Law Enforcement Seizes RaidForums, One of the Most Important Hacking Sites

A coalition of international law enforcement agencies led by the U.S. Department of Justice have seized RaidForums, a nexus for a wealth of stolen data and hacks, and arrested the site’s administrator, the DOJ announced on Tuesday.

The news caps off weeks of speculation of what may have happened to the site, which mysteriously became unresponsive around the end of February. 

“The domain for RaidForums has been seized by the Federal Bureau of Investigation, the United States Secret Service, and the Department of Justice,” a banner plastered across the site on Tuesday reads. The banner also includes a list of other U.S. and international agencies that worked on the operation, including Europol, the UK’s National Crime Agency, Swedish and Romanian police, and the IRS.

In a DOJ announcement published around the same time as the seizure notice went up, Assistant Attorney General Kenneth A. Polite Jr., said “The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information.”

RaidForums existed for years as a bottom-of–the-barrel hacking forum, where users would often trade or freely distribute data that was sourced from long ago and publicly reported hacks. Generally, the members were apparently lower skilled hackers, taking lists of usernames and passwords dumped on the site and using those for their own gains. The site included data from all around the world and for all different sorts of targets, including telecos, tech companies, and websites. On the site, users could purchase tokens with cryptocurrency that they then used to unlock access to databases uploaded by the site’s members, and purchase different levels of membership to the site such as “MVP” and “God” ranks. These then provided more consistent access to databases and other site features.

As similar sites sometimes do, RaidForums steadily morphed into something else beyond its low-level roots though, and became a repository for new, previously undisclosed hacks. One user dumped data belonging to oil giant Saudi Aramco on the site. Associates of the LAPSUS$ hacking group, which went on to breach EA, Nvidia, Samsung, and Okta also used the site. Many journalists and cybersecurity researchers also had accounts on the site to study the hacks, tools, and information posted there.

The DOJ announcement said that “RaidForums members used the platform to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally.” The announcement added that the site acted as a venue for “swatting,” where people would make false reports to the police and trick them into arriving at a scene expecting a potential shoot-out, putting peoples’ lives at risk.

In its own announcement, Europol said that the site had over half a million users.

A court in the Eastern District of Virginia also charged Diogo Santos Coelho, 21, from Portugal with allegedly being RaidForums’ administrator. He is charged with conspiracy, access device fraud, and aggravated identity theft. Coelho allegedly went by the handle Omnipotent on RaidForums, who was a constant fixture on the site, and personally offered data for sale. In its investigation, an undercover agent used the RaidForums credit system to purchase data stolen from an unnamed U.S. based company, the indictment against Coelho reads. Coelho also provided an undercover law enforcement officer with information on stolen data, and arranged a transaction with the undercover where he would act as a middleman for a transaction, the indictment alleges. The FBI also used a confidential human source (CHS) to investigate Coelho, the document adds.

The NCA said in its announcement it arrested the suspected administrator in Croydon, England.

RaidForums had been down for weeks, first going offline at the end of February, with rumors already spreading that the site had been taken over by law enforcement.

“The raidforums.com domain has been seized,” an administrator of the RaidForums Telegram channel who went by the handle Jaw said in a Telegram post on February 25. “I encourage anybody that attempted logging in to change your passwords and clear any logs you have.”

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.