Multiple arrests in RaidForums takedown
The underground RaidForums marketplace was shut down and its infrastructure confiscated in a multinational police operation involving forces from Germany, Portugal, Romania, Sweden, the UK and the US. Several people, including a site administrator named Diogo Santos Coelho and an unnamed Croydon man, were taken into custody.
According to the US Department of Justice, Coelho, a 21-year-old Portuguese man, was arrested in the UK on January 31 at the request of the US and is now in custody awaiting extradition to the US. A six-count indictment unsealed in a Virginia court today charges him with conspiracy, access device fraud and aggravated identity theft.
Coelho allegedly served as the controller and chief admin of RaidForums, playing a role in the design and operation of the platform’s software and computing infrastructure, setting and enforcing rules for forum users, and managing sections of the site that sold contraband, including leaked data. He is also said to have personally sold stolen data on RaidForums and acted as a middleman in various transactions for a fee.
“The seizure of the RaidForums website — which enabled the sale of stolen data from millions of people around the world — and the indictments against the marketplace administrator are a testament to the strength of the FBI’s international partnerships,” said Steven D’Antuono, assistant director of the FBI’s Washington field office.
“Cybercrime transcends borders, so the FBI is committed to working with our partners to bring cybercriminals to justice – no matter where in the world they live or what device they try to hide behind.”
The prominent RaidForums service, which dates back to 2015, specialized in selling stolen or leaked personal data to cybercriminals for use in fraud and other forms of digitally enabled crime. It operated a membership program in which users paid varying amounts to access chat rooms where they could exchange links and other cybercrime-related material. This system worked on a sliding scale based on price, and included a “god” membership status and an earned-credits system.
The service disruption apparently began towards the end of February 2022, leading to speculation that a law enforcement operation was at play.
“RaidForums had grown into one of the largest hacking forums online, where hacking tips and stolen data were shared frequently,” said a spokesman for the National Crime Agency (NCA). “Data from some of the most notorious hacking incidents in recent years could be found on the site, and often the victims – real people – were vulnerable to further crimes such as fraud.
“The NCA works with international partners to identify, disrupt and apprehend those who profit from cybercrime and is committed to combating this threat as it evolves.”
Edvardas Šileris, Head of Europol’s European Cybercrime Centre, added: “Disruptions have always been a key technique to deal with threat actors online, so targeting forums containing vast amounts of stolen data keeps criminals on their toes. Europol will continue to work with its international partners to make committing cybercrime more difficult – and riskier.”
The second arrest, in Croydon, which Computer Weekly says actually happened in March, allegedly involves another RaidForums site controller or administrator. The NCA also seized £5,000 in cash and an undisclosed amount in US dollars, and froze more than $500,000 worth of cryptocurrency assets. The unnamed person has since been released under investigation.
The NCA suspects this administrator helped Coelho manage RaidForums’ membership and launder payments through what appears to be a legitimate side business.