HUMAN BLOG

Satori Quick Hit: Cybercriminals just lost some of their most popular forums–will it actually slow them down?

Satori Threat Intelligence and Research Team

February 5, 2025

Categories: Account Takeover, Threat Intelligence


On January 29, 2025, the Federal Bureau of Investigation, in cooperation with other international law enforcement agencies, seized several forums linked to cybercrime. These forums included cracked[.]io, nulled[.]to and sellix[.]io. These forums were hubs for stolen credentials, attack tools such as checkers and brute-forcers, and services that cybercriminals used to carry out automated attacks like account takeover (ATO) and fake account creation. Threat actors also used these shops as a marketplace for advertising bypasses for many bot mitigation services.

Why these forums mattered

The three seized forums weren’t exclusive, invite-only hangouts for seasoned cybercriminals. They were remarkably easy to access, requiring no specialized software or significant fees. As a result, they attracted a broad user base, including novices and others with minimal skills looking to purchase tools or configs.

Configs are utilities designed to automate attacks like ATO and credential stuffing, letting even novice attackers operate at scale. By lowering the barrier to entry, these forums contributed to the commoditization of cybercrime.

Human Security’s Satori Threat Intelligence team taps into forums and marketplaces like these to gather intel on malicious tools and services. We fold that intel into the HUMAN Security platform, building detections that keep us ahead of emerging threats. Even if specific forums shut down, our visibility remains strong—we follow threat actors to other marketplaces so we can adapt and protect our customers. All Human Security products and services come with Satori Threat Intelligence built right in.

Do takedowns like this affect the larger threat landscape?

So now that these forums have been seized and the domains are under the control of the FBI, what does this mean for the bot defense landscape? Does this takedown significantly reduce the risk of bot-based attacks? 

It’s tempting to assume that takedowns like this are major setbacks for cybercriminals trading in stolen credentials and attack tools. But these takedowns typically don’t eliminate the problem—threat actors will move their business elsewhere while the forum operators rebrand and reemerge. Here’s why bot-driven threats remain a concern:

There are plenty of other cybercrime marketplaces

These are just a few of the many forums and marketplaces out there for cybercriminals. While they are some of the most well-known, high-profile players, they are not the only places where purveyors of illicit goods can operate. Many others are still operating and selling the same types of goods.

Threat actors pivot quickly

Cybercriminal threat actors are persistent, and when an existing tool or technique no longer works, they pivot and adapt their techniques to keep making money. In this case, we will likely see buyers move to other marketplaces and the forum operators retool and create a new offering. BreachForums was taken down by the FBI in 2024, and it came back online just a few weeks later. For threat actors, takedowns appear to be just a temporary setback.

Existing threat inventory is still in circulation

There is still a lot of “inventory” in the hands of threat actors. Inventory can be configs, bypasses, credentials or tools–really anything sold on these forums or marketplaces that threat actors use to enable or conduct bot-based attacks. The credentials and tools that threat actors have already purchased have not disappeared, and these utilities can still be used to target organizations. Bot attacks can and will continue using this previously purchased inventory in addition to what threat actors are able to acquire from still-live marketplaces and those that will emerge in the absence of those most recently seized by the FBI.

What’s next?

These are just a few of the reasons that bot defense remains a critical piece of an organization’s defensive approach. Over the next few days and weeks, we will likely see continued change in the forum and marketplace landscape in response to these takedowns, but exactly what that is remains to be seen. However, what we do know is that bot-based attacks, including ATO, scraping, fake account creation and more, will not go away.

For a deeper understanding, check out these resources:

Human Security Platform

Satori Threat Intelligence
