An international law enforcement operation raided and took down
RaidForums, one of the world’s largest hacking forums notorious for
selling access to hacked personal information belonging to
users.
Dubbed Tourniquet, the seizure of the cybercrime website
involved authorities from the U.S., U.K., Sweden, Portugal, and
Romania, with the criminal investigation resulting in the arrest[1]
of the forum’s administrator at his home last month in Croydon,
England.
The three confiscated domains associated with the illicit
marketplace include “raidforums[.]com,” “Rf[.]ws,” and
“Raid[.]lol.”
Diogo Santos Coelho (aka “Omnipotent”), the said founder and
chief administrator, was apprehended in the U.K. on January 31 and
is pending extradition to the U.S. Santos Coelho has been charged
with conspiracy, access device fraud, and aggravated identity
theft.
In addition to detailing Santos Coelho’s central role in
designing and administering the software and computer
infrastructure, the U.S. Justice Department (DoJ) accused the
21-year-old Portuguese national of operating a fee-based middleman service[2] to facilitate the
transactions on the platform.
“Notably, to create confidence amongst transacting parties, the
Official Middleman service enabled purchasers and sellers to verify
the means of payment and contraband files being sold prior to
executing the transaction,” the DoJ said[3].
Europol, which called it a “culmination of a year of meticulous
planning,” said RaidForums had more than 500,000 users since its
launch in January 2015, with the storefront offering for sale
databases of pilfered data comprising more than 10 billion unique
records of individuals in the U.S. and abroad.
These databases, which served as a repository of personal data,
contained credit card details, bank account numbers and routing
information, social security numbers, and the usernames and
associated passwords needed to access online accounts.
“This marketplace had made a name for itself by selling access
to high-profile database leaks belonging to a number of U.S.
corporations across different industries,” the agency said[4]. “These datasets were
obtained from data breaches and other exploits carried out in
recent years.”
Interestingly, the “Raid” in RaidForums is a nod to its early
beginnings as a hub for organizing various forms of electronic
harassment — like “raiding,” which refers to a form of targeted
harassment by posting an overwhelming volume of messages to a
victim.
The dismantling of RaidForums is said to have occurred on
February 25, 2022, when the online marketplace mysteriously went
offline nearly two weeks after it was plagued by database errors
and outages between February 7 and 12, implying that law
enforcement officials had access to the infrastructure for several
weeks.
“Prior to the alleged seizure, Omnipotent purportedly went on a
vacation between January 31 and February 7, the day of the recent
outage, according to his Telegram bio,” cybersecurity company
Flashpoint noted[5]
at the time.
“After the site was back up on February 12, Omnipotent did not
comment on the outage. Furthermore, the site’s owner was not
apparently active on the site up until the alleged seizure on
February 25.”
Besides functioning as an online venue for illegal activity,
RaidForums relied on different subscription tiers (i.e., free, VIP,
MVP, and God) to profit from the sales of confidential and
sensitive information. Another monetization technique entailed the
use of credits for members to unlock privileged access to the
compromised databases.
What’s more, RaidForums enabled cybercriminals to earn credits
in other ways, such as through posting instructions on how to
commit illegitimate acts, the DoJ added.
The demise of RaidForums comes amid a series of ongoing steps
taken by law enforcement to crack down on cybercrime over the past
year. Last week, German and U.S. authorities shuttered Hydra[6], the
Russia-based, longest-running dark web marketplace that has been
connected to $5 billion in transactions since 2015.
“Disruption has always been a key technique in operating against
threat actors online, so targeting forums that host huge amounts of
stolen data keeps criminals on their toes,” Edvardas Šileris, head
of Europol’s European Cybercrime Centre, said in a statement.
Read more https://thehackernews.com/2022/04/fbi-europol-seize-raidforums-hacker.html
