The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums.

In this 2019 post from Cracked, a forum moderator told the author of the post (Buddie) that the owner of the RDP service was the founder of Nulled, a.k.a. “Finndev.” Image: Ke-la.com.
On Jan. 30, the U.S. Department of Justice said it seized eight domain names that were used to operate Cracked, a cybercrime forum that sprang up in 2018 and attracted more than four million users. The DOJ said the law enforcement action, dubbed Operation Talent, also seized domains tied to Sellix, Cracked’s payment processor.
In addition, the government seized the domain names for two popular anonymity services that were heavily advertised on Cracked and Nulled and allowed customers to rent virtual servers: StarkRDP[.]io, and rdp[.]sh.
Those archived webpages show both RDP services were owned by an entity called 1337 Services Gmbh. According to corporate records compiled by Northdata.com, 1337 Services GmbH is also known as AS210558 and is incorporated in Hamburg, Germany.
The Cracked forum administrator went by the nicknames “FlorainN” and “StarkRDP” on multiple cybercrime forums. Meanwhile, a LinkedIn profile for a Florian M. from Germany refers to this person as the co-founder of Sellix and founder of 1337 Services GmbH.
Northdata’s business profile for 1337 Services GmbH shows the company is controlled by two individuals: 32-year-old Florian Marzahl and Finn Alexander Grimpe, 28.

An organization chart showing the owners of 1337 Services GmbH as Florian Marzahl and Finn Grimpe. Image: Northdata.com.
Neither Marzahl nor Grimpe responded to requests for comment. But Grimpe’s first name is interesting because it corresponds to the nickname chosen by the founder of Nulled, who goes by the monikers “Finn” and “Finndev.” NorthData reveals that Grimpe was the founder of a German entity called DreamDrive GmbH, which rented out high-end sports cars and motorcycles.
According to the cyber intelligence firm Intel 471, a user named Finndev registered on multiple cybercrime forums, including Raidforums [seized by the FBI in 2022], Void[.]to, and vDOS, a DDoS-for-hire service that was shut down in 2016 after its founders were arrested.
The email address used for those accounts was f.grimpe@gmail.com. DomainTools.com reports f.grimpe@gmail.com was used to register at least nine domain names, including nulled[.]lol and nulled[.]it. Neither of these domains were among those seized in Operation Talent.
Intel471 finds the user FlorainN registered across multiple cybercrime forums using the email address olivia.messla@outlook.de. The breach tracking service Constella Intelligence says this email address used the same password (and slight variations of it) across many accounts online — including at hacker forums — and that the same password was used in connection with dozens of other email addresses, such as florianmarzahl@hotmail.de, and fmarzahl137@gmail.com.
The Justice Department said the Nulled marketplace had more than five million members, and has been selling stolen login credentials, stolen identification documents and hacking services, as well as tools for carrying out cybercrime and fraud, since 2016.
Perhaps fittingly, both Cracked and Nulled have been hacked over the years, exposing countless private messages between forum users. A review of those messages archived by Intel 471 showed that dozens of early forum members referred privately to Finndev as the owner of shoppy[.]gg, an e-commerce platform that caters to the same clientele as Sellix.
Shoppy was not targeted as part of Operation Talent, and its website remains online. Northdata reports that Shoppy’s business name — Shoppy Ecommerce Ltd. — is registered at an address in Gan-Ner, Israel, but there is no ownership information about this entity. Shoppy did not respond to requests for comment.
Constella found that a user named Shoppy registered on Cracked in 2019 using the email address finn@shoppy[.]gg. Constella says that email address is tied to a Twitter/X account for Shoppy Ecommerce in Israel.
The DOJ said one of the alleged administrators of Nulled, a 29-year-old Argentinian national named Lucas Sohn, was arrested in Spain. The government has not announced any other arrests or charges associated with Operation Talent.
Indeed, both StarkRDP and FloraiN have posted to their accounts on Telegram that there were no charges levied against the proprietors of 1337 Services GmbH. FlorainN told former customers they were in the process of moving to a new name and domain for StarkRDP, where existing accounts and balances would be transferred.
“StarkRDP has always been operating by the law and is not involved in any of these alleged crimes and the legal process will confirm this,” the StarkRDP Telegram account wrote on January 30. “All of your servers are safe and they have not been collected in this operation. The only things that were seized is the website server and our domain. Unfortunately, no one can tell who took it and with whom we can talk about it. Therefore, we will restart operation soon, under a different name, to close the chapter [of] ‘StarkRDP.'”
This is sad thank you brian.
nice opsec lawl
.lol, .gag, .etc
‘The .to top-level domain was widely commercialized in 1997 by the San Francisco company Tonic Corp. (founded by Eric Gullichsen and Eric Lyons) which would sell domains at $100 per unit. They operated with the approval of Prince Siaosi, then-Crown Prince of Tonga. Network Solutions was already selling .to domains, but in a very chaotic fashion. Domain requests were processed by the Tongan consulate in San Francisco.’
Historically, this has been a real problem for island nations in the Pacific Region in the past, attracting predatory behaviour from both well intentioned and malicious actors. Apart from Australia, New Zealand and Fiji, there are at least 16 other Sovereign or Territorial Dependent nations that could be targeted in this way. When you have very low GDPs, poor local infrastucture and communities steeped in poverty, it is easy to understand why local officials are not hesitant to accept the vast sums of money offered to them in return for control of their TLDs.
It’s a good point, and $100 a pop from an infinite source of macguffin is pretty easy to part with when you’re an island nation that can use the cash and has no idea what the internet is. And that’s before we start making them up from scratch just to feed the ipv6 beast.
Brian you can also find this Finn Grimpe character has a court case under his company ‘HostPlanet’ from 2016. Looking into this more, it was known since then that he was the owner.
He was likely turned and made it into a honeypot ever since considering he and florian (aka “Jason”) have not been arrested and only a single admin was.
Jason is not Florian, where did that theory even come from? They are completely diffeent people.
Nice try running cover AZ! It’s a known fact that even the communities agreed upon [there are archives proving this and i will dig them up and send them to brian so i hope for your sake you weren’t trying to run cover] if the authorities search the forum even slightly they’ll find the evidence, and the more they do the more it turns from circumstantial into damning. But well, they only arrested an admin since the owners were in on the whole thing.
Opsec is dead. Literally putting your real name into your username and in your email haha.
Time and time again these guys fail in the most spectacular of ways.
The article sheds light on the people behind “Cracked” and “Nulled” forums, exploring their role in online security and the consequences of their actions.
Interesting read! It’s eye-opening to learn about the people behind these forums and how they’ve impacted online security
rdp[.]sh seems to be operational.
These websites did help the fight against cyberthreats due to its broad audience and being on the clearnet, but sure they did also have major flaws to it that is criminal… however it comes with the territory. I know people will forever be on the side who is against these sites, but in my eyes they do help regulars to navigate what security threats there are.
To be on a underground forum which costs around 1000€ or to be invited is harder and you’ll not get the insight in what exists out there.
Another similar forum will popup soon and the cycle will continue.
StarkRDP back in operation. Sellix will soon be too. Europe is not Cuba and the Guantanamo Bay. Sincerely, f**k off.
I have more informations regarding this, and the guy named “Jocker”, figuring as administrator
If you want to know more reach my by email.
Informations regarding the owner of the new
Forum “voided[.]to are available too.
Also some informations regarding KSZ, owner of cracked.to
Reach my via email and I willl snitch on everyone.
Thanks.
John