thewayne: (Default)
GO, PAKISTAN!

It's always lovely to see these arrests take place in countries where you don't expect them to happen.

This particular ring, which operated the Heartsender malware service, is accused of stealing more than $50 million from U.S. businesses over the last decade and is under investigation in the EU for further thefts. Their package was advertised as undetectable by anti-virus/anti-malware systems and was used to trick businesses into making money transfers to criminals.

Great malware, lousy opsec (operational security).

The guys apparently thought that Pakistan was totally fine with their running a big cybercrime operation with no consequences. And perhaps it was; I don't know whether other countries 'encouraged' Pakistan to get serious about shutting down people like this or what.

This is where it starts getting good...

"Mr. Shahzad ['alleged' head of the group] was named and pictured in a 2021 KrebsOnSecurity story about a series of remarkable operational security mistakes that exposed their identities and Facebook pages showing employees posing for group photos and socializing at work-related outings.

...

Sometime in 2019, The Manipulaters failed to renew their core domain name — manipulaters[.]com — the same one tied to so many of the company’s business operations. That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that specializes in connecting cybercriminals to their real-life identities. Soon after, Scylla started receiving large amounts of email correspondence intended for the group’s owners."


Like I said, sloppy opsec.

https://krebsonsecurity.com/2025/05/pakistan-arrests-21-in-heartsender-malware-service/
thewayne: (Default)
You would think that a raid of this scope would sorely hamper cybercrime! It will take some time to see how much this will affect things.

From the article: "Interpol, an international police organization, has arrested nearly 3,500 people allegedly connected to cybercrime in a sweeping operation announced on Tuesday. $300 million worth of assets across 34 countries were reportedly seized. The operation, Haechi IV, blocked over 80,000 suspicious bank accounts and warned government officials of new types of scams using AI and fake NFTs."

The fake NFT thing was largely targeted at South Koreans. Apparently they start up a fake NFT and, after a certain threshold of people have invested in it, the organizers just up and vanish.

https://gizmodo.com/interpol-arrest-3-500-cybercrime-operation-300-million-1851113003
thewayne: (Default)
The twerp hacked Vastaamo Psychotherapy Center and stole all their patient files, which included notes taken during therapy sessions. The center refused to pay a six-figure ransom, so he switched to trying to extort the individual patients for 500 Euro each. That didn't prove a revenue generator either, so he dumped all the files on a dark web site. This was October 2020.

In February 2023 he was arrested by French police after the man, 6'3" and green-eyed, presented Romanian identification that proved false. His attorneys asked for his release during the trial, as he had already been jailed for eight months. The judge declared that he was still a flight risk and ordered him held for the duration of the trial.

https://krebsonsecurity.com/2023/11/alleged-extortioner-of-psychotherapy-patients-faces-trial/
thewayne: (Default)
It was a good week for cybersecurity people!

The first outfit was known as Trigona and was famous for ransom and reveal: pay up or your data is going to be published. They were infiltrated by a group that claims allegiance with Ukraine. Over the course of several days, the intruders copied all of the data from ten servers, then trashed them and defaced the gang's public web server. AND the infrastructure was hidden behind Tor onion networking! Some very good work by the attackers. They say all the information is going to be handed over to the appropriate authorities.

The second outfit, Ragnar Locker, was taken down by Interpol and other authorities; raids were conducted in Spain, Czechia, and Latvia. Ragnar is a Ransomware-as-a-Service operation, renting its software to other operations that attack companies and then split the proceeds with Ragnar. Arrests were made and servers were taken down.

https://arstechnica.com/security/2023/10/two-ransomware-gangs-knocked-out-of-commission-in-a-single-week/
thewayne: (Default)
We are, of course, talking about major nation-state activities, such as what Russia has been trying to do in Ukraine since its invasion and annexation of Crimea, continuing with its invasion of and war against all of Ukraine.

There are some very interesting things in this article, such as the fact that some countries that will not extradite to the USA, such as Switzerland and Ecuador, do cooperate with the ICC in The Hague. And these investigations don't just target the people at the keyboards or pulling the triggers; they go up the command chain, potentially to the very top!

https://arstechnica.com/information-technology/2023/09/the-international-criminal-court-will-now-prosecute-cyberwar-crimes/
thewayne: (Default)
A new report from the FBI says we set another record, up from $6.9B in 2021, with crypto investment fraud nearly tripling.

The FBI operates the Internet Crime Complaint Center, where people can report such activity; it logged 800,000 calls last year, or 2,000 A DAY. Phishing led in complaints at 300,000.

Wall Street Journal article, may be paywalled:
https://www.wsj.com/articles/americans-lost-a-record-10-3-billion-to-online-scammers-last-year-fbi-says-274d6139

https://news.slashdot.org/story/23/03/15/1435247/americans-lost-a-record-103-billion-to-online-scammers-last-year-fbi-says
thewayne: (Default)
Your first thought might have been along the lines of 'Finnish hacker? Who cares!' Oh, just read on! A laugh is almost guaranteed.

This is a great story. So this dweeb did all the usual horrible stuff: DDoSes, SWATting, breaking into corporate computers and such. His gang had an exploit that let them get into servers running Cold Fusion, and that got them into some places they probably shouldn't have gotten into, because it brought high-level attention to his activities. And then he did a VERY bad thing.

He broke into a Finnish psychotherapy practice and stole patient treatment records. Stuff that is considered utterly sacrosanct: notes between a therapist and their patients.

He demanded a six-figure ransom and threatened to dump the records on the dark web if the practice didn't pay. They didn't pay. After the practice stopped talking to him, he tried extorting individual patients for 500 euros each. He apparently didn't have any luck with that either, and then he actually went and published the records.

Except he had one very major operational security fail. Somehow he screwed up and included his computer's HOME DIRECTORY IN THE DUMP!

Oops. Major faux pas.

This gave investigators all sorts of information, not only about him personally but also about additional crimes he'd committed and the tools he had used.

He was arrested Friday morning around 7am when "authorities in Courbevoie responded to a domestic violence report". He'd been out drinking, brought a woman home, they got into a fight, and the neighbors called the cops. A roommate or someone let the police in, and they found him sleeping. When they woke him and asked him for ID, he claimed to be Romanian. Police were "Yeah, pull the other one, it's got bells on it," started pulling up photos of wanted foreign criminals, and found out who he was.

He had previously been convicted in court of FIFTY THOUSAND cybercrimes, but as he was 17 at the time, he was given a two year suspended sentence and had to pay 6500 Euros in restitution.

He's been on the run since October of last year, after failing to show up for a court appearance, and was charged in absentia. For some reason I don't think a two-year suspended sentence is in his future; perhaps something a bit stiffer.

https://krebsonsecurity.com/2023/02/finlands-most-wanted-hacker-nabbed-in-france/

Page generated Jul. 27th, 2025 10:40 am
Powered by Dreamwidth Studios