39 cybercrime domains seized, linked to HeartSender cybercrime group


Law enforcement agencies from the United States and the Netherlands have dismantled 39 cybercrime domains and associated servers. These domains were part of a Pakistan-based network of marketplaces selling tools to enable fraud and hacking. The network was operated by a group called Saim Raza, also known as HeartSender.

The tools sold (such as phishing toolkits) enabled transnational organized crime groups to target numerous U.S. victims, primarily with business email compromise (BEC) attacks.

Below, security leaders discuss the operation, the takedown, and its implications.

Security leaders weigh in 

J. Stephen Kowski, Field CTO at SlashNext Email Security+:

The takedown of HeartSender reveals how cybercrime has evolved into a sophisticated service industry, where even non-technical criminals can easily purchase and deploy advanced phishing tools to target businesses. While this operation marks a significant victory against BEC infrastructure, the $3 million in documented losses highlights only a fraction of the financial damage these automated phishing operations can inflict on organizations. Real-time detection and blocking of suspicious URLs, combined with AI-powered analysis of communication patterns, remains crucial as cybercriminals will inevitably attempt to fill the void left by this disrupted marketplace. The key to preventing future attacks lies in implementing advanced email security that can identify and stop social engineering attempts before they reach potential victims, especially since BEC attacks continue to evolve and become more sophisticated.

Darren Guccione, CEO and Co-Founder at Keeper Security:

Operation Heart Blocker highlights the ongoing threat of BEC phishing schemes and why proactive cybersecurity measures to protect organizations against social engineering attacks are essential. This takedown disrupted a network of fraud-enabling marketplaces that provided phishing kits and credential-stealing tools, fueling large-scale BEC attacks since at least 2020 and causing millions in losses. The fact that these tools were readily available — complete with instructional videos — shows how cybercriminals are making it easier than ever to launch phishing attacks, even for non-technical threat actors.

BEC and other phishing attacks thrive on weak authentication and poor access controls. Organizations should enforce least privilege access and enable Multi-Factor Authentication (MFA) on all accounts that have it available. Implementing Privileged Access Management (PAM) allows organizations to monitor and secure their most sensitive, critical accounts. Cybercriminals exploit phishing, credential stuffing and malware to infiltrate systems, making real-time continuous monitoring another critical component to any cybersecurity defense. To stay ahead, organizations should leverage dark web monitoring to detect compromised credentials, enforce strict authentication policies and continuously update their security frameworks to combat BEC, phishing kits and other evolving cyber threats.

Heath Renfrow, CISO and Co-founder at Fenix24:

While I commend law enforcement and all involved in Operation Heart Blocker for their successful efforts in dismantling a key cybercriminal network, it will have minimal impact on slowing the larger cybercrime epidemic that continues to escalate. For every criminal group disrupted, multiple others remain active or emerge to take their place.

BEC remains one of the most widespread and financially devastating cyber threats, yet it garners far less public attention compared to ransomware. The reason? Unlike ransomware, which creates immediate operational disruptions that force victims to disclose incidents, BEC fraud is often quietly absorbed by organizations as a financial loss. Companies may be reluctant to report these crimes due to reputational concerns or because the stolen funds are often unrecoverable, leaving little incentive for public disclosure.

https://www.securitymagazine.com/articles/101352-39-cybercrime-domains-seized-linked-to-heartsender-cybercrime-group
