Beyond the Sanctions List: Exposing Forwarderz Operations with StealthMole
On paper, the story of Forwarderz a.k.a. Secondeye Solution ended in April 2021, when U.S. authorities seized its domains and sanctioned its operators for trafficking in falsified identity documents. The seizure notice suggested finality: the websites were gone, the business dismantled, and the actors exposed.
But digital footprints rarely vanish so neatly. Using StealthMole, we set out to test whether traces of Forwarderz still lingered in underground data. What emerged was more than a few stray credentials. Stealer logs revealed administrator emails, domain accounts, and operator machines repeatedly compromised, with exposures surfacing as recently as 2025, years after the takedown.
These leaks, spanning both organizational infrastructure and personal identifiers, show how a dismantled entity can continue to echo through the criminal ecosystem. More importantly, they demonstrate how StealthMole can stitch together stealer data, leaked credentials, and forum chatter into a cohesive picture, one that challenges the notion that sanctions and seizures erase a group’s digital presence.
Background
Forwarderz (a.k.a. Secondeye Solution) was a Karachi-based operation built around one service: selling falsified identity documents. Passports, driver’s licenses, utility bills, and other counterfeit records were offered to clients across the globe, enabling them to commit fraud, open accounts under false identities, and bypass Know-Your-Customer (KYC) checks. For years, Forwarderz maintained a steady presence in illicit markets, serving as a reliable source for forged identities until its activities came under the scrutiny of U.S. authorities.
In April 2021, the U.S. Department of Justice (DOJ) and the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) launched coordinated actions against the group. The DOJ unsealed indictments charging Forwarderz operators with conspiracy, aggravated identity theft, and document trafficking, while OFAC added the organization to its Specially Designated Nationals (SDN) list.
As part of this action, U.S. authorities seized three of the group’s primary websites:
Each domain was replaced with an FBI seizure notice detailing the penalties faced by the operators: up to 15 years in prison for conspiracy and document fraud, 10 years for passport-related offenses, and a mandatory two-year term for aggravated identity theft, along with fines of up to $250,000 or twice the financial gain from the crimes.
On the surface, the action marked the end of Forwarderz. Their storefronts were gone, their names were published in sanction lists, and their infrastructure dismantled. Yet as later sections of this report will show, the group’s digital traces, from compromised credentials to operator aliases, continued to surface long after the takedown, offering rare visibility into how sanctioned actors continue to resurface across leaked data sets years after official takedowns.
Incident Trigger and Initial Investigation
This case did not begin with a breaking breach or a newly emerged criminal marketplace. It started with a dead domain: forwarderz.com, one of the websites seized in 2021 during U.S. actions against Forwarderz a.k.a. Secondeye Solution. On the surface, the story of Forwarderz seemed closed - their sites were down, their names published on sanction lists, and their business erased from the open web.
But the investigation was never about proving they still operated; it was about testing how far StealthMole could go in mapping the hidden remnants of a dismantled service. Could a long-defunct platform still leave footprints strong enough to trace years later?
The first query into forwarderz.com provided an unexpected answer. Instead of fading into obscurity, the domain appeared across multiple compromised credential datasets, tied not just to forgotten customer logins but to internal administrator accounts and operator machines. The logs captured reused emails, service accounts, and even stealer-infected desktops belonging to Forwarderz staff, with leaks stretching as far as 2025.
What began as a simple exercise in testing StealthMole’s indexing capability quickly turned into something more: a chance to reopen the story of Forwarderz and reveal how its digital shadow continues to surface years after the official takedown.
Credential Exposures
The first layer of evidence emerged from compromised credential datasets indexed within StealthMole. When pivoting from the domain forwarderz.com, we quickly uncovered accounts tied not only to customer access but also to internal infrastructure and operator machines. For instance, one entry captured the account i****@forwarderz.com with the password 71*********3, logged from a device labeled B******r-PC. This credential was tied to the administrative email used for managing Forwarderz services, and its compromise highlights exposure at the operator level rather than among customers.
Historical results from Credential Lookout revealed that Forwarderz-linked addresses had been in circulation for over a decade. As early as 2012, i*****@forwarderz.com appeared in a Dropbox credential leak, and in later years, addresses such as i******@forwarderz.com were exposed across additional breaches.
More detailed evidence surfaced in the Compromised Dataset, where logs from operator machines including A*******a-PC, B******r-PC, and J******i were tied directly to Forwarderz infrastructure. These accounts were associated with active access to:
- Webmail: https://m*****.forwarderz.com/
- cPanel/WHM: https://c*****l.forwarderz.com/
- Order system: https://o*****s.forwarderz.com/
- Daily Task panel: https://d*******k.forwarderz.com/
- Absolute subdomain: https://a********e.forwarderz.com/
Credentials for these services showed clear patterns of password reuse: recurring strings such as 75*****B, F******6, and 3F*****p appeared across multiple datasets. These overlaps confirm that the same operator accounts were used repeatedly across different parts of Forwarderz’s internal infrastructure.
Additional exposures from Combo Binder and ULP Binder extended the timeline well beyond the 2021 seizure. Dozens of records tied to i*****@forwarderz.com were linked to external hosting and domain management services, such as Re********b (https://manage.re******b.com/) and Whois.com (https://shop.wh*****s.com/). Leaks from 2024 and 2025 show that credentials connected to Forwarderz infrastructure continued to be harvested by infostealers years after the takedown, highlighting the persistence of the group’s digital traces.
Taken together, these examples establish that Forwarderz credentials, spanning organizational accounts, operator machines, and service logins, have been compromised continuously for more than a decade, creating a persistent trail of exposures long after the group’s public-facing platforms were seized.
Linking the Operators
While the credential exposures confirmed that Forwarderz accounts remained active in stealer datasets, the more compelling evidence came from the devices behind them. StealthMole logs repeatedly captured credentials originating from machines explicitly labeled with operator names, directly linking individuals to the group’s infrastructure.
One example is A*******a-PC, which appeared across multiple datasets tied to Forwarderz. In September 2020, the machine logged into https://d********k.forwarderz.com/ using administrative credentials, while in the same dataset it also accessed https://c******l.secondeyehost.com/ with the username secondey and password s*****e. This overlap demonstrates that the same operator device was used to manage both Forwarderz and Secondeye Solution infrastructure, providing a direct technical bridge between the two entities.
Another operator device, B******r-PC, surfaced in April 2021 with logins to https://m*****.forwarderz.com/ using i*****@forwarderz.com and to https://w*******.secondeyesolution.com/ with s*********@secondeyesolution.com. Stealer-captured snapshots from this machine revealed active Skype sessions, including an account titled “Forwarderz Secondeye PayPal Solutions”, which listed the domain www.secondeyesolution.su in its profile and maintained contacts with international clients through Gmail and QQ addresses. This machine was recorded under IP 1**.5*.*4.**4, consistent with P*******i allocation, further linking the operator environment to the same regional context as A*******a-PC.
The machine labeled Jamani also appeared in credential logs tied to Forwarderz, with exposures linked to subdomain access such as https://ab*******e.forwarderz.com/. Passwords like ja********9 and variations of common reuse strings confirmed this account as part of the operator cluster.
Additional identifiers reinforced these links. The email account m**********i@gmail.com - matching the name of Mohsin Raza Amiri, listed in the OFAC sanctions - was compromised in 2020 from the A*******a-PC environment. Stealer snapshots from that compromise showed Mohsin’s personal browsing activity, providing a direct human attribution point. The device in question logged from IP 2**.**2.*0.**5, alongside credentials for Forwarderz and Secondeye infrastructure. More recent exposures from May 2025 tied A*******a-PC, active under IP 1**.**.*9.*2, to Gmail accounts such as A*******a1131990@gmail.com and to a P*****i phone number (+9* 3********0), used across Facebook and OLX accounts with passwords built around the same “A*******a1990” pattern.
Together, these examples demonstrate that Forwarderz and Secondeye Solution were operated by the same small cluster of individuals, whose devices, emails, and even personal identifiers were repeatedly captured in infostealer logs. The blending of professional infrastructure logins with personal accounts highlights poor operational security and provides strong attribution evidence connecting sanctioned entities to named individuals.
Shared Infrastructure Indicators
While much of the investigation centered on Forwarderz-linked accounts and domains, StealthMole’s indexing also revealed overlapping infrastructure that ties multiple individuals to the same digital environment.
The IP address 1**.**.*9.*2 emerged repeatedly in compromised data logs. What makes this significant is its association with multiple distinct user environments:
- A*******a-PC – already tied to Forwarderz infrastructure and domains.
- A****d-PC – compromised credentials show the user identified as A****d from L*****a, S****h, complete with system information and local ZIP code.
- B*****-PC – appearing in the same dataset, connected through the same IP.
This overlap suggests that the Forwarderz ecosystem was not the work of a single isolated operator, but instead relied on shared connectivity where multiple individuals conducted activities through the same IP backbone. Whether this reflects a coordinated operation, shared physical infrastructure, or family/associates working together, it provides a clearer picture of how the network functioned beyond just the seized domains.
Dark Web Mentions and Forwarderz Reputation
Beyond leaked credentials, traces of Forwarderz and Secondeye Solution also appeared in underground discussions and guides, where the group’s services were referenced as trusted resources for identity fraud. These mentions, captured by StealthMole’s dark web tracking, show how the brand remained embedded in cybercrime ecosystems even after its websites were seized.
In July 2023, a fraud tutorial hosted on the onion site http://sh***********************************d.onion/ recommended secondeyesolution.com for identity scans used in the creation of bank drops. The guide described Secondeye as a reliable provider whose documents had successfully passed verification for payment processors, placing it alongside other well-known fraud tools.
That same month, on the forum Cracked.io, a user opened a thread titled “Alternative for secondeyesolution.com ?”. In the post, the author explained that Secondeye had been their go-to service for fake IDs and selfies to unlock stealth PayPal accounts, but noted the site had been “shut down by law enforcement years ago.” The thread, created on 23 July 2023, illustrates both the perceived reliability of Secondeye’s products and the demand that continued even after its official removal.
These references confirm that Secondeye’s reputation extended well beyond its seized domains. Fraud guides pointed to it as a trusted supplier for financial crime, while forum users actively sought replacements after its disruption. This demonstrates how, within the fraud community, Secondeye was viewed not as a minor vendor but as a central provider whose absence left a noticeable gap.
Direct Links to Secondeye Solution
While Forwarderz and Secondeye Solution were listed as aliases in the 2021 OFAC sanctions, StealthMole data provided technical confirmation that the two operated as a single entity.
In September 2020, logs from A*******a-PC captured credentials for https://cpanel.s***********t.com/, where the username s*******y and password s********e were recorded alongside the device’s concurrent access to https://d*******k.forwarderz.com/. This dual activity from the same machine established that the operator managed infrastructure for both brands simultaneously.
Additional exposure from B******r-PC in April 2021 revealed logins to Secondeye service accounts, including s******@secondeyesolution.com and n******@secondeyesolution.com, both tied to https://we******.secondeyesolution.com/. Password strings such as Taj******3 and gt*******5 were observed across multiple datasets, demonstrating continuity of use across the Forwarderz and Secondeye ecosystems.
The overlap extended into official records. The OFAC designation listed both the forwarderz.com and secondeyesolution.com domains, as well as secondeyehost.com and variants such as .su, .ch, and .ru. Contact addresses named in the sanctions, including i******@forwarderz.com and su******@secondeyesolution.com, are the same ones that appeared repeatedly in infostealer logs captured years later.
These exposures eliminate any distinction between Forwarderz and Secondeye Solution. Shared infrastructure, identical operator devices, and overlapping credential sets confirm that the brands were interchangeable fronts operated by the same individuals, rather than separate entities.
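The correlation the preceding sections carry out by hand (password strings reused across datasets, operator devices that logged into both Forwarderz and Secondeye infrastructure, and several machines sharing one source IP) can be written as a small clustering routine over stealer-log records. This is an added example, not StealthMole's code; the records, device names, domains and RFC 5737 test IPs are constructed.

```python
# Added example (not StealthMole's code): cluster stealer-log records by device, shared source IP
# and reused password strings, then report which devices bridge both brands.
from collections import defaultdict
from urllib.parse import urlparse

# Constructed records shaped like the report's entries: (device, ip, url, username, password, year).
RECORDS = [
    ("OP-A-PC", "203.0.113.7", "https://task.forwarderz.example/", "admin@forwarderz.example", "pw-A", 2020),
    ("OP-A-PC", "203.0.113.7", "https://cpanel.secondeyehost.example/", "secondey", "pw-S", 2020),
    ("OP-B-PC", "198.51.100.4", "https://mail.forwarderz.example/", "info@forwarderz.example", "pw-A", 2021),
    ("OP-B-PC", "198.51.100.4", "https://web.secondeyesolution.example/", "support@secondeyesolution.example", "pw-B", 2021),
    ("OP-C-PC", "203.0.113.7", "https://shop.example/", "person@example.org", "pw-C", 2025),
    ("OTHER-PC", "192.0.2.9", "https://shop.example/", "other@example.org", "pw-Z", 2024),
]
BRANDS = ("forwarderz", "secondeye")  # hostname substrings identifying the two fronts

def brand_of(url):
    """Brand a logged URL belongs to, or None for a third-party site."""
    host = urlparse(url).hostname or ""
    return next((b for b in BRANDS if b in host), None)

def device_profiles(records):
    """Per-device sets of brands touched, source IPs, password strings and exposure years."""
    prof = defaultdict(lambda: {"brands": set(), "ips": set(), "passwords": set(), "years": set()})
    for device, ip, url, _, password, year in records:
        p = prof[device]
        p["ips"].add(ip); p["passwords"].add(password); p["years"].add(year)
        if (brand := brand_of(url)):
            p["brands"].add(brand)
    return dict(prof)

def link_devices(profiles):
    """Union-find over devices: link any two that share a source IP or reuse a password string."""
    parent = {d: d for d in profiles}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d
    seen = {}  # ("ip"|"pw", value) -> first device observed with it
    for device, p in profiles.items():
        for key in [("ip", v) for v in p["ips"]] + [("pw", v) for v in p["passwords"]]:
            if key in seen:
                parent[find(device)] = find(seen[key])
            else:
                seen[key] = device
    clusters = defaultdict(set)
    for d in profiles: clusters[find(d)].add(d)
    return sorted(clusters.values(), key=lambda c: (-len(c), sorted(c)))

def brand_bridges(profiles):
    """Devices that logged into both brands: the technical bridge the report relies on."""
    return sorted(d for d, p in profiles.items() if set(BRANDS) <= p["brands"])

def exposure_span(profiles, cluster):
    """Earliest and latest exposure year seen across one cluster."""
    years = {y for d in cluster for y in profiles[d]["years"]}
    return min(years), max(years)
```

Run against the constructed records, the routine groups OP-A-PC, OP-B-PC and OP-C-PC into one cluster (a reused password links A to B, a shared IP links C to A) spanning 2020 to 2025, and reports OP-A-PC and OP-B-PC as the devices that touched both brands.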
Assessment
The Forwarderz case demonstrates the gap between official enforcement narratives and the reality of how cybercrime operations persist in data ecosystems. In 2021, the group was presented as dismantled: its domains were seized, its operators indicted, and its brand publicly exposed. Yet StealthMole’s analysis shows that the digital residue of Forwarderz did not vanish. Instead, it remained visible through exposed credentials, compromised operator devices, and personal identifiers that continued to appear in stealer logs years later.
This persistence is not evidence of a business relaunch, but of something equally valuable for investigators: operator continuity. Even when public-facing domains disappear, the individuals behind them often reuse machines, recycle passwords, and fail to compartmentalize personal accounts from illicit infrastructure. These habits create recurring points of exposure that can be tracked across time.
By indexing these leaks, StealthMole offers a way to map entities that appear dormant on the surface but continue to surface in underground data. The case illustrates how sanctioned actors can be traced not by waiting for new infrastructure to appear, but by following the residual trails of their compromised accounts and devices. This approach extends visibility well beyond the life of a seized domain, providing investigators with the ability to monitor sanctioned or deactivated platforms long after their takedown has been announced.
Conclusion
Forwarderz, also known as Secondeye Solution, was publicly dismantled in 2021. Its domains were seized, its operators were sanctioned, and its name was placed on international watchlists. On the surface, the story seemed complete.
Yet StealthMole’s analysis demonstrates that enforcement does not erase the underlying infrastructure or the individuals behind it. Credentials tied to Forwarderz accounts, operator machines, and personal identifiers have continued to surface in infostealer logs, with exposures recorded as recently as 2025. These findings do not signal a reactivated business, but they do reveal the enduring visibility of sanctioned actors in underground data.
The case underscores the value of infostealer indexing for investigators. By correlating leaked credentials, device identifiers, and forum mentions, StealthMole provides a lens into how cybercrime operations leave behind persistent digital shadows. Forwarderz serves as a case study in how sanctioned entities can still be tracked, mapped, and understood long after their takedown - not through new websites, but through the compromised systems and habits of the people who once ran them.
Editorial Note
Attribution in cyber investigations is rarely absolute. While infostealer logs, leaked credentials, and dark web references can provide strong indicators of association, they do not always reveal intent, control, or direct ownership. Many of the identifiers referenced in this report, including emails, machine names, and personal accounts, are drawn from compromised data sources that capture information indiscriminately. Such evidence can strongly suggest linkage but must be interpreted with caution, especially when considering the potential for false positives or overlapping use by unrelated parties.