During a disruption action on January 29, 2025, HeartSender servers and domains were seized by various police services. HeartSender is the name of a group of phishing software makers. The Cybercrime Team of the East Brabant police unit started an investigation at the end of 2022, after phishing software was found on the computer of a suspect in another investigation. An investigation against this group was already underway in the United States. These parallel investigations in the United States and the Netherlands have led to the action ‘Operation Heart Blocker’.
The action of January 29 is the provisional conclusion of complex investigations by the FBI and the Cybercrime Team of the East Brabant police unit. During the action, 39 servers and domains abroad were seized.
The criminal group behind HeartSender operated very professionally. Through many different criminal web shops, which were advertised on YouTube for example, they sold tools to commit digital fraud. ‘Senders’, ‘scampaigns’ and ‘cookie grabbers’ are examples of the tools that were offered. A cybercriminal can use these tools to send large amounts of spam or phishing e-mails or use them to steal someone’s login details. In addition, cybercriminals could also buy access to hacked infrastructure in these criminal web shops, such as cPanels (control panels of web servers), smtp servers (servers used to send e-mail messages) and WordPress accounts (system to manage websites). The group behind HeartSender had thousands of customers worldwide.
Buyers
In the investigation, the Cybercrime Team is on the trail of a number of buyers of the tools. Presumably, these buyers also include Dutch nationals. Further investigation is being conducted into these buyers. The investigation into the makers and buyers of this phishing software has not yet been completed with the seizure of the servers and domains.
Dutch victims
The HeartSender datasets contain millions of data from victims worldwide. The datasets also contain approximately 100,000 Dutch data. These are usernames and passwords that may have been misused by cybercriminals. You can check whether your login details appear in the checked dataset from this investigation via www.politie.nl/checkjehack . You can enter your email address here. If your email address appears in the dataset, you will receive an email with tips and information about what you can do best. If you do not hear anything, you were not among the victims of this network with that email address. With the WordPress accounts, we see that people sometimes use a different username instead of their email address. In those cases, you cannot use Check je Hack to check whether your data has been leaked. That is also why it is a good idea to change your passwords regularly and for these types of systems we definitely advise doing this preventively.
Impact
If your account details are included in the dataset, the impact can be significant. For example, if your username and password for your email account have been leaked, cybercriminals can use this to gain access to your address book. In this way, they can send phishing emails to all your contacts in your name. Your contacts will probably trust the emails because they come from you. In this way, they may also share their own details with criminals via a link in such an email. Criminals can also indicate on web shops that they have lost their password, after which a recovery link is sent to your mailbox. In this way, they can change your password for the web shop. With the stolen cPanel or WordPress accounts, criminals have access to the management system of your website or server, which can then be managed by the criminals.
What do you do if you have become a victim?
Change your passwords as soon as possible and activate two-step login. In addition, always report if you have become a victim of cybercrime! This research shows once again that we are able to significantly disrupt and disrupt the criminal infrastructure of cybercriminals. We are making a big step forward. But we cannot do it alone. Every report contributes to the collection of valuable information that helps track down perpetrators and prevent new victims. This can be done via www.politie.nl or a police station in your area.Watch on YouTube (Dutch).
Source: Politie.nl