Hacker forum RaidForums, used primarily for the trade and sale of stolen databases, was shut down by US law enforcement and its domains seized during Operation TOURNIQUET, a Europol-coordinated operation involving law enforcement agencies in several countries.
The administrator of RaidForums and two of his accomplices have been arrested, and the infrastructure of the illegal marketplace is now under the control of law enforcement.
A 14-year-old started RaidForums
RaidForums administrator and founder Diogo Santos Coelho of Portugal, also known as Omnipotent, was arrested in the UK on January 31 and faces criminal charges. He has been in custody since his arrest pending the completion of extradition proceedings.
The US Department of Justice says today that Coelho is 21, meaning he was just 14 when he started RaidForums in 2015.
Three domains hosting RaidForums were seized: raidforums.com, rf.ws and raid.lol.
According to the DoJ, the marketplace offered for sale more than 10 billion unique records from hundreds of stolen databases affecting people in the United States.
In a separate announcement today, Europol said RaidForums had more than 500,000 users and “was considered one of the largest hacking forums in the world.”
The closure of the forum and its infrastructure is the result of a year of planning between law enforcement agencies in the US, UK, Sweden, Portugal and Romania.
It is unclear how long the investigation took, but cooperation between the agencies allowed authorities to draw a clear picture of the roles played by various individuals within RaidForums.
Europol shared few details in its press release, but notes that the individuals involved acted as administrators and money launderers, stole and uploaded data, or bought the stolen information.
Coelho has controlled RaidForums since around January 1, 2015, according to the indictment; he managed the site with the help of several administrators and organized it to encourage the buying and selling of stolen data.
To generate profit, the forum charged for different membership tiers and sold credits that gave members access to privileged areas of the site or to stolen data posted on the forum.
Coelho also acted as a trusted intermediary (escrow) between parties completing a transaction, giving buyer and seller confidence that the other side would honor the agreement.
Members grew suspicious in February
Threat actors and security researchers first suspected that RaidForums had been seized by law enforcement in February, when the site began displaying a login form on every page.
However, submitting credentials led nowhere: the site simply presented the login page again.
This led researchers and forum members to believe that the site had been seized and that the login prompt was a phishing attempt by law enforcement to harvest members' credentials.
The site's DNS servers had also previously been used with other websites seized by law enforcement, including weleakinfo.com and doublevpn.com, which researchers felt provided further evidence of a domain seizure.
Before becoming the favorite place for hackers to sell stolen data, RaidForums had humbler beginnings: it was used to organize various types of online harassment, including swatting (making false reports that trigger an armed police response against a victim) and "raiding", which the DoJ describes as posting or sending an overwhelming volume of messages to a victim's online communications channels.
The website rose to prominence in recent years and has been widely used by ransomware and data extortion gangs to leak data in order to pressure victims into paying; both the Babuk ransomware gang and the Lapsus$ extortion group have used it in the past.
The marketplace has been around since 2015 and has long been the go-to place for hackers to sell or share stolen databases with forum members.
Sensitive data exchanged on the forum included personal and financial information such as sort codes and account numbers, credit cards, login information