Pakistan-based cybercrime network dismantled by US, Dutch authorities

U.S. and Dutch law enforcement agencies have seized dozens of domains linked to a Pakistan-based cybercrime network operated by a group known as Saim Raza.

The group, also tracked under the name HeartSender, has been using these websites since at least 2020 to sell hacking tools — including phishing kits, scam pages and email extractors — to thousands of customers worldwide, according to a statement from the Justice Department.

“A cybercriminal can use these tools to send large amounts of spam or phishing emails or to steal someone’s login credentials,” the Dutch police said, adding that Saim Raza’s marketplaces also sold access to compromised infrastructure, including email servers, WordPress accounts, and web hosting control panels such as cPanel.

“With stolen cPanel or WordPress accounts, criminals can take control of a website or server’s management system,” the police warned.

Saim Raza’s customers primarily used these tools to carry out business email compromise (BEC) schemes, deceiving companies into transferring funds to accounts controlled by hackers. The group’s operations in the U.S. alone resulted in more than $3 million in losses, authorities said.

“The criminal group behind HeartSender operated very professionally,” the Dutch police noted. 

Beyond selling hacking tools, they also provided instructional YouTube videos, training users with little technical expertise on how to deploy the tools against victims. The group marketed its offerings as “fully undetectable” by antivirus software.

Law enforcement agencies have not disclosed whether any suspects were identified or arrested in the operation targeting Saim Raza. U.S. authorities said the domain seizures were intended “to disrupt the ongoing activity of these groups and stop the proliferation of these tools within the cybercriminal community.”

Independent journalist Brian Krebs first exposed Saim Raza’s operation in 2021. After his story was published, one of the group’s operators pleaded with him to take it down, Krebs said.

According to research by U.S. cybersecurity firm DomainTools, the group has been active for nearly a decade. It was among the first phishing-focused marketplaces to expand operations across multiple separately branded shops, integrating various cybercriminal services.

Despite its reach, the group has also suffered from significant security lapses. 

“A series of operational security failures call into question the integrity of their criminal enterprise and may even suggest some of their customers are also targets,” DomainTools researchers said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.