In a victory against cybercrime, international law enforcement agencies on January 30, 2025 jointly announced the disruption of Cracked and Nulled, two of the world’s largest cybercrime forums. The multinational effort, named Operation Talent, targeted these forums for their roles as key marketplaces for stolen data, hacking tools, and malware, significantly lowering the barrier to entry for cyber criminals.
A Coordinated Global Effort
Led by German authorities, the effort brought together law enforcement agencies from the United States, Australia, France, Greece, Italy, Romania, and Spain, with vital support from Europol, to dismantle these forums. The European Cybercrime Centre (EC3) at Europol played a central role in facilitating collaboration through the Joint Cybercrime Action Taskforce (J-CAT).
According to Europol and the United States Department of Justice, both forums facilitated large-scale cybercrime operations, including networks of cybercrime-as-a-service. Since March 2018, Cracked functioned as an illicit marketplace where cyber criminals sold stolen login credentials, hacking tools, and services to host malware and stolen data. It also provided cyber criminals with resources and tools to commit fraud. With over four million users, the Cracked marketplace saw twenty-eight million posts advertising cybercrime tools and stolen data and generated four million dollars in revenue. The platform’s activities impacted at least seventeen million victims in the United States.
Similarly, Nulled operated as a hub for cyber criminals to buy and sell stolen login credentials, identification documents, and hacking tools. Operating since 2016, Nulled had over five million users, forty-three million posts, and generated an estimated one million dollars in yearly revenue from illicit activity.
Both platforms functioned “quite openly” as service providers catering to criminals, based on an investigation into the platform history.
Key Takedown Actions
Between January 28 and January 30, law enforcement carried out a sweeping operation. Authorities arrested two suspects, including a 29-year-old Argentinian national living in Spain, who law enforcement identified as an administrator of Nulled. Officials also searched seven properties and seized seventeen servers along with more than fifty electronic devices. Additionally, law enforcement confiscated approximately three hundred thousand euros in cash and cryptocurrencies, further disrupting the financial operations tied to these platforms.
As part of the takedown, authorities shut down twelve domains linked to cyber criminal activities. The FBI, working alongside global law enforcement partners, identified and seized eight domain names used to operate Cracked, as well as infrastructure supporting its payment processor, Sellix, which facilitated cybercrime transactions. Additionally, the operation dismantled StarkRDP, a bulletproof hosting service designed to shield illicit activities from law enforcement detection.
A Strategic Approach to Ransomware Disruption
This operation reflects an increasingly coordinated global approach to targeting ransomware enablers, aligning with key priorities outlined in the 2021 Ransomware Task Force report. Rather than solely focusing on arresting individual cyber criminals—who are often difficult to locate or operate from jurisdictions with little law enforcement cooperation—this effort zeroes in on the services and infrastructure that sustain ransomware operations.
By taking down illicit payment processors, bulletproof hosting providers, and marketplaces for stolen credentials, law enforcement agencies are making it harder for ransomware groups to operate. These actions align with RTF recommendations emphasizing the importance of seizing cryptocurrency tied to ransomware payments (Action 2.1.4), dismantling cybercrime infrastructure (Action 2.2), and improving cross-border law enforcement coordination (Action 2.3.1).
Conclusion
The coordinated action to dismantle Cracked and Nulled is an important step in the ongoing effort to combat cybercrime. While shutting down these platforms disrupts existing operations, cyber criminals often seek alternative forums or rebuild in new locations. Continued law enforcement action, alongside enhanced public-private collaboration and continued focus on national and international policy levers—such as fostering more effective information-sharing between governments and industry—is essential to maintaining pressure on these networks.
By taking decisive action against cybercrime infrastructure, authorities send a clear message: cyber criminals will face increasing barriers to operation, making it more difficult to profit from illicit activities.