Close up shot of woman typing on laptop showing hacking forum data leak

Members of Defunct Underground Hacking Forum Exposed by Database Leak

Prior to its seizure in April 2022, RaidForums was one of the biggest hacking forums catering to “black hat” criminals that trade in stolen data. Proving that there really is no honor among thieves, a new competitor is looking to make a name for itself by exposing some 478,000 former RaidForums members. The forum “Exposed” posted the database leak on May 29, which contains hashed passwords and email addresses among other forum profile and registration information in a single SQL file of about 374 MB.

Members of former hacking forum exposed by upstart competitor

RaidForums was taken down by an international cooperative law enforcement action in early 2022, with its infrastructure seized and its administrator (who turned out to be a Portuguese 21 year old who had founded the hacking forum at age 14) arrested. During its seven year run, RaidForums had about half a million members and oversaw the trade of some 10 billion stolen identity documents.

The database leak appears to expose members of the hacking forum that registered somewhere between its inception in 2015 and September 24, 2020. The administrator of Exposed, going by the handle “Impotent,” told the media that the information of some RaidForums members was pruned before the leak and that they do not know how or why the database was dumped. The database leak does appear to have happened well over a year before the law enforcement raid and is likely not connected to the asset seizure.

Current members of the Exposed hacking forum have indicated that the database leak is legitimate by confirming that their own registration information is present. The dump includes RaidForums members’ user names, email addresses, hashed passwords, and registration dates among other information.

Law enforcement has likely been privy to this information for some time now, and any cyber criminal worth their salt would have used a throwaway email address and bogus registration information not connected to their real world identity. The database leak will likely be of greatest interest to security researchers, who might be able to use some of the information to flesh out profiles of threat actors that they track and connections between them.

Database leak contains information on 478,870 RaidForums members

Law enforcement has been more aggressive in pursuing hacking forums in recent years. After the shutdown of RaidForums, most of its members shifted to a new underground forum called “Breached,” but that was also taken down in less than a year. There is now something of a void in the market in which the remaining players seem to be willing to be more audacious in their schemes to attract attention.

As Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, observes: “There’s no telling how this data was gathered, whether it was a new breach or just re-using data from another older breach, but it continues a well-worn pattern of malicious websites leaking customer data. It turns out that most malicious websites are no better secured than the sites they used to collect their ill-gotten gains. And law enforcement has long used data compromised from malicious web sites to track down criminals.”

Hacking forums are the central clearinghouse for information stolen via breaches and database leaks, particularly attacks on major corporations that involve millions of records. Many of them cater to a Russian-speaking audience, but surprisingly some of the most popular turn out to not be based in Russia. The Breached hacking forum administrator turned out to be a 20 year old living with his parents in New York, and making only about $1,000 per day from running one of the world’s largest gathering places of this nature. While that is certainly a comfortable living, it is dwarfed by the value of the information that is traded via these forums and the seriousness of the consequences for victims.

With an obvious lack of regulation to protect buyers and sellers, the participants in these hacking forums rely on building reputations attached to their handles to inspire confidence in potential business partners. It generally takes sellers at least several months to develop some sort of trusted reputation in these subcultures. Forums could previously be expected to remain stable for years, but with increased law enforcement attention, some of this activity has since moved to Telegram and similar encrypted messaging apps as the criminals look for a new way to stay one step ahead of the police.

Underground hacking forums also tend to go down when they cross predictable lines. In the case of Breached, increased attention from the FBI came after an early March 2023 database leak of the D.C. Health Link medical coverage service (used by a number of politicians and their staffers residing in the city) was advertised there. About 60,000 records belonging to members of Congress and their staffs were thought to be included in that breach, making it an obvious immediate priority for federal law enforcement. Breached was taken down within weeks of this incident.

2021 also saw a wave of unknown actors breaching active hacking forums and leaking user information, ironically advertised on RaidForums at the time. This appeared to be a case of a criminal targeting other criminals rather than a law enforcement operation, as the attacker demanded large payments to keep the database leaks from going public.