Hacking forum RaidForums seized by police, owner arrested

The RaidForums hacking forum, used mainly for trading and selling stolen databases, has been shut down and its domains seized by US law enforcement during Operation TOURNIQUET, a Europol-coordinated action involving law enforcement agencies in several countries.

The administrator of RaidForums and two of his accomplices have been arrested, and the infrastructure of the illegal marketplace is now under law enforcement control.

14-year-old started RaidForums

The administrator and founder of RaidForums, Diogo Santos Coelho of Portugal, aka Omnipotent, was arrested in the UK on January 31 and faces criminal charges. He has been in pre-trial detention since his arrest, pending the conclusion of his extradition proceedings.

The US Department of Justice said today that Coelho is 21 years old, meaning he was only 14 when he launched RaidForums in 2015.

Three domains hosting RaidForums have been seized: raidforums.com, rf.ws and raid.lol.

Authorities seize domains and infrastructure from RaidForums marketplace for stolen databases

According to the DoJ, the marketplace offered for sale more than 10 billion unique records from hundreds of stolen databases affecting people living in the U.S.

In a separate announcement today, Europol says RaidForums had more than 500,000 users and “was considered one of the world’s largest hacking forums”.

“This marketplace had made a name for itself selling access to high-profile database leaks from a number of US companies in various industries. These contain information for millions of credit cards, bank account numbers and routing information, and the usernames and associated passwords needed to access online accounts” – Europol

According to Europol, the takedown of the forum and its infrastructure is the culmination of a year of planning between law enforcement agencies in the United States, United Kingdom, Sweden, Portugal and Romania.

It is unclear how long the underlying investigation lasted, but the collaboration between these agencies allowed the authorities to build a clear picture of the roles that various individuals played within RaidForums.

Europol shared few details in its press release, but notes that the people who ran and used RaidForums acted as administrators, money launderers, data thieves and uploaders, and buyers of the stolen information.

According to the indictment, Coelho has allegedly controlled RaidForums since January 1, 2015, managing the site with the help of a few administrators and organizing it to promote the buying and selling of stolen data.

To make a profit, the forum charged fees for different membership tiers and sold credits that gave members access to privileged areas of the site or to stolen data dumped on the forum.

Coelho also acted as a trusted intermediary (escrow) between parties entering into a transaction, giving both buyers and sellers confidence that the other side would honor the deal.

Members get suspicious in February

Threat actors and security researchers first suspected that RaidForums had been seized by law enforcement in February, when the site began displaying a login form on every page.

RaidForums phishing page

When visitors attempted to log in, the login page simply reappeared.

This led researchers and forum members to believe that the site had been seized and that the login prompt was a phishing page set up by law enforcement to collect credentials from threat actors.

On February 27, 2022, the authoritative name servers (NS records) for raidforums.com were suddenly changed to the following:

jocelyn.ns.cloudflare.com
plato.ns.cloudflare.com

Because this same pair of name servers had previously been used for other domains seized by law enforcement, including weleakinfo.com and doublevpn.com, researchers took the change as further evidence that the domain had been seized.
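The check the researchers performed, as an added example that is not part of the original article and not code from any party it describes: query a domain's NS records and compare the returned name-server pair with a pair seen on earlier seizures. The DNS response below is constructed by hand to match what the article reports for raidforums.com (complete with RFC 1035 compression pointers, which a real resolver response would also use); the list of "seizure" name servers and the live-lookup helper are this example's own assumptions. Note the caveat the comparison relies on: any single Cloudflare name server is shared by a huge number of unrelated zones, so the signal is the exact pair, because Cloudflare assigns the same name-server pair to every zone in one account.

```python
"""Check a domain's NS records against a name-server pair seen on earlier seizures.

Added example, not from the article. SEIZURE_NS is the pair the article reports;
the DNS response used in the offline demo is constructed here by hand.
"""
import socket
import struct

# Name-server pair the article reports on raidforums.com and on earlier seized domains.
SEIZURE_NS = {"jocelyn.ns.cloudflare.com", "plato.ns.cloudflare.com"}


def build_ns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive NS query (QTYPE 2, QCLASS IN) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 2, 1)


def read_name(msg: bytes, off: int):
    """Decode a DNS name at `off`, following compression pointers (RFC 1035 4.1.4).

    Returns (name, offset just past the name as it appeared at `off`).
    """
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                     # two-byte pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:                               # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                                 # root label ends the name
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), end


def parse_ns_answers(msg: bytes):
    """Return the NS targets found in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    targets = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2:                                  # NS record: RDATA is a name
            target, _ = read_name(msg, off)
            targets.append(target)
        off += rdlen
    return targets


def matches_seizure_ns(nameservers) -> bool:
    """True only when the full pair matches; one shared host alone is not a signal."""
    return {n.lower().rstrip(".") for n in nameservers} == SEIZURE_NS


def constructed_response() -> bytes:
    """Constructed response for 'raidforums.com NS' with compression pointers."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = b"\x0araidforums\x03com\x00" + struct.pack("!HH", 2, 1)  # name at offset 12
    rr1_rdata = b"\x07jocelyn\x02ns\x0acloudflare" + b"\xc0\x17"         # 0x17 -> "com" at 23
    rr1 = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 300, len(rr1_rdata)) + rr1_rdata
    rr2_rdata = b"\x05plato" + b"\xc0\x34"                               # 0x34 -> "ns.cloudflare.com" at 52
    rr2 = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 300, len(rr2_rdata)) + rr2_rdata
    return hdr + question + rr1 + rr2


def live_ns_lookup(name: str, resolver: str = "1.1.1.1", timeout: float = 3.0):
    """Optional online check: send the query over UDP and parse the reply (assumed resolver)."""
    query = build_ns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_ns_answers(reply)


if __name__ == "__main__":
    ns = parse_ns_answers(constructed_response())
    print("NS:", ns, "| seizure pair:", matches_seizure_ns(ns))
```

Run stand-alone, the script parses the constructed response and reports the pair match; call `live_ns_lookup("example.com")` to query a real resolver instead. Treat a match as a lead to corroborate (seizure banner, WHOIS changes, registrar lock), not proof on its own.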

Before RaidForums became the favorite place for hackers to sell stolen data, it had more humble beginnings and was used to stage various types of online harassment, including swatting (making false emergency reports that lead to an armed law enforcement response) and "raiding," which the DoJ describes as "posting or sending an overwhelming amount of contact to a victim's online communication medium."

The site rose to prominence in recent years and was often used by ransomware gangs and data extortionists to leak data as a way to pressure victims into paying, having been used by both the Babuk ransomware gang and the Lapsus$ extortion group in the past.

The marketplace had been operating since 2015 and had long been the quickest route for hackers to sell or share stolen databases with other members of the forum.

Sensitive data traded on the forum included personal and financial information such as bank routing and account numbers, credit cards, login details and social security numbers.

While many cybercrime forums cater to Russian-speaking threat actors, RaidForums stood out as the most popular English-language hacking forum.

After Russia invaded Ukraine and many threat actors began to take sides, RaidForums announced they were banning any member known to have ties to Russia.

This post, "Hacking forum RaidForums seized by police, owner arrested", was originally published at https://www.bleepingcomputer.com/news/security/raidforums-hacking-forum-seized-by-police-owner-arrested/