RaidForums, a popular site that hosted the trading of vast volumes of stolen data, was recently seized in an international effort led by the U.S. government. The forum’s founder-administrator has also been arrested and indicted.
Dubbed Tourniquet, the law enforcement operation involved the participation of Europol and other agencies and resulted in the takedown of the RaidForums site and also the seizure of a database containing the details of all users and visitors.
RaidForums is an English-language forum founded in 2015. As per reports, the site facilitated the sale of approximately 10 billion personal data records of U.S.-based and international individuals. This data was obtained (read: stolen) in several high-profile data breaches since 2015.
Erick Galinkin, a principal AI researcher at Rapid7, told Toolbox, “There was some inclination that this was coming. Since late February, there was chatter on Telegram about a seizure and the forum went down briefly at the end of February.”
The first indictment against the founder of RaidForums was filed on May 6, 2021 (but opened only yesterday). This indicates that law enforcement authorities have been planning the forum’s takedown for some time now.
On February 7, access to the RaidForums website became problematic. Users began facing database errors until February 12. This fueled suspicion on Telegram and other channels as to who exactly caused the glitches and, more importantly, who resolved the glitches on February 12.
Flashpoint discovered an interesting timeline concerning RaidForums’ seizure, hinting at the involvement of Russians. For one, members and users of the site openly displayed anti-Russia rhetoric.
- Kristina, a RaidForums member, dumped data on the site, allegedly containing documents, emails, and passwords of the Russian military, on January 19
- An unknown user then posted a 2 TB array of Russian databases that possibly contained Russian personal information (full names, dates of birth, passport numbers, and tax information) on February 3
- Another unknown user posted 61 million Russian phone numbers on February 15
- RaidForums user Kozak888 posted a database belonging to a Russian express delivery and logistics company with 800 million records on February 25. The logistics company reportedly serves the Russian federal government.
While posting, Kozak888 said the leak was in response to Russia’s invasion of Ukraine. But the last and perhaps the biggest straw could have been RaidForums’ announcement on February 24, the day of Russia’s military invasion of Ukraine, that it would ban all users found to have Russian IPs, thus taking an open stance, like many other cybercriminals, in the geopolitical turmoil.
Neither the DoJ, the FBI, Europol, nor other agencies have confirmed if they received any tip from the Russians.
RaidForums’ takedown comes just a week after Hydra, the world’s largest darknet marketplace, was seized, indicating a solid resolve by law enforcement to disrupt cybercriminal infrastructure. But unlike Hydra, which facilitated the sale of narcotics, financial information and other illegal items, RaidForums primarily dealt with the sale of stolen data and credentials. Also, RaidForums was built on the open web instead of the dark web.
Fascinating to see this finally unravel. RaidForums became the de facto standard for selling and exchanging data breaches. The amount of personal info (including yours and mine) that propagated through that site **running on the clear web** is unfathomable
— Troy Hunt (@troyhunt) April 12, 2022
“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” said assistant attorney general Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division.
The stolen data, now in the hands of law enforcement agencies, may include financial information (bank accounts, credit card data, etc.), usernames and passwords or other personally identifiable information.
According to Europol, RaidForums had over half a million registered members. Recorded Future pegged the number at 530,000 (with 20,000 active users). Depending on the tier, a membership granted users access to chatrooms and the exchange of cybercriminal data. For example, the God tier offered greater access and pricier features than the lower tiers.
RaidForums also sold credits for privileged access to the site, enabling members to unlock and download stolen financial information, means of identification, and data from compromised databases. Credits could, in turn, be earned by teaching illegal acts, among other things.
RaidForums’ operations included electronic harassment, including by ‘raiding,’ i.e., overwhelming a target/victim with messages, or ‘swatting,’ which is the practice of making false reports to law enforcement about situations that would necessitate an armed response.
RaidForums was popular mainly among low- to mid-level cybercriminals. It was founded by Diego Santos Coelho, a 21-year-old individual from Portugal who was arrested in the U.K. on January 31 this year.
Coelho, who goes by the alias ‘Omnipotent’ on RaidForums, was indicted by the U.S. Department of Justice on six counts. Charges include conspiracy, access device fraud, and aggravated identity theft in connection with his role as the chief administrator of RaidForums between January 1, 2015, and January 31, 2022.
Coelho also personally sold stolen data on RaidForums and acted as an ‘Official Middleman,’ facilitating illegal transactions as an intermediary. He reportedly sold data to an undercover officer as well.
RaidForums’ infrastructure, including the domains raidforums[.]com, Rf[.]ws, and Raid[.]lol, has been seized under Operation Tourniquet. Visiting these domains now displays the following message:
However, experts, including Galinkin, suggest this may not be over yet. There’s a possibility that RaidForums, like Hydra, could be resurrected elsewhere. Galinkin explained, “Though the crackdowns on forums like this are beneficial to the community at large — increasing the barrier to entry and the cost of doing business is important for security — cybercriminals will likely react the way they always do: by finding a new home.”
Galinkin further added, “The Breached Forum began touting itself as the successor to Raid forums weeks ago, and we will likely see many of the users move on to Breached and others.”
Based on the chatter on RaidForums’ Telegram channel, Flashpoint said other cybercriminal forums that could absorb its users are Exploit or XSS. But considering both are Russian-language hacking forums, it is unlikely that a significant portion of RaidForums’ users would migrate there.
“Law enforcement collaboration with cybersecurity practitioners and service providers, like we’ve seen with various exploit kits, botnets, and hacking groups, continues to be a powerful tool for shutting down large swaths of criminal activity all at once,” concluded Galinkin.
To seize RaidForums, the FBI, Secret Service, and Department of Justice coordinated with Europol and other law enforcement agencies from Portugal, the UK, Germany, Romania, and Sweden. Coelho, whose Twitter account has also been suspended, will remain behind bars until his extradition to the U.S. and the subsequent trial.