The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums.

In this 2019 post from Cracked, a forum moderator told the author of the post (Buddie) that the owner of the RDP service was the founder of Nulled, a.k.a. “Finndev.” Image: Ke-la.com.

On Jan. 30, the U.S. Department of Justice said it seized eight domain names that were used to operate Cracked, a cybercrime forum that sprang up in 2018 and attracted more than four million users. The DOJ said the law enforcement action, dubbed Operation Talent, also seized domains tied to Sellix, Cracked’s payment processor.

In addition, the government seized the domain names for two popular anonymity services that were heavily advertised on Cracked and Nulled and allowed customers to rent virtual servers: StarkRDP[.]io, and rdp[.]sh.

Those archived webpages show both RDP services were owned by an entity called 1337 Services Gmbh. According to corporate records compiled by Northdata.com, 1337 Services GmbH is also known as AS210558 and is incorporated in Hamburg, Germany.

The Cracked forum administrator went by the nicknames “FlorainN” and “StarkRDP” on multiple cybercrime forums. Meanwhile, a LinkedIn profile for a Florian M. from Germany refers to this person as the co-founder of Sellix and founder of 1337 Services GmbH.

Northdata’s business profile for 1337 Services GmbH shows the company is controlled by two individuals: 32-year-old Florian Marzahl and Finn Alexander Grimpe, 28.

An organization chart showing the owners of 1337 Services GmbH as Florian Marzahl and Finn Grimpe. Image: Northdata.com.

Neither Marzahl nor Grimpe responded to requests for comment. But Grimpe’s first name is interesting because it corresponds to the nickname chosen by the founder of Nulled, who goes by the monikers “Finn” and “Finndev.” NorthData reveals that Grimpe was the founder of a German entity called DreamDrive GmbH, which rented out high-end sports cars and motorcycles.

According to the cyber intelligence firm Intel 471, a user named Finndev registered on multiple cybercrime forums, including Raidforums [seized by the FBI in 2022], Void[.]to, and vDOS, a DDoS-for-hire service that was shut down in 2016 after its founders were arrested.

The email address used for those accounts was f.grimpe@gmail.com. DomainTools.com reports f.grimpe@gmail.com was used to register at least nine domain names, including nulled[.]lol and nulled[.]it. Neither of these domains were among those seized in Operation Talent.

Intel471 finds the user FlorainN registered across multiple cybercrime forums using the email address olivia.messla@outlook.de. The breach tracking service Constella Intelligence says this email address used the same password (and slight variations of it) across many accounts online — including at hacker forums — and that the same password was used in connection with dozens of other email addresses, such as florianmarzahl@hotmail.de, and fmarzahl137@gmail.com.

The Justice Department said the Nulled marketplace had more than five million members, and has been selling stolen login credentials, stolen identification documents and hacking services, as well as tools for carrying out cybercrime and fraud, since 2016.

Perhaps fittingly, both Cracked and Nulled have been hacked over the years, exposing countless private messages between forum users. A review of those messages archived by Intel 471 showed that dozens of early forum members referred privately to Finndev as the owner of shoppy[.]gg, an e-commerce platform that caters to the same clientele as Sellix.

Shoppy was not targeted as part of Operation Talent, and its website remains online. Northdata reports that Shoppy’s business name — Shoppy Ecommerce Ltd. — is registered at an address in Gan-Ner, Israel, but there is no ownership information about this entity. Shoppy did not respond to requests for comment.

Constella found that a user named Shoppy registered on Cracked in 2019 using the email address finn@shoppy[.]gg. Constella says that email address is tied to a Twitter/X account for Shoppy Ecommerce in Israel.

The DOJ said one of the alleged administrators of Nulled, a 29-year-old Argentinian national named Lucas Sohn, was arrested in Spain. The government has not announced any other arrests or charges associated with Operation Talent.

Indeed, both StarkRDP and FloraiN have posted to their accounts on Telegram that there were no charges levied against the proprietors of 1337 Services GmbH. FlorainN told former customers they were in the process of moving to a new name and domain for StarkRDP, where existing accounts and balances would be transferred.

“StarkRDP has always been operating by the law and is not involved in any of these alleged crimes and the legal process will confirm this,” the StarkRDP Telegram account wrote on January 30. “All of your servers are safe and they have not been collected in this operation. The only things that were seized is the website server and our domain. Unfortunately, no one can tell who took it and with whom we can talk about it. Therefore, we will restart operation soon, under a different name, to close the chapter [of] ‘StarkRDP.'”

The FBI and authorities in The Netherlands this week seized dozens of servers and domains for a hugely popular spam and malware dissemination service operating out of Pakistan. The proprietors of the service, who use the collective nickname “The Manipulaters,” have been the subject of three stories published here since 2015. The FBI said the main clientele are organized crime groups that try to trick victim companies into making payments to a third party.

One of several current Fudtools sites run by the principals of The Manipulators.

On January 29, the FBI and the Dutch national police seized the technical infrastructure for a cybercrime service marketed under the brands Heartsender, Fudpage and Fudtools (and many other “fud” variations). The “fud” bit stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.

The Dutch authorities said 39 servers and domains abroad were seized, and that the servers contained millions of records from victims worldwide — including at least 100,000 records pertaining to Dutch citizens.

A statement from the U.S. Department of Justice refers to the cybercrime group as Saim Raza, after a pseudonym The Manipulaters communally used to promote their spam, malware and phishing services on social media.

“The Saim Raza-run websites operated as marketplaces that advertised and facilitated the sale of tools such as phishing kits, scam pages and email extractors often used to build and maintain fraud operations,” the DOJ explained.

The core Manipulaters product is Heartsender, a spam delivery service whose homepage openly advertised phishing kits targeting users of various Internet companies, including Microsoft 365, Yahoo, AOL, Intuit, iCloud and ID.me, to name a few.

The government says transnational organized crime groups that purchased these services primarily used them to run business email compromise (BEC) schemes, wherein the cybercrime actors tricked victim companies into making payments to a third party.

“Those payments would instead be redirected to a financial account the perpetrators controlled, resulting in significant losses to victims,” the DOJ wrote. “These tools were also used to acquire victim user credentials and utilize those credentials to further these fraudulent schemes. The seizure of these domains is intended to disrupt the ongoing activity of these groups and stop the proliferation of these tools within the cybercriminal community.”

Manipulaters advertisement for “Office 365 Private Page with Antibot” phishing kit sold via Heartsender. “Antibot” refers to functionality that attempts to evade automated detection techniques, keeping a phish deployed and accessible as long as possible. Image: DomainTools.

KrebsOnSecurity first wrote about The Manipulaters in May 2015, mainly because their ads at the time were blanketing a number of popular cybercrime forums, and because they were fairly open and brazen about what they were doing — even who they were in real life.

We caught up with The Manipulaters again in 2021, with a story that found the core employees had started a web coding company in Lahore called WeCodeSolutions — presumably as a way to account for their considerable Heartsender income. That piece examined how WeCodeSolutions employees had all doxed themselves on Facebook by posting pictures from company parties each year featuring a large cake with the words FudCo written in icing.

A follow-up story last year about The Manipulaters prompted messages from various WeCodeSolutions employees who pleaded with this publication to remove stories about them. The Saim Raza identity told KrebsOnSecurity they were recently released from jail after being arrested and charged by local police, although they declined to elaborate on the charges.

The Manipulaters never seemed to care much about protecting their own identities, so it’s not surprising that they were unable or unwilling to protect their own customers. In an analysis released last year, DomainTools.com found the web-hosted version of Heartsender leaked an extraordinary amount of user information to unauthenticated users, including customer credentials and email records from Heartsender employees.

Almost every year since their founding, The Manipulaters have posted a picture of a FudCo cake from a company party celebrating its anniversary.

DomainTools also uncovered evidence that the computers used by The Manipulaters were all infected with the same password-stealing malware, and that vast numbers of credentials were stolen from the group and sold online.

“Ironically, the Manipulaters may create more short-term risk to their own customers than law enforcement,” DomainTools wrote. “The data table ‘User Feedbacks’ (sic) exposes what appear to be customer authentication tokens, user identifiers, and even a customer support request that exposes root-level SMTP credentials–all visible by an unauthenticated user on a Manipulaters-controlled domain.”

Police in The Netherlands said the investigation into the owners and customers of the service is ongoing.

“The Cybercrime Team is on the trail of a number of buyers of the tools,” the Dutch national police said. “Presumably, these buyers also include Dutch nationals. The investigation into the makers and buyers of this phishing software has not yet been completed with the seizure of the servers and domains.”

U.S. authorities this week also joined law enforcement in Australia, France, Greece, Italy, Romania and Spain in seizing a number of domains for several long-running cybercrime forums and services, including Cracked and Nulled. According to a statement from the European police agency Europol, the two communities attracted more than 10 million users in total.

Other domains seized as part of “Operation Talent” included Sellix, an e-commerce platform that was frequently used by cybercrime forum members to buy and sell illicit goods and services.

Prince William and Kate Middleton are taking the high road as Meghan Markle continues to make headlines in ritzy Montecito.

British royals expert Hilary Fordwich claimed to Fox News Digital that the Prince and Princess of Wales are putting duty first as the Duchess of Sussex gears up to launch her lifestyle series in March.

"Prince William and Catherine are known to be glad to retain a distance from Meghan Markle, thereby avoiding any potential entanglement in future controversies," Fordwich explained. "Stability and service are paramount to the couple as they anticipate their lives being dedicated to both. There isn’t anything furthering either of those values in Meghan Markle and Prince Harry’s deal with Netflix."

PRINCE HARRY, MEGHAN MARKLE SLAMMED BY JUSTINE BATEMAN FOR BEING 'DISASTER TOURISTS' AMID CALIFORNIA FIRES

Fordwich’s comments came shortly after palace insiders claimed to the U.K.’s Daily Mail that Meghan’s decision to postpone her series was "a final blow" to Queen Elizabeth II.

They claimed that the 43-year-old "didn’t think twice" about delaying the launch of "With Love, Meghan" due to the Los Angeles fires. Meanwhile, the Duke and Duchess of Sussex allowed their explosive interview with Oprah Winfrey to air in 2021 as Prince Philip was ill. Harry’s grandfather died four weeks later.

While Fordwich called the Sussexes "a huge liability" for "what the monarchy stands for," other experts felt Meghan’s decision to delay her series was justifiable.

"What utter nonsense — and just one more indication of how the U.K. tabloid press grasps at straws to crucify Meghan and Harry," Christopher Andersen, author of "The King," told Fox News Digital about the Daily Mail's report.

"There may be plenty of things to criticize about the Sussexes, but this isn't one of them," he said. "Trying to compare the Oprah interview, the release of which the Sussexes had no control over, to their decision to postpone Meghan's lifestyle show because of the LA fires is drawing an egregiously false equivalence. Prince Philip had been frequently hospitalized over the final years of his life; at 99 years of age, going in and out of the hospital had become fairly routine."

"Giving lifestyle and cooking tips while thousands of their neighbors' homes were burning to the ground wouldn't have gone over well, to say the least," Andersen pointed out. "Postponing the roll-out of their new Netflix series was not only the right decision, but it was also the only decision Meghan could make."

CLICK HERE TO SIGN UP FOR THE ENTERTAINMENT NEWSLETTER

Still, Fordwich claimed that the Prince and Princess of Wales are choosing not to give Meghan’s latest project any oxygen. Instead, they’ll be focusing on raising their three young children and supporting King Charles III, who is still seeking treatment for an undisclosed form of cancer.

"For the royal family, this further reinforces Prince William’s instincts to retain the distance from the couple," Fordwich claimed.

It is believed that William’s relationship with his younger brother is nonexistent.

Kinsey Schofield, host of the "To Di For Daily" podcast, claimed to Fox News Digital that it was the streaming giant, not the duchess, who chose to hit the pause button on her series. "With Love, Meghan" was originally scheduled to premiere on Jan. 15.

"My sources tell me that it was Netflix that was eager to postpone Meghan's show to try to avoid harsh criticism," she claimed. "I would not be surprised if they used the entire month and a half… to make some much-needed edits to the final product."

WATCH: MEGHAN MARKLE ‘MOVED ON’ FROM ROYAL FAMILY DRAMA, AUTHOR CLAIMS

"The royal family recognized that Meghan wasn't out for anyone but herself a long time ago," Schofield claimed. "They set boundaries to protect their emotional wellbeing well before Megxit. Meghan constantly prioritizes herself at their expense and the only solution is to keep her at a distance. It's not about being cruel, it's about recognizing that the relationship is toxic and one-sided."

The Duke and Duchess of Sussex stepped back as senior royals in 2020 and moved to California. Since then, they’ve made headlines for airing their grievances. 

After detailing their struggles with royal life to Winfrey, they unveiled their controversial Netflix docuseries, "Harry & Meghan," in late 2022. Then, in early 2023, Harry’s memoir, "Spare," was published. 

Each launch highlighted new allegations about their time as royals.

"With Love, Meghan," promises to take a different approach. It will showcase the mother of two’s love for cooking and gardening alongside her celebrity pals. However, royal expert Richard Fitzwilliams claimed to Fox News Digital that the royal family "has not forgotten" the couple’s past tell-alls.

"The decision to postpone was taken by Netflix," claimed Fitzwilliams. "To show it at this time… was simply impossible. She had no option other than to request that they postpone it. The online reaction to it has been so negative that there’s always the chance it might be postponed again… It is saccharine and contrived."

"… When it comes to timing, the royal family will not have forgotten the shameful fact that the interview on Oprah went ahead when Prince Philip was in the hospital," he claimed. "The couple didn’t know this when it was originally planned, but it went ahead nonetheless… This was an utterly ruthless and shameful episode. The royal family has not forgotten. The royal family obviously has other concerns [today]."

"Their despicable timing of the Oprah interview, which caused Queen Elizabeth II and Prince Philip untold anguish, was totally and utterly unforgivable," Fordwich claimed.

LIKE WHAT YOU’RE READING? CLICK HERE FOR MORE ENTERTAINMENT NEWS

Andersen previously told Fox News Digital that Kate and Meghan were "never close." Following the Duke and Duchess of Sussex’s exit, the Princess of Wales has kept her distance as she serves the crown.

"From the very beginning, Kate and Meghan were hardly what I would call a love match," Andersen explained. "Even before they had their famous, tearful row over the flower girls’ dresses at Harry and Meghan’s wedding, the relationship between the two princesses was frosty. 

"After Megxit, Kate did what she could do to bring brothers Prince Harry and Prince William back together, but that proved impossible once the Sussexes let loose on the royal family during the Oprah interview and then in Harry’s blistering memoir ‘Spare.’

"Kate threw her hands up and essentially walked away, leaving it up to William and Harry to decide when — or even if — they will patch things up," Andersen continued. "All the while, Meghan has sailed above the fray, pursuing her projects in California and showing little interest in repairing relations with her royal in-laws."

Andersen also claimed that the Sussexes have "zero intention of apologizing for anything."

"Zero," he stressed. "They still firmly believe they are the wronged party in this royal saga. And while Kate might be capable of burying the hatchet and moving on, King Charles… and Prince William are not in a forgiving mood. Things have gone too far. The wounds are simply too deep." 

Earlier this month, Kate announced she is in "remission" from cancer and is focused on her future.

"It is a relief to now be in remission and I remain focused on recovery," she wrote. "As anyone who has experienced a cancer diagnosis will know, it takes time to adjust to a new normal. I am, however, looking forward to a fulfilling year ahead. There is much to look forward to."