The FBI collaborated with law enforcement across Europe last week to confiscate domain names associated with Cracked and Nulled, English-language cybercrime forums that hosted millions of users engaged in the trade of stolen data, hacking tools, and malware. A look into the background of these groups reveals that their visible co-founders operate an Internet service provider and two e-commerce websites catering to users on both platforms.

In this 2019 article from Cracked, a forum moderator informed the post’s author (Buddie) that the proprietor of the RDP service was also the creator of Nulled, known as “Finndev.” Image: Ke-la.com.
On January 30, the U.S. Department of Justice announced it had confiscated eight domain names utilized for operating Cracked, a cybercrime forum that emerged in 2018 and garnered over four million users. The DOJ indicated that this law enforcement operation, dubbed Operation Talent, also acquired domains related to Sellix, Cracked’s payment facilitator.
Furthermore, authorities seized domain names for two prominent anonymity services that were heavily promoted on both Cracked and Nulled and that let users rent virtual servers: StarkRDP[.]io and rdp[.]sh.
Archived web pages indicate that both RDP services were operated by an organization called 1337 Services GmbH. As per corporate documentation gathered by Northdata.com, 1337 Services GmbH is also known as AS210558 and is registered in Hamburg, Germany.
The Cracked forum’s administrator used the aliases “FlorainN” and “StarkRDP” across various cybercrime forums. In parallel, a LinkedIn profile belonging to a Florian M. from Germany identifies this individual as a co-founder of Sellix and founder of 1337 Services GmbH.
According to Northdata’s business profile for 1337 Services GmbH, the company is steered by two individuals: 32-year-old Florian Marzahl and Finn Alexander Grimpe, aged 28.

An organizational chart depicting the owners of 1337 Services GmbH, namely Florian Marzahl and Finn Grimpe. Image: Northdata.com.
Neither Marzahl nor Grimpe replied to inquiries for comment. However, Grimpe’s first name is notable because it matches the nickname adopted by the founder of Nulled, who is known by the names “Finn” and “Finndev.” Northdata indicates Grimpe was the founder of a German entity named DreamDrive GmbH, which specialized in renting out luxury sports cars and motorcycles.
According to the cyber intelligence firm Intel 471, a user known as Finndev has registered on various cybercrime forums, including Raidforums [seized by the FBI in 2022], Void[.]to, and vDOS, a DDoS-for-hire service that was discontinued in 2016 after its founders were apprehended.
The email address linked to those accounts was [email protected]. DomainTools.com reveals that [email protected] was utilized to register at least nine domain names, including nulled[.]lol and nulled[.]it. Neither of these domains was included among those confiscated in Operation Talent.
Intel 471 discovered the user FlorainN registered across several cybercrime forums using the email [email protected]. The breach monitoring service Constella Intelligence indicates this email address employed the same password (with minor variations) across many online accounts — including on hacker forums — and this same password was associated with numerous other email addresses, such as [email protected] and [email protected].
The Justice Department stated that the Nulled marketplace had over five million members and has been offering stolen login credentials, false identification documents, hacking services, and tools for executing cybercrime and fraud since 2016.
Ironically, both Cracked and Nulled have fallen victim to hacking over the years, revealing a multitude of private conversations between forum participants. A review of those exchanges archived by Intel 471 indicated that numerous early forum users privately referred to Finndev as the operator of shoppy[.]gg, an e-commerce platform that serves a clientele similar to that of Sellix.
Shoppy was not targeted during Operation Talent, and its website remains active. Northdata reports that Shoppy’s business name — Shoppy Ecommerce Ltd. — is registered at an address in Gan-Ner, Israel, but there is no information available regarding this organization’s ownership. Shoppy did not reply to requests for comment.
Constella found that a user named Shoppy registered on Cracked in 2019 using the email address finn@shoppy[.]gg. Constella states that this email address is associated with a Twitter/X account for Shoppy Ecommerce in Israel.
The DOJ announced that one of the purported administrators of Nulled, a 29-year-old Argentinian named Lucas Sohn, was apprehended in Spain. The government has yet to announce any additional arrests or charges related to Operation Talent.
In fact, both StarkRDP and FlorainN have communicated through their Telegram accounts that no charges have been brought against the owners of 1337 Services GmbH. FlorainN informed previous customers that they were in the process of transitioning to a new name and domain for StarkRDP, where existing accounts and balances would be retained.
“StarkRDP has consistently operated within legal boundaries and is not implicated in any of these alleged offenses, a fact that will be verified through the legal proceedings,” the StarkRDP Telegram account stated on January 30. “All of your servers are secure and have not been seized in this operation. The only items confiscated are the website server and our domain. Unfortunately, there’s no way to ascertain who took it, nor with whom we can engage to resolve this matter. Therefore, we aim to resume operations soon under a different name to close the chapter of ‘StarkRDP.’”