central hubs for sharing hacking-related information, including cracking tools, tutorials, and leaked credentials. In essence, they served as one-stop shops for hackers, providing the resources and tools needed to learn and engage in cybercrime. Beyond providing a knowledge base, they also operated as underground cybercrime-as-a-service marketplaces, offering malware, the direct sale of stolen data, hacking tools and the services of initial access brokers.
Cybercrime-as-a-service has reshaped the landscape of cybercrime, making it easier for individuals with minimal technical expertise to engage in cybercrime. By providing tools and infrastructure, platforms like Nulled and Cracked lowered the barrier to entry, enabling a broader range of cybercriminals to conduct attacks with increased efficiency.
More recently, malicious AI tools began circulating on Nulled and Cracked, which was particularly alarming due to their ability to adapt, learn, and bypass security measures. Capable of automatically scanning for vulnerabilities and optimizing attack strategies, they effectively eliminated the need for human intervention, automating the entire cyberattack process.
In addition, AI-powered phishing tools were circulating on the forums, enabling bad actors to send more personalized and persuasive messages to victims. By leveraging AI-driven natural language processing tools, attackers could mimic writing styles and dynamically adjust messaging based on victims' responses. These tools also removed traditional language barriers, allowing cybercriminals to target victims across different regions with culturally and grammatically accurate phishing attempts.
The takedown
The law enforcement effort to take down Nulled and Cracked was dubbed ‘Operation Talent’ and involved coordinated efforts from agencies in the United States, Italy, Spain, Germany, France, Greece, Australia, and Romania. Over two days in late January 2025, the operation resulted in the arrest of two suspects. Following raids on seven properties, authorities seized 17 servers and 50 electronic devices, along with 300,000 euros in cash and cryptocurrency. A total of 12 domains within the Cracked and Nulled infrastructure were taken down. Notably, Sellix, a cryptocurrency-based financial processor that allowed users to create online stores and sell stolen data, software keys, malware and compromised accounts, was also seized. Another major service taken down was StarkRDP, a Windows RDP virtual hosting provider which was used by cybercriminals for credential stuffing attacks, where attackers use large databases of stolen email/username-password combinations to attempt logins across multiple accounts, exploiting users who reuse credentials across different services.
Law enforcement taking action
In recent years, it has become abundantly clear that global law enforcement agencies are intensifying their efforts to combat cybercrime. This commitment extends far beyond just cybercrime forums, with authorities taking decisive action against various forms of illicit online activity. A prime example of this is the FBI-led global operation against the Qakbot botnet in 2023. A botnet is a network of infected computers remotely controlled by a cybercriminal that can be used to carry out large-scale cyberattacks, like spreading malware or stealing data. This sophisticated botnet, which had been active since 2008, had served as a tool for multiple ransomware groups, including Conti, ProLock, and REvil. Qakbot infected hundreds of thousands of computers worldwide, acting as an initial access broker that allowed cybercriminals to infiltrate networks, deploy ransomware, and commit financial fraud. Through a well-coordinated international effort, law enforcement agencies infiltrated Qakbot’s infrastructure and redirected infected devices to FBI-controlled servers, effectively dismantling the botnet. This takedown demonstrated that even the most entrenched cybercrime operations are vulnerable to unified, global enforcement efforts.
Similarly, significant progress has been made in targeting cybercrime forums. Since 2020, authorities have seized six high-profile cybercrime marketplaces, three of which were rebranded versions of their seized predecessors. These rebrands were swiftly targeted and seized by law enforcement, demonstrating a growing resolve to prevent cybercriminals from rebuilding their operations. The speed and effectiveness of these actions highlight a stronger, more coordinated global response to cybercrime, as authorities continue to collaborate and pool resources to dismantle not just forums, but the entire ecosystem of cybercriminal activity.
The Future of Cybercrime Marketplaces
While international law enforcement agencies are increasingly collaborating and prioritizing the dismantling of cybercrime marketplaces and networks, the reality is that these efforts usually lead to temporary disruptions rather than permanent eradication. A prime example of this is the seizure of Breach Forums, one of the largest stolen data marketplaces of recent times. Despite being seized in May 2024, a new iteration of Breach Forums has already emerged. This new forum mirrors the original, continuing to sell stolen data and provide a space for hacking-related discussions. In less than ten months, it has amassed a significant following of 290,000 users. With this said, White Blue Ocean has observed fewer high-profile databases being distributed as well as a reduced pattern of user interaction.
This cycle mirrors the trajectory of other major forums, such as Nulled and Cracked, which took years to reach their peak in the cybercriminal community. Building the trust and reputation needed for such platforms to thrive is a lengthy process, and the ongoing threat posed by law enforcement will only complicate this for future forums. While it is highly likely that new versions of forums such as Nulled or Cracked will emerge in the coming months, they will face significant challenges in rebuilding the user base, trust, and notoriety they once held. While these new platforms may gain traction, it will take much longer for them to re-establish the same level of influence and respect that made their predecessors so significant.