U.S. law enforcement seized RaidForums hacking site and detained its founder and administrator, Diogo Santos Coelho, and two accomplices in operation TOURNIQUET.
The operation also saw “RaidForums.com,” “Rf.ws,” and “Raid.Lol” domains seized and the website’s computer infrastructure accessed.
Europol’s Joint Cybercrime Action coordinated the year-long operation involving multiple law enforcement agencies in the U.S., the UK, Sweden, Portugal, and Romania.
Launched in 2015, RaidForums deals in selling stolen databases, account credentials, credit card details, and Social Security numbers.
RaidForums hacking site operates on the regular Internet instead of the dark web. It started as a forum for organized harassment, including swatting, before becoming an online marketplace for stolen information.
Babuk ransomware and Lapsus$ extortion gangs were among the high-profile threat actors who used the website.
Before its seizure, the English-speaking hacking forum had threatened to remove any member who supported the Russian invasion of Ukraine.
RaidForums hacking site founder faces extradition and federal charges
Authorities detained Coelho, a Portuguese national known by the online moniker “Omnipotent,” in the United Kingdom on January 31.
In March, two of his accomplices were also arrested, including a U.K. citizen detained by the National Crime Agency. Police seized thousands of U.S. dollars and £5,000 in cash and more than half a million dollars in crypto assets.
The main suspect remains in custody, awaiting the conclusion of his extradition proceedings for transfer to the United States.
Being the chief administrator, Coelho was assisted by others who organized and promoted the buying and selling of stolen sensitive personal and financial information on the hacking site.
Authorities say he made thousands of dollars through membership fees and middleman services. Coelho provided trusted middleman services to facilitate illegal transactions by ensuring that buyers and sellers honor their agreements.
Consequently, Coelho bore personal responsibility for various crimes and was charged in the Eastern District of Virginia. He faces six counts of conspiracy, aggravated identity theft, and access device fraud.
“Coelho also personally sold stolen data on the platform and directly facilitated illicit transactions by operating a fee-based ‘Official Middleman’ service,” the indictment states.
According to Europol, other administrators worked as money launderers and participated in stealing, buying, and uploading stolen data.
RaidForums was one of the leading hacking sites on the Internet
The Department of Justice says at least 10 billion unique records stolen from the United States and other countries were offered for sale on the hacking site. With more than 500,000 registered users, the FBI described RaidForums as one of the leading hacking forums on the Internet.
“This marketplace had made a name for itself by selling access to high-profile database leaks belonging to a number of U.S. corporations across different industries,” Europol wrote. “These contained information for millions of credit cards, bank account numbers and routing information, and the usernames and associated passwords needed to access online accounts.”
According to Assistant Attorney General Kenneth A. Polite Jr., the seizure of RaidForums disrupted a significant channel for criminals to trade in stolen details, according to Assistant Attorney General Kenneth A. Polite, Jr.
However, the seizure of RaidForums is unlikely to disrupt cybercrime significantly since threat actors are likely to migrate to other illegal hacking sites. A RaidForums administrator, “Jaw,” advised users to change their passwords, clear their logs, and migrate to a new site rf. to.
“The seizure of RaidForums is a great example of what can happen when law enforcement agencies cooperate in the global fight against cybercrime,” Chris Olson, CEO of The Media Trust, said. “Unfortunately, it’s not likely to have a significant impact on cybercrime, as users of RaidForums – and any ‘surface web’ hacking boards – are not major players, and many will simply migrate elsewhere.”
Flash Point says that a very active threat actor known as “pompompurin” launched a RaidForums copycat hacking site, Breach Forums, last month. The hacking site attracted more than a thousand members within days, with some reusing their old usernames.
Pompompurin was notorious for high-profile leaks and breaches and was responsible for the FBI email system breach that led to thousands of hoax emails.
Rumors of RaidForums’ seizure persisted since February when the hacking site began showing a login form on every page. Some members suggested that the behavior was a phishing attempt by authorities to collect hackers’ details.
Additionally, the RaidForums’ DNS servers changed to Cloudflare’s nameservers, jocelyn.ns.cloudflare.com and plato.ns.cloudflare.com, associated with FBI-seized domains weleakinfo.com and doublevpn.com.
Olson says that fighting cybercrime was challenging given the Internet’s borderlessness.
“By 2025, the yearly cost for consumers and organizations is expected to reach $10.5 trillion. In the meantime, we need to take better control of our digital borders – until we do, cyber actors will continue to target consumers through web and mobile endpoints.”