
In Other Cybercrime Market Drama, BreachForums Marketplace Reboot Branded a Fake
A notorious online cybercrime marketplace called Cracked claims to have restarted operations. So too has the recently disrupted BreachForums, although experts remain skeptical.
Cracked went offline three months ago, when authorities announced that as part of “Operation Talent,” they’d disrupted the infrastructure and operations of the online cybercrime marketplaces Cracked and Nulled, which collectively sported more than 10 million users (see: Law Enforcement Sweeps Up Cybercrime Forums).
Launched in March 2018 and modeled on Raid Forums – later the inspiration for BreachForums – Cracked sold hacking tools, rented servers for hosting malware and stolen data, and advertised stolen credentials, ultimately counting over 4 million users and 28 million posts devoted to advertising stolen data and offensive cybertools. It generated at least $4 million in illicit revenue via the site, according to seizure documents unsealed in January in U.S. federal court.
As part of Operation Talent, authorities seized 12 domains used to host the platforms, Cracked’s financial processor Sellix, plus a bulletproof hosting service, StarkRDP, run by suspected Cracked and Nulled operators. After the seizure, Cracked’s operators confirmed the disruption via their Telegram channel, calling it “a sad day indeed for our community.”
As so often happens following cybercrime forum seizures, Cracked’s administrators appear to have rebooted their illicit operation using new infrastructure and fresh domain names. Formerly located at Cracked.io, the new iteration of the forum launched on April 14 as Cracked.sh, using the top-level domain created for the British Overseas Territory of Saint Helena, Ascension and Tristan da Cunha – with at least one more domain name mirroring the whole site. In a post to the site, new administrator “Liars” said administrators restored a Jan. 25 backup of the previous site to create the new one.
“Cracked’s team claims seized servers were encrypted, preventing law enforcement from accessing user data,” threat intelligence firm Kela said in a Sunday report not available online. “The revived site lists 4.7 million users at the moment of writing and has introduced new payment options and support for affected transactions.”
Using credentials that worked with the previous iteration of Cracked, Kela said its researchers successfully logged into the new version, which suggests that the new iteration may indeed be a legitimate relaunch.
If so, that means the international law enforcement operation targeting the marketplace achieved only a limited disruption.
The Nulled marketplace, seized at the same time, remains offline. One key difference: Spanish police in January arrested two individuals, a man and a woman, with U.S. authorities identifying one of them as suspected Nulled administrator Lucas Sohn, 29, who’s an Argentinian national.
In the case of Cracked, authorities reported no arrests, meaning the management team appears to remain at large.
Even when cybercrime forums do appear to restart, telling truth from lies can be difficult. Take the venerable English-language cybercrime marketplace BreachForums, which has been offline since Tuesday.
A group calling itself “Dark Storm Team” claimed in posts to social platform Telegram that it knocked BreachForums offline through distributed denial-of-service attacks.
The latest disruption could be a repeat takedown by law enforcement, which most recently targeted the site in May 2024, after which it reappeared just weeks later, advertising customer data stolen from Live Nation’s venue ticket intermediary Ticketmaster. Supposedly, BreachForums’ administrator Intelbroker has also been arrested.
Whether the site might have been seized by law enforcement or seriously disrupted by Dark Storm Team remains unclear. Researchers at cybersecurity firm SOCRadar said “it’s best to stay skeptical,” not least because the group “sells a DDoS tool, so these claims may also double as marketing stunts” designed to promote their own wares.
A site purporting to be a new version of BreachForums launched Saturday, only to resolve to a “currently closed” message Sunday and a promise that a fully functioning version of the site was due to launch by May 26.
“We are doing everything we can to restore the forum as quickly as possible,” posted someone using the handle “Anastasia,” listed as being the “owner” of Breached.fi. “Every day we will add an update here with the process before the forum is launched. We are at the final stage.” No explanation was given for the delays.
Debate rages on multiple Telegram channels about whether BreachForums is relaunching. Someone claiming to be the real Anastasia, who’s purportedly a BreachForums admin, has claimed the new site “is fake and not affiliated with the original BreachForums community,” Kela said.
Existing BreachForums credentials don’t work for logging into the new site, Kela said. This could mean the new site is simply “not ready yet,” or potentially that it’s a criminal scam or even a law enforcement sting operation.