Federal agents dismantled two of the world’s largest cybercrime marketplaces this week, pulling the plug on platforms where 10 million users bought and sold stolen data, hacking tools, and personal information from millions of Americans.
The FBI seized control of Nulled.to and Cracked.io on January 29, redirecting their domains to government servers as part of Operation Talent, a multinational law enforcement action spanning eight countries. German authorities led the raids, backed by Europol and agencies from the United States, Spain, France, Italy, Greece, Romania, and Australia.
Table of Contents
17 Million Americans Affected
Cracked.io had 4 million users and generated $4 million in revenue since its 2018 launch, according to the U.S. Department of Justice. The forum’s 28 million posts advertised everything from credential stuffing tools to complete databases of compromised accounts.
Nulled.to ran longer and larger. Operating since 2016, the marketplace served 5 million users through 43 million posts, pulling in roughly $1 million per year. One listing advertised the names and Social Security numbers of 500,000 Americans.
The damage extended far beyond stolen passwords. Tools and data sold on Cracked alone reached at least 17 million U.S. victims, prosecutors said.
A woman in New York became a target after someone used a Cracked.io tool promising access to “billions of leaked websites.” The attacker entered her username, pulled her login credentials, and launched a campaign of cyberstalking and extortion. Federal prosecutors in the Western District of New York are handling that case.
Two Arrested, More Investigations Underway
Spanish police arrested two suspects during raids conducted between January 28 and 30. Authorities searched seven properties, seizing 17 servers, more than 50 electronic devices, and €300,000 in cash and cryptocurrency.
The Justice Department unsealed charges against Lucas Sohn, a 29-year-old Argentinian living in Spain. Prosecutors identified him as a Nulled administrator facing three federal counts: conspiracy to traffic in passwords, access device fraud, and identity fraud. He could receive up to 30 years in prison if convicted.
Investigators now hold extensive records from the seized servers. Email addresses, IP logs, and transaction histories will fuel additional cases against sellers and buyers who used the forums.
How the Forums Operated
Both platforms functioned as full-service cybercrime marketplaces. Users traded stolen credentials, malware, phishing kits, and “combo lists,” which are databases pairing usernames with passwords for credential stuffing attacks.
The forums also sold tools like ScrubCrypt, a malware obfuscation engine that helps hackers hide malicious code from antivirus software. Cracked.io hosted configs for OpenBullet and SilverBullet, programs designed specifically for credential stuffing attacks.
Administrators didn’t just host discussions. They facilitated transactions through integrated payment systems and provided infrastructure that kept operations running smoothly.
Supporting Infrastructure Taken Down
Operation Talent extended beyond the forums themselves. Authorities seized related services that kept the cybercrime economy functioning:
Sellix.io and MySellix.io processed payments for Cracked, handling financial transactions for stolen data and hacking tools while marketing themselves as legitimate cross-border payment platforms. The Bologna, Italy-based company saw its domains seized alongside the forums.
StarkRDP.io provided Windows remote desktop hosting that threat actors used to mask their locations during attacks. The service, promoted heavily on both forums, gave criminals anonymous access to systems for launching credential stuffing campaigns and distributing malware.
Sites Now Display Seizure Notices
Anyone visiting the affected domains sees a banner: “This website, as well as the information on the customers and victims of the website, has been seized by international law enforcement partners.”
The FBI changed the nameservers to ns1.fbi.seized.gov and ns2.fbi.seized.gov, standard procedure for domain seizures.
Cracked.io administrators initially dismissed the outage as a data center problem. “There is an active issue in our data center which the staff is working on,” they told users on Telegram that morning. Hours later, they acknowledged the truth: “Cracked.io has been seized under Operation Talent with specific reasons being undisclosed. A sad day indeed for our community.”
Pattern of Forum Takedowns Continues
The FBI seized BreachForums in May 2024 using similar tactics. That forum, known for leaking stolen corporate data, had already been taken down once in 2023 before reemerging under new management.
Operation Endgame in 2024 targeted malware distribution networks, resulting in four arrests and the identification of eight fugitives.
Europol described the forums as enabling “cybercrime-as-a-service,” where people with minimal technical skills can purchase tools and data to conduct attacks. The agency warned this model increases both the volume and sophistication of cyber threats facing businesses and individuals.
What Happens Next
Forum members face real risk now. The seized data gives investigators a roadmap to identify buyers, sellers, and administrators across multiple jurisdictions. International cooperation means arrests can happen anywhere.
New forums will likely emerge. They always do. But Operation Talent accomplished something beyond temporary disruption. It captured years of transaction records, user communications, and financial trails that will generate investigations for months or years to come.
The FBI has not announced additional arrests, but federal prosecutors rarely move this aggressively without plans for follow-up actions.
