During Operation TOURNIQUET, a Europol-coordinated operation involving law enforcement agencies from several countries, the RaidForums hacking forum, used primarily for trading and selling stolen databases, was shut down and its domains seized by US law enforcement.
The administrator of RaidForums and two of his accomplices have been arrested, and law enforcement now controls the illicit marketplace's infrastructure.
RaidForums was founded by a 14-year-old
Diogo Santos Coelho, known online as Omnipotent, the founder and administrator of RaidForums, was arrested on January 31 in the United Kingdom and is facing criminal charges. Since his arrest he has been held in custody pending the outcome of extradition proceedings.
Coelho is now 21, according to the US Department of Justice, which implies he was only 14 when he founded RaidForums in 2015.
RaidForums was hosted on three domains: raidforums.com, rf.ws and raid.lol.
According to the Department of Justice, the marketplace offered more than 10 billion unique records from hundreds of stolen databases affecting people in the United States.
Europol said RaidForums had more than 500,000 subscribers and was “considered one of the world’s largest hacker forums” in a separate release today.
“This marketplace had created a reputation for itself by selling access to high-profile database leaks from a variety of US firms in various industries. These contained the usernames and passwords for millions of credit cards, bank account numbers and routing information, and the usernames and passwords for online accounts,” said Europol, the European Union's law enforcement agency.
The forum and its infrastructure were taken down after a year of planning by law enforcement officials in the United States, the United Kingdom, Sweden, Portugal and Romania.
It is unclear how long the investigation itself took, but cooperation between the agencies allowed officials to build a clear picture of the roles different individuals played inside RaidForums.
In a press release, Europol said the people who kept RaidForums running acted as administrators and money launderers, stole and uploaded data, and bought stolen information.
According to the indictment, Coelho has run RaidForums since January 1, 2015, with the support of a few administrators, organizing its structure to promote the buying and selling of stolen data.
To make money, the forum charged membership fees and sold credits that gave members access to privileged sections of the site or to stolen data posted on the forum.
Coelho also served as a trusted intermediary between buyers and sellers, ensuring that both parties would follow through on their agreements.
In February, members began to suspect a seizure
When the site began showing a login form on every page in February, threat actors and security researchers suspected that RaidForums had been seized by law enforcement.
Attempting to log in, however, simply returned the visitor to the same login form.
Researchers and forum members therefore assumed that the site had been seized and that the login prompt was a phishing page set up by law enforcement to harvest threat actors' credentials.
On February 27th, 2022, raidforums.com’s DNS servers were abruptly changed to the following servers:
jocelyn.ns.cloudflare.com
plato.ns.cloudflare.com
Researchers concluded that the domain had been seized because the same pair of nameservers had previously appeared on other domains seized by law enforcement, such as weleakinfo.com and doublevpn.com. Cloudflare assigns a nameserver pair per account rather than per zone, so an exact match on the pair indicates that raidforums.com had been moved into the same Cloudflare account as those earlier seized domains, which is strong circumstantial evidence of a seizure rather than proof on its own.
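The check the researchers performed, comparing a domain's current NS records against nameserver pairs seen on earlier seizures, as a small added example (this is not code from the article or from any of the parties it describes). The constructed sample mimics `dig +short NS raidforums.com` output after the February 27 change; the live lookup helper is optional and only runs if `dig` is installed and the network is reachable.

```python
"""Compare a domain's NS records with nameserver pairs seen on seized domains.

Added example; not from the original article. The only "known" pair is the
one the article reports; extend KNOWN_SEIZURE_NS from your own observations.
"""
import shutil
import subprocess

# Cloudflare pair the article reports on raidforums.com (27 Feb 2022) and,
# earlier, on weleakinfo.com and doublevpn.com. Stored as frozensets so a
# whole pair is matched, not a single nameserver.
KNOWN_SEIZURE_NS = {
    frozenset({"jocelyn.ns.cloudflare.com", "plato.ns.cloudflare.com"}),
}


def normalize_ns(names):
    """Lower-case and strip the trailing dot so 'Plato.NS.Cloudflare.com.' matches."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())


def parse_dig_short(output):
    """Parse `dig +short NS <domain>` output (one nameserver per line)."""
    return normalize_ns(output.splitlines())


def classify(ns_names):
    """Return a verdict string for a set of nameservers."""
    ns = normalize_ns(ns_names)
    if not ns:
        return "no NS records (domain may be suspended or unregistered)"
    if ns in KNOWN_SEIZURE_NS:
        # Cloudflare assigns one nameserver pair per account, so an exact pair
        # match means the zone sits in the same Cloudflare account as the
        # earlier seized domains: strong evidence of a seizure, not proof.
        return "matches nameserver pair used on previously seized domains"
    if any(ns & known for known in KNOWN_SEIZURE_NS):
        return "partial overlap with known seizure nameservers; investigate"
    if all(n.endswith(".ns.cloudflare.com") for n in ns):
        return "Cloudflare nameservers, pair not previously seen on seizures"
    return "no match"


def live_ns(domain):
    """Resolve live NS records with dig if it is installed (network required)."""
    if shutil.which("dig") is None:
        return None
    out = subprocess.run(["dig", "+short", "NS", domain],
                         capture_output=True, text=True, timeout=10)
    return parse_dig_short(out.stdout)


# Constructed sample, not a real capture: what `dig +short NS raidforums.com`
# would have printed after the nameservers were changed on 27 Feb 2022.
SAMPLE_DIG = "plato.ns.cloudflare.com.\njocelyn.ns.cloudflare.com.\n"

if __name__ == "__main__":
    print("sample:", classify(parse_dig_short(SAMPLE_DIG)))
    live = live_ns("raidforums.com")
    if live is not None:
        print("live:", sorted(live), classify(live))
```

Matching on the whole pair, after normalizing case and the trailing dot, avoids false positives from domains that merely happen to share one Cloudflare nameserver name with a seized site.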
RaidForums had a humble beginning before it became the favored place for hackers to sell stolen data. It was originally used to organize various kinds of online harassment, including swatting (false emergency reports that trigger an armed law enforcement response) and “raiding,” which the Department of Justice defines as “posting or sending an overwhelming volume of contact to a victim’s online communications medium.”
In recent years the site gained prominence as a venue where ransomware gangs and data extortionists leaked stolen data to pressure victims into paying. The Babuk ransomware gang and the Lapsus$ extortion group both used it.
The marketplace had been operational since 2015 and was for a long time the quickest way for hackers to sell or share stolen databases with other forum users.
Personal and financial information such as bank routing and account numbers, credit cards, login information, and social security numbers were among the sensitive data sold on the site.
While many cybercrime forums cater to Russian-speaking threat actors, RaidForums stood out as the most popular English-language hacking forum.
After Russia invaded Ukraine and several threat actors sided with Russia, RaidForums announced that any member known to be affiliated with Russia would be banned.