What is RaidForums?

RaidForums is an ex-leader among Darknet marketplaces and forums that was used to sell different sorts of data. Stolen credentials, PIIs, accesses to the network and data stolen from various sources – hackers flooded it with their stuff. However, it all ended in April 2022, after the successful Operation Tourniquet, initiated by the FBI. The law enforcement managed to seize the servers and detain the forum’s admin – Diogo Santos Coelho.

Nature abhors vacuum, thus the crowd migrated from the wiped platform to other forums. The new favourite – BreachForums – was swirling with criminal activity for almost a year, until the other successful FBI operation. In March 2023, one of the forum admins was detained, and another considered shutting it down due to the danger of the FBI taking over it.

RaidForums Data Leaked

On May 29, on a new favourite among Darknet forums – Exposed, that popped out after the Breached collapse – a database of RaidForum users was published. The one who released it is a forum admin, nicknamed The Impotent. The leaked database contains records (usernames, passwords, emails and even avatars) of over 478,000 users. This leak size is incredible, especially considering that RaidForums had only 550,000 users at the time of its seizure.

Though, as Exposed users who got their hands on the actual database say, it is not complete. Not all of the records have all the data sets mentioned in the leak announcement. Nonetheless, the fact that the data regarding all the users from the ceased forum is now publicly available, is tremendous. The admin refused to share the source of such a leak, but probably this data was already processed by law enforcements who managed to take over the forum. I.e., there is nothing particularly new or deanonymizing, though such a leak available to everyone may be dangerous for ex-users of the RaidForums.

Now what?

As I’ve just mentioned, the RaidForums leak creates privacy and account theft dangers to everyone present in the leaked database. Even though ones who were anywhere near the law enforcement’s interests already got a visit from men in uniform, email+password pair may give out a lot of information. For brute forcers, this data will be a great addition to their databases – and be sure, they will use it. Fortunately, the database was already indexed by services that track exposed data.

If you used RaidForums but don’t see your account in the leak/on the checkup sites, it will still be a good idea to change your password. In the modern threat landscape, this procedure is recommended to perform once a quarter. The more symbols and randomness you use – the less susceptible you are to brute force attempts.

The post RaidForums Leaked, Data of Almost 500,000 Users Published appeared first on Gridinsoft Blog.

On April 12, 2022, the National Crime Agency (shorty NCA) reported on their official website about the successful Operation Tourniquet. Under that process, they captured RaidForums administration and shut down the forums with the site controller seizure. The UK law enforcement, who was the host of this investigation and capturing, reports about arresting the person who is likely the chief of this outlaw organisation.

About RaidForums

RaidForums was considered the biggest online hacker forum that was active in our days. Its main activity was the Surface web rather than the Darknet. It is a very strange train for such a site, especially when we remember that the UK is a member of the 14 Eyes Surveillance. Nonetheless, the forum was present on three domains – raidforums[.]com, Raid[.]lol and rf[.]ws. There were also several Darknet mirrors, but their work was not so stable. Possibly, applying the Darknet as a place of action could prolong the lifespan of this forum, but history does not tolerate subjunctions.

RaidForums appeared in 2015, and gained the image of a place where you can purchase the leaked data of any sort. Through the 7 years of its activity, it powered the numerous cyberattacks and blackmailing cases with that information. It hosted over 530,000 members and asked for €10 for access to the chatrooms with the specific leaked information. Such a model could already gave the creators €5.3 million, but as the NCA report says, an even bigger sum was involved.

It was obvious that one day law enforcements will put an eye on them. However, by a strange coincidence, that happened shortly after the breaking of all possible relations with Russia. Hydra Market shutdown had a more obvious connection to the post-USSR countries, but actually cybercrimes do not have any borders. More likely that some of the persons related to Hydra had some valuable information about other crooks, and were pleased to share it with men in uniform.

RaidForums shutdown

The exact shutdown of RaidForums was not a one-day event. The long-term operation lasted for almost a year, and succeeded in capturing the 21-year Diogo Santos Coelho, the founder of this forum. During the arrest process, policemen also seized about £5000 and several thousands of U.S. dollars in cash. The seized cashless equity (generally in crypto) reached ~$500,000. The stopping of this forum is rather about shutting down the ability to purchase sensitive information about the companies around the world. In particular, the NCA claims about the information about British companies that was placed for sale on this forum. The overall database accounted for over 10 billion records regarding both individuals and companies.

Besides the founder, law enforcements also managed to capture the forum administrators. They are accused of money laundering. The interesting moment is that for that purpose they used an online business that was earlier considered legitimate. This event also had a significant chronology: at the edge of January, the aforementioned founder (known by the nickname Omnipotent) disappeared from the social networks. On February 7, the first problems began happening with RaidForums. Several database outages repeated on February 12, and there were no comments from administrators. Finally, on February 25 the website on all mentioned domains was down. No one knew a thing about the fate of the forum, until the official claims from law enforcement from multiple countries.

What is next?

The latest occasions show that there is an ongoing anti-cybercrime campaign running in the world. Maybe it is related to the US-Russia cybersecurity cooperation shutdown, or the overall warfare background. Possibly, it turns into a good tradition – to begin the year with some loud cybercriminals captured. A year ago, we witnessed the capture of the chain of Emotet distributors. This trojan virus appeared as a precursor in the numerous ransomware attacks. Last year, this event lead to a huge decrease in malware activity throughout the whole spring (the exact arrest happened in February). No one knows if it will have the same impact this year, but now it does not look like that. Hydra and RaidForums shutdowns are not pleasant, but they are not the elements of critical malware spreading infrastructure.

The post RaidForums shutdown as the result of Operation Tourniquet appeared first on Gridinsoft Blog.

The operation was reportedly prepared by the authorities of the United States, Great Britain, Sweden, Germany, Portugal and Romania for more than a year.

The US Department of Justice writes that the site administrator, known by the nickname Omnipotent, was arrested on January 31, 2022 in the UK, and he has already been charged. He was in custody from the time of his arrest until the completion of the extradition proceedings.

Since 21-year-old Portuguese citizen Diogo Santos Coelho was hiding behind the pseudonym Omnipotent, it turns out that he launched RaidForums when he was 14 years old, since the site has been running since 2015.

Law enforcers seized the domains hosting RaidForums: raidforums.com, rf.ws and raid.lol.

According to statistics from the US Department of Justice, in total, more than 10 billion unique records from hundreds of hacked databases were put up for sale on the marketplace, including those affecting people living in the United States. In turn, Europol reports that RaidForums had more than 500,000 users and was “one of the largest hacker forums in the world.” It is worth adding here that we are talking about English-language resources.

It is not yet known how long the investigation took overall, but law enforcement seems to have managed to get a pretty clear picture of the RaidForums hierarchy. The Europol press released notes that the people who supported the work of RaidForums were engaged in administration, money laundering, stolen and uploaded data to the site, and also bought stolen information.

At the same time, Diogo Santos Coelho, mentioned above, allegedly controlled RaidForums from January 1, 2015, that is, from the very beginning, and managed the site with the support of several administrators, organizing a structure to promote the purchase and sale of stolen data. To make a profit, the forum charged users for various membership levels and sold credits that allowed members to gain access to more privileged areas of the site or to stolen data posted on the forum.

Coelho also acted as an intermediary and guarantor between the parties, making transactions, undertaking to see that buyers and sellers would honor the agreements.

Bleeping Computer writes that back in February 2022, criminals and security researchers suspected that RaidForums had been taken over by law enforcement, as the site began displaying a login form on every page. When trying to enter the site, it simply showed the login page again, and many suspected that the site was taken over and this was a phishing attack by law enforcement agencies who are trying to get the attackers’ credentials.

On February 27, 2022, the raidforums.com DNS servers changed completely to jocelyn.ns.cloudflare.com and plato.ns.cloudflare.com, which only convinced the hackers that they were right. The fact is that in the past these DNS servers were used by other sites seized by the authorities, including weleakinfo.com and doublevpn.com.

RaidForums, which appeared back in 2015, has recently become widely known due to ransomware operators who leaked data stolen from victims to the site in order to force them to pay a ransom. For example, this tactic was previously used by Babuk and Lapsus$ operators.

However, earlier, when the resource was not so popular, its community specialized in swatting, as well as raiding, which The US Department of Justice describes it as “publishing or sending a huge number of contacts to the online medium that the victim uses to communicate.”

In recent years, the marketplace has been a favorite place for hackers to sell stolen databases or simply share them for free with other forum members.

Let me remind you that we also talked about the fact that Hydra Market Shut Down by the German Authorities.

The post Law enforcement officers closed the hacker resource RaidForums appeared first on Gridinsoft Blog.

Bleeping Computer says that there has been a serious split in the hacker community.

For example, the administrator of the database and trading platform RaidForums openly stated that he was imposing his own sanctions and blocking access for users from Russia. He made his position clear, saying that he opposes the Kremlin’s actions.

Another RaidForums participant posted an even harsher message as a warning to the “Russians”. He also posted on the forum a database with e-mail addresses and hashed passwords and the fsb.ru domain. Although the authenticity of this information has not yet been verified, the same user previously hosted similar databases for US .mil domains.

Let me remind you that we also said that Anonymous hackers declared war on the Russian government.

At the same time, extortionist groups also took up the opposite sides of the conflict. For example, members of one of the most aggressive hacker groups, Conti, declared “the full support of the Russian government” and threatened to retaliate with cyberattacks against anyone who attacks Russia, promising to use all their resources “to strike back at the enemy’s critical infrastructures.”

A little later, the hackers changed the statement, noting that in doing so they “do not ally with any government, and condemn the ongoing war”.

Another far less well-known hack group, CoomingProject, has also said it will support the Russian government if cyberattacks are directed against the country.

Interesting statistics about the “political position” of various hacker groups are also collected by journalists from The Record. According to them, two more groups have publicly declared their position.

UNC1151, allegedly based in Minsk, supports Russia. This hack group is considered to be Belarusian “government hackers” and is allegedly already working on hacking the emails of Ukrainian military personnel.

The Red Bandits also took the side of Russia. Back on February 22, the group announced on Twitter:

We also said that the FBI and NSA release a statement about attacks by Russian hackers.

The post Hacker groups split up: some of them support Russia, others Ukraine appeared first on Gridinsoft Blog.