Officials in Pakistan have apprehended 21 individuals suspected of managing “Heartsender,” a previously prominent spam and malware distribution service that functioned for over a decade. The primary clientele for Heartsender were organized crime syndicates that sought to deceive victim companies into remitting payments to a third party, and its purported owners were publicly exposed by KrebsOnSecurity in 2021 after they accidentally infected their own computers with malware.

Some of the principal developers and sellers of Heartsender posing at a work event in 2021. WeCodeSolutions chief Rameez Shahzad (in sunglasses) is at the center of this group picture, which was shared by employee Burhan Ul Haq, seen just to the right of Shahzad.
A report from the Pakistani news source Dawn indicates that authorities have detained 21 individuals believed to have operated Heartsender, a spam distribution service whose website explicitly promoted phishing kits aimed at users of various online platforms, including Microsoft 365, Yahoo, AOL, Intuit, iCloud, and ID.me. The nation’s National Cyber Crime Investigation Agency (NCCIA) reportedly executed raids in Lahore’s Bahria Town and Multan on May 15 and 16.
The NCCIA informed journalists that the group’s tools were linked to over $50m in damages in the United States alone, with European investigators looking into 63 additional cases.
“This was not merely a scam operation – it functioned as a cybercrime academy that empowered fraudsters on a global scale,” NCCIA Director Abdul Ghaffar remarked at a press conference.
In January 2025, the FBI and Dutch Police seized the technical framework for the cybercrime operation, which was promoted under the names Heartsender, Fudpage, and Fudtools (along with numerous other “fud” variations). The “fud” portion signifies “Fully Un-Detectable,” referring to cybercrime tools designed to avoid detection by security measures like antivirus software or anti-spam solutions.
The FBI states that transnational organized crime groups that purchased these services primarily used them to run business email compromise (BEC) schemes, in which the cybercriminals deceived victim companies into forwarding payments to a third party.
Dawn reported that among those detained was Rameez Shahzad, the presumed mastermind of the Heartsender cybercrime operation, which last operated under the Pakistani front company WeCodeSolutions. Mr. Shahzad was named and featured in a 2021 KrebsOnSecurity article about a series of significant operational security blunders that revealed their identities and Facebook pages showing employees posing for group photos and socializing during work-related events.
Before shutting down their operations behind WeCodeSolutions, Shahzad and the others arrested this month operated as a web hosting entity known as The Manipulaters. KrebsOnSecurity first reported on The Manipulaters in May 2015, primarily because their advertisements at that time were pervasive across several popular cybercrime forums, and because they were quite open and brazen about their actions — even their real identities.
In 2019, The Manipulaters neglected to renew their main domain name — manipulaters[.]com — the same one connected to many of the company’s business activities. That domain was swiftly acquired by Scylla Intel, a cyber intelligence agency that specializes in linking cybercriminals to their real-life identities. Shortly after, Scylla began receiving significant amounts of email correspondence intended for the group’s operators.
In 2024, DomainTools.com discovered that the web-hosted version of Heartsender leaked an astonishing volume of user information to unauthenticated users, including customer credentials and email records from Heartsender staff. DomainTools claims the malware infections on Manipulaters PCs revealed “vast quantities of account-related information along with details of the group’s membership, operations, and position in the wider underground economy.”
Shahzad purportedly adopted the alias “Saim Raza,” a persona that has reached out to KrebsOnSecurity multiple times over the past decade, demanding the removal of published stories about the group. The Saim Raza identity most recently contacted this author in November 2024, asserting they had exited the cybercrime world and turned over a new leaf following a run-in with the Pakistani police.
The detained individuals include Rameez Shahzad, Muhammad Aslam (Rameez’s father), Atif Hussain, Muhammad Umar Irshad, Yasir Ali, Syed Saim Ali Shah, Muhammad Nowsherwan, Burhanul Haq, Adnan Munawar, Abdul Moiz, Hussnain Haider, Bilal Ahmad, Dilbar Hussain, Muhammad Adeel Akram, Awais Rasool, Usama Farooq, Usama Mehmood, and Hamad Nawaz.