
#19: Cracked.io Takedown, X and Visa Digital Wallet, Phishing Clicks 3x in 2024
This week, we’re covering a major takedown of cybercriminal marketplaces, Elon Musk’s push for X to become a financial giant, and alarming data on the continued rise of phishing attacks. Let’s dive in.
NATE'S TAKE - FEBRUARY 4, 2025
Top Three This Week
- Cracked.io Takedown: A Cybercrime Playground Gets Shut Down
- X and Visa Are Building a Digital Wallet—What Could Possibly Go Wrong?
- Phishing Click Rates Tripled in 2024—Why Aren’t Users Learning?
1. Cracked.io Takedown: A Cybercrime Playground Gets Shut Down

Last week, law enforcement finally took down Cracked.io, a cybercrime marketplace that had been operating in the open since 2018. According to the DOJ, the site had over 4 million users, 28 million posts advertising stolen credentials and hacking tools, and raked in about $4 million in revenue. The numbers are staggering: 17 million victims in the U.S. alone had their data exposed through the platform.
I shared my take on LinkedIn after the news dropped: while this is a win for law enforcement, it hasn’t exactly shaken up the fraud world. Cracked.io had long been considered an entry-level playground for beginner fraudsters, while the more sophisticated cybercriminals moved to private chat apps, invite-only forums, and foreign-language exploit sites. If you were hoping this would put a dent in credential theft, you’ll be disappointed. There’s no shortage of alternatives filling the gap.
What this takedown really highlights is how accessible cybercrime has become. Fraudsters no longer need deep connections or technical skills to buy stolen data or hacking tools—they can just log in and grab what they need. For fraud teams, that means stolen credentials are always in circulation, and we can’t rely on static defenses to stop account takeovers (ATOs). Continuous monitoring, behavioral analytics, and dark web intelligence are must-haves to stay ahead.
Cracked may be gone, but the fraud it fueled is alive and well. Let’s keep pushing back.
2. X and Visa Are Building a Digital Wallet—What Could Possibly Go Wrong?

Elon Musk has made no secret of his ambition to turn X (formerly Twitter) into a full-scale financial platform, and his latest move—a partnership with Visa to roll out a digital wallet—is a big step in that direction. The feature is set to launch in mid-2024, allowing peer-to-peer payments, merchant transactions, and even potential crypto integrations.
I shared my thoughts back when Zelle (FIF14) and Cash App (FIF17) faced legal scrutiny for fraud reimbursement issues, and this move by X raises some of the same concerns. Payments are a magnet for fraud, and with X still struggling with impersonation and identity verification issues, it’s fair to ask: How secure will this platform really be?
According to reports, X has secured money transmitter licenses in 14 states, signaling a serious push into financial services. But building a secure, fraud-resistant payments platform is easier said than done. Social platforms have historically struggled with payment scams, account takeovers, and fraudulent merchant activity, and X will need to prove it can balance security with scale.
Visa’s involvement adds legitimacy, but it remains to be seen how X will handle fraud prevention, identity verification, and customer dispute resolution. If X doesn’t learn from the fraud issues that have plagued other peer-to-peer payment platforms, this could turn into a prime target for scammers.
For fraud fighters, this is one to watch closely. The merging of social media and payments comes with high risks, and fraud prevention needs to be built in from the start—not as an afterthought.
3. Phishing Click Rates Tripled in 2024—Why Aren’t Users Learning?

A new report reveals a shocking statistic: phishing click rates tripled in 2024, despite widespread user training efforts. The study analyzed over 600 million emails and found that a staggering 14% of recipients clicked on phishing links, even in organizations that regularly conduct security awareness training.
These findings suggest that awareness alone isn’t stopping phishing attacks. Cybercriminals are evolving their tactics, using more personalized lures, urgency-driven messaging, and AI-generated content to make scams harder to detect. Attackers are also leveraging trusted platforms like Google Drive and Microsoft OneDrive to deliver phishing payloads, bypassing traditional email security filters.
This aligns with trends we’ve covered in FIF18, where scammers used legitimate Google security prompts to manipulate users into granting account access. The problem isn’t just that people fall for phishing—it’s that attackers are weaponizing trusted processes and services to make detection even harder.
As phishing attacks become more convincing and automated, fraud defenses must move beyond training and focus on early detection and mitigation.
===
That’s all for this week! For more insights, follow us on LinkedIn or X, and if you want to learn more about what we do, visit www.specprotected.com.
Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.