On January 29th, Operation Talent aimed to take down the online cybercrime forums Cracked[.]io and Nulled[.]to as well as other connected services. The operation was carried out by German authorities and supported by Europol, the FBI, and many other foreign adversaries.
Nulled was launched in January of 2015 by the user “finndev”, allowing its users to share combolists, cracking tools, and stolen databases. At the time of the take down, Nulled had over 5M registered users. Finn Grimpe aka “finndev”, was known to be a reverse engineer. He had the reverse engineer role on Nulled for many years. Finn is the founder of Shoppy[.]gg and RDP[.]sh. Launched in 2018 Shoppy was an e-commerce platform practically identical to Sellix. Shoppy allowed its users to setup online stores to sell virtual goods. Many users on Nulled used Shoppy to sell the stolen accounts they would crack for extremely cheap prices. Shoppy was not one of the targeted sites during Operation Talent which leads me to believe that Finn is not a part of the company anymore or he just got lucky.
RDP[.]sh is finndev’s hosting company which launched in April of 2019. In the early days of RDPsh, Finn ran ads on Nulled that said “Visit rdp.sh for cheap RDPs for cracking”. RDPsh was not mentioned in the indictment posted by the DOJ and has not been seized.
Cracked[.]io was launched in late 2018. The founders launched the site as a direct competitor to Nulled, according to an anonymous source. The original staff team included 'floraiN', 'Royals', and 'Jocker'. Jocker was also a moderator for Nulled as early as August 2016.
FloraiN was removed from the staff list (cracked.to/showteam.php) in December of 2018, just a few months after the forum was created. Archived pages of his profile show that he was a very prominent figure in the community receiving “Member of the Month” multiple times. FloraiN would even post to the official Announcements page on Cracked consistently up until mid 2020, just before the forum switched to using the .io domain. It might be a sign that floraiN didn't want to be publicly known as a staff member but would still help run the website in the background.
In the summer of 2019 floraiN launched StarkRDP, a "bulletproof" hosting provider. I use the term bulletproof loosely as the majority of their servers were just resold from OVH. StarkRDP, was used by many cybercriminals to conduct credential stuffing attacks with tools like OpenBullet/SilverBullet. In June of 2019 floraiN posted a thread to Cracked trying to promote his new hosting company. The first promotional material explicitly states “Cracking Allowed”. This is irrefutable evidence that Stark knowingly endorsed cybercrime to take place on their servers. The main StarkRDP domain has since been seized by law enforcement under Operation Talent. Just recently as of February 4th, 2025, Stark has rebranded to LakeVPS[.]io. Update: Just 2 days later on February 6th, they have since gone back to their old branding with Starkrdp.net.
FloraiN Marzhal aka ‘floraiN’ along with Finn Grimpe aka 'finndev' are the founders of 1337 Services Gmbh aka AS210558. FloraiN used 1337 Services to register his second company Sellix in 2020. Sellix is a very popular payment provider among the Cracked/Nulled community. Sellix allows its users to set up shops to sell online goods. Many video game cheat providers used Sellix to sell subscriptions to their cheats. Individuals would also use Sellix in order to sell stolen accounts to various websites like Papa Johns, Hilton Hotels, and even PayPal.
Lucas Sohn aka 'Lucas', a 29 year old Argentinian man who was living in Spain at the time, was arrested during Operation Talent for his involvement with Nulled. He was a moderator as early as mid 2017 and then became the forum admin later on. He created his Nulled account on April 22, 2015. He was the only public admin of the site until it's seizure. Lucas never had any ownership in the forums but was just an administrator. Lucas also had a shoppy store which he promoted publicly in his bio where he would sell stolen Netflix accounts.
It's been two weeks since the shutdown at the time of writing, the Sellix platform is still seized and offline, they are apparently working with authorities to come back online. StarkRDP has since re-launched under a new different domain and has continued business as usual.
The 1337 Services GmbH, FloraiN and finndev seem to be unaffected by Operation Talent at this point of time, no arrests have been made and no other seizures at the company have taken place. FloraiN has created a new discord account and is actively providing support for his StarkRDP customers.
It’s unclear why the authorities seized the StarkRDP website domain and servers, but didn’t intervene in any other way with the 1337 Services GmbH, for people in the cyber industry, this seems very unusual. Whether there was a miscommunication between the authorities or tactical reasons for the reluctance remains unclear at this time.
Florian provided a brief written statement in the StarkRDP support discord, stating, “We firmly believe that Operation Talent will demonstrate our lack of involvement in any alleged crimes and confirm that we have always operated within the bounds of the law.”
In addition to that, he stated “We have been assured by the German authorities that they have no issues with our operations, and we continue to maintain a transparent and lawful business.”
Both platforms, Cracked and Nulled are still offline at this time and no new domains have been created in trying to circumvent the takedown.
Thanks for reading :)