During the international operation TOURNIQUET , which was coordinated by Europol, the well-known hacker resource RaidForums, which was mainly used to trade in stolen databases, was closed. The administrator of RaidForums and two of his accomplices have been arrested, and the site’s infrastructure is now under the control of law enforcement agencies.
The operation was reportedly prepared by the authorities of the United States, Great Britain, Sweden, Germany, Portugal and Romania for more than a year.
The US Department of Justice writes that the site administrator, known by the nickname Omnipotent, was arrested on January 31, 2022 in the UK, and he has already been charged. He was in custody from the time of his arrest until the completion of the extradition proceedings.
Since 21-year-old Portuguese citizen Diogo Santos Coelho was hiding behind the pseudonym Omnipotent, it turns out that he launched RaidForums when he was 14 years old, since the site has been running since 2015.
Law enforcers seized the domains hosting RaidForums: raidforums.com, rf.ws and raid.lol.
According to statistics from the US Department of Justice, in total, more than 10 billion unique records from hundreds of hacked databases were put up for sale on the marketplace, including those affecting people living in the United States. In turn, Europol reports that RaidForums had more than 500,000 users and was “one of the largest hacker forums in the world.” It is worth adding here that we are talking about English-language resources.
“This marketplace has made a name for itself by selling access to high-profile database leaks owned by various US corporations from various industries. They contained information about millions of credit cards, bank account numbers and routing information, as well as usernames and associated passwords needed to access online accounts, ”says Europol.
It is not yet known how long the investigation took overall, but law enforcement seems to have managed to get a pretty clear picture of the RaidForums hierarchy. The Europol press release notes that the people who supported the work of RaidForums were engaged in administration, money laundering, stolen and uploaded data to the site, and also bought stolen information.
At the same time, Diogo Santos Coelho, mentioned above, allegedly controlled RaidForums from January 1, 2015, that is, from the very beginning, and managed the site with the support of several administrators, organizing a structure to promote the purchase and sale of stolen data. To make a profit, the forum charged users for various membership levels and sold credits that allowed members to gain access to more privileged areas of the site or to stolen data posted on the forum.
Coelho also acted as an intermediary and guarantor between the parties making transactions, undertaking to see that buyers and sellers would honor the agreements.
Bleeping Computer writes that back in February 2022, criminals and security researchers suspected that RaidForums had been taken over by law enforcement, as the site began displaying a login form on every page. When trying to enter the site, it simply showed the login page again, and many suspected that the site was taken over and this was a phishing attack by law enforcement agencies who are trying to get the attackers’ credentials.
On February 27, 2022, the DNS servers of raidforums.com completely changed to jocelyn.ns.cloudflare.com and plato.ns.cloudflare.com, which only convinced the hackers that they were right. The fact is that in the past these DNS servers were used by other sites seized by the authorities, including weleakinfo.com and doublevpn.com.
RaidForums, which appeared back in 2015, has recently become widely known due to ransomware operators who leaked data stolen from victims to the site in order to force them to pay a ransom. For example, this tactic was previously used by Babuk and Lapsus$ operators.
However, earlier, when the resource was not so popular, its community specialized in swatting (from English swatting: a special forces squad was called to the victims’ homes, reporting false bomb threats, hostage-taking, and so on), as well as raiding (from English raiding), which The US Department of Justice describes it as “publishing or sending a huge number of contacts to the online medium that the victim uses to communicate.”
In recent years, the marketplace has been a favorite place for hackers to sell stolen databases or simply share them for free with other forum members.
According to the US Department of Justice, RaidForums previously sold “hundreds of databases” containing stolen information. The site sold stolen bank account credentials, credit card information, login credentials, and social security numbers.
The size of the RaidForums market, according to the US Department of Justice, included hundreds of such data, containing more than 10 billion credentials of individuals living in the US and other countries.
The US authorities have filed charges against the forum’s founder and chief administrator, 21-year-old Diego Santos Coelho from Portugal. He was detained on January 31 in the UK at the request of the American side. The US Department of Justice is seeking his extradition, after which he will appear in the US District Court for the Eastern District of Virginia. Coelho faces six counts of conspiracy, device fraud and aggravated identity theft in connection with his alleged role as the chief administrator of RaidForums between January 1, 2015 and January 31, 2022. At the same time, the accused and his possible accomplices, according to the investigation, developed and administered the operation of the software and computer infrastructure of the specified platform,