An international law enforcement operation has seized and shut down RaidForums, one of the world’s largest hacking forums, notorious for selling access to users’ hacked personal information.
The seizure of the cybercrime website, dubbed Tourniquet, involved authorities from the US, UK, Sweden, Portugal and Romania, with criminal investigations leading to the arrest of the forum’s administrator at his home in Croydon, England, last month.
The three confiscated domains linked to the illegal marketplace are “raidforums[.]com,” “Rf[.]ws” and “Raid[.]lol.”
Diogo Santos Coelho (aka “Omnipotent”), said to be the forum’s founder and chief administrator, was arrested in the UK on January 31st and faces extradition to the US. Santos Coelho was charged with conspiracy, access device fraud and aggravated identity theft.
In addition to describing Santos Coelho’s central role in developing and managing the forum’s software and computing infrastructure, the US Department of Justice (DoJ) accused the 21-year-old Portuguese national of operating a fee-based intermediary service to facilitate transactions on the platform.
“In particular, to instill trust between transaction parties, the Official Middleman Service enabled buyers and sellers to verify the tendered tender and smuggling records prior to executing the transaction,” the DoJ said.
Europol, which called it the “culmination of a year of meticulous planning,” said RaidForums had more than 500,000 users since its launch in January 2015, with the site offering for sale databases of stolen data containing more than 10 billion unique records of individuals in the US and abroad.
These databases, which served as a repository for personal information, contained credit card details, bank account numbers and routing information, social security numbers, and the usernames and associated passwords needed to access online accounts.
“This marketplace had made a name for itself by selling access to high-profile database leaks owned by a number of US companies across multiple industries,” the agency said. “These sets of data come from data breaches and other exploits that have taken place over the last few years.”
Interestingly, “raid” in RaidForums is a nod to its early beginnings as a hub for organizing various forms of electronic harassment – such as “raiding,” which refers to a form of targeted harassment carried out by sending an overwhelming number of messages to a victim.
The dismantling of RaidForums is said to have taken place on February 25th, 2022, when the online marketplace mysteriously went offline almost two weeks after being plagued by database errors and failures between February 7th and 12th, implying that law enforcement officers had access to the infrastructure for several weeks.
“Prior to the alleged seizure, Omnipotent allegedly went on vacation between January 31 and February 7, the date of the most recent outage, according to his Telegram bio,” cybersecurity firm Flashpoint noted at the time.
“After the site came back up on February 12th, Omnipotent has not commented on the outage. Also, it appears that the owner of the site was not active on the site until the alleged seizure on February 25.”
Aside from acting as an online venue for illegal activities, RaidForums relied on various subscription tiers (i.e. Free, VIP, MVP, and God) to profit from selling confidential and sensitive information. Another monetization technique involved using member credits to unlock privileged access to the compromised databases.
Additionally, RaidForums enabled cybercriminals to earn credit through other means, such as posting instructions on how to commit illegitimate acts, the DoJ added.
The demise of RaidForums comes amid a series of ongoing steps law enforcement agencies have taken over the past year to tackle cybercrime. Last week, German and US authorities shut down Hydra, the Russia-based, longest-running dark web marketplace, linked to $5 billion in transactions since 2015.
“Disruption has always been a key technique to deal with threat actors online, so attacking forums hosting massive amounts of stolen data keeps criminals on their toes,” said Edvardas Šileris, head of Europol’s European Cybercrime Center, in a statement.