
Some of the core developers and vendors behind Heartsender on a training hike in 2021 (KrebsOnSecurity)
A group of 21 individuals has been arrested in Pakistan on charges related to the creation and prolonged operation of Heartsender—one of the largest known cybercriminal services specializing in the dissemination of malware and spam. For over a decade, the platform catered to criminal syndicates across the globe, providing tools for email-based attacks, particularly within business email compromise (BEC) schemes. Its clientele included transnational networks that posed as legitimate enterprises to deceive victims and siphon substantial sums of money.
According to Pakistan’s National Cyber Crime Investigation Agency (NCCIA), the arrests took place on May 15 and 16, 2025, in the cities of Lahore and Multan, with operations focused around the Bahria Town district, where part of the suspects’ office infrastructure was located. NCCIA officials estimate that the platform caused damages exceeding $50 million in the United States alone, with an additional 63 cases under investigation across Europe exhibiting similar patterns. Authorities emphasized that this was not merely a technical service, but a “cybercrime university”—a turnkey solution provider for fraudsters worldwide.
Heartsender was promoted via a public-facing website that openly advertised phishing kits targeting users of major online platforms, including Microsoft 365, Yahoo, AOL, Intuit, iCloud, and ID.me. In addition to its flagship name, the same group operated under various brands such as Fudpage, Fudtools, and numerous others containing “fud,” an abbreviation for “Fully Un-Detectable” that in the cybercriminal lexicon signifies evasion of antivirus detection and spam filters.
In January 2025, U.S. law enforcement agencies, in coordination with Dutch police, conducted a joint operation to seize the technical infrastructure of Heartsender. The investigation revealed that the platform’s primary functionality was heavily exploited in BEC campaigns, wherein attackers infiltrated business email threads, altered invoices, and tricked companies into wiring funds to accounts under their control.
At the center of the investigation is Ramiz Shahzad, the alleged mastermind behind Heartsender, who also previously led operations under the banners of The Manipulaters and WeCodeSolutions. In 2021, cybersecurity journalist Brian Krebs identified Shahzad after the hacker inadvertently infected his own systems with spyware, revealing his true identity and linked Facebook profile. Operating under the alias Saim Raza, Shahzad repeatedly contacted KrebsOnSecurity demanding the removal of articles. The last such email, received in November 2024, claimed he had exited the cybercrime business following a confrontation with law enforcement.
The Manipulaters, the precursor to Heartsender, had a brazen public presence during the mid-2010s, advertising services openly on popular cybercrime forums. This changed in 2019, when administrators failed to renew the domain manipulaters[.]com, allowing U.S.-based threat intelligence firm Scylla Intel to seize it. As a result, Scylla began receiving all inbound communications intended for the group, enabling analysts to reconstruct their operations in granular detail.
By 2024, Heartsender made another critical blunder: its web interface leaked a vast trove of data without requiring authentication. Analysts at DomainTools observed the site exposing internal staff credentials, client logins, private correspondence, and business operation blueprints. Further analysis of infected employee machines revealed egregious security lapses, including the local storage of sensitive client data and infrastructure details on workstations.
Among those arrested alongside Ramiz Shahzad was his father, Muhammad Aslam. The remaining detainees are believed to have been involved in technical operations, customer support, service promotion, and possibly the orchestration of cyberattacks. The investigation remains active, with international law enforcement anticipating additional prosecutions in other jurisdictions based on the wealth of intelligence recovered—offering a rare opportunity to dismantle a criminal ecosystem that had flourished in the shadows for over a decade, impacting hundreds of organizations worldwide.