US seizes RaidForums, the “go-to” site for hackers selling stolen login details
2022 04 12
The US has seized the domain of what it calls “one of the world’s largest hacker forums” and indicted its founder, the Department of Justice announced Tuesday. A notice on RaidForums.com says the domain was seized by the FBI, Secret Service, and Department of Justice. Europol and law enforcement agencies from Sweden, Romania, Portugal, Germany, and the UK were also involved.
RaidForums founder and chief administrator, Diogo Santos Coelho, a 21-year-old from Portugal, was arrested in the UK on January 31 and is in custody pending the outcome of extradition proceedings. The case in US District Court for the Eastern District of Virginia was unsealed Monday. Two accomplices were also arrested, according to Europol.
Founded in 2015, “RaidForums served as a major online marketplace for individuals to buy and sell hacked or stolen databases containing the sensitive personal and financial information of victims in the United States and elsewhere, including stolen bank routing and account numbers, credit card information, login credentials and social security numbers,” the DOJ said. As a Vice article noted, the seizure announcement “caps off weeks of speculation of what may have happened to the site, which mysteriously became unresponsive around the end of February.”
Security reporter Brian Krebs wrote that “the ‘raid’ in RaidForums is a nod to the community’s humble beginnings in 2015, when it was primarily an online venue for organizing and supporting various forms of electronic harassment. But over the years as trading in hacked databases became big business, RaidForums emerged as the go-to place for English-speaking hackers to peddle their wares.” The Krebs article said that “the FBI had been secretly operating the RaidForums website for weeks” before the seizure.
Hundreds of databases with stolen data
The DOJ said it also seized the related Rf.ws and Raid.lol domains. The DOJ announcement said:
Prior to its seizure, RaidForums members used the platform to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally. At the time of its founding in 2015, RaidForums also operated as an online venue for organizing and supporting forms of electronic harassment, including by “raiding”—posting or sending an overwhelming volume of contact to a victim’s online communications medium—or “swatting”—the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.
In 2019, hackers from RaidForums breached the site of rival hacking forum Cracked.to and released data for more than 321,000 of its members, Ars reported at the time. Later that year, after a hack of cryptocurrency wallet service GateHub, a database with personal information for 1.4 million accounts was posted on RaidForums.
Databases offered for sale on RaidForums included “usernames and associated passwords for access to user accounts issued by an electronic commerce company in the United States,” usernames and passwords for “online customer accounts issued by a major broadcasting and cable company in the United States,” and private account information from “a major telecommunications company and wireless network operator that provides services in the United States,” the newly unsealed indictment of Coelho said. The telecom breach appears to be the one last year involving T-Mobile.
Coleho and co-conspirators “are alleged to have designed and administered the platform’s software and computer infrastructure, established and enforced rules for its users, and created and managed sections of the website dedicated to promoting the buying and selling of contraband, including a subforum titled ‘Leaks Market’ that described itself as ‘[a] place to buy/sell/trade databases and leaks,'” the DOJ announcement said. More details are available in an affidavit filed by an assistant US attorney.