An international law enforcement operation raided and took down RaidForums, one of the world's largest hacking forums notorious for selling access to hacked personal information belonging to users.
Dubbed Tourniquet, the seizure of the cybercrime website involved authorities from the U.S., U.K., Sweden, Portugal, and Romania, with the criminal investigation resulting in the arrest of the forum's administrator at his home last month in Croydon, England.
The three confiscated domains associated with the illicit marketplace include "raidforums[.]com," "Rf[.]ws," and "Raid[.]lol."
Diogo Santos Coelho (aka "Omnipotent"), the forum's founder and chief administrator, was apprehended in the U.K. on January 31 and is pending extradition to the U.S. Santos Coelho has been charged with conspiracy, access device fraud, and aggravated identity theft.
In addition to detailing Santos Coelho's central role in designing and administering the software and computer infrastructure, the U.S. Justice Department (DoJ) accused the 21-year-old Portuguese national of operating a fee-based middleman service to facilitate the transactions on the platform.
"Notably, to create confidence amongst transacting parties, the Official Middleman service enabled purchasers and sellers to verify the means of payment and contraband files being sold prior to executing the transaction," the DoJ said.
Europol, which called it a "culmination of a year of meticulous planning," said RaidForums had more than 500,000 users since its launch in January 2015, with the storefront offering for sale databases of pilfered data comprising more than 10 billion unique records of individuals in the U.S. and abroad.
These databases, which served as a repository of personal data, contained credit card details, bank account numbers and routing information, social security numbers, and the usernames and associated passwords needed to access online accounts.
"This marketplace had made a name for itself by selling access to high-profile database leaks belonging to a number of U.S. corporations across different industries," the agency said. "These datasets were obtained from data breaches and other exploits carried out in recent years."
Interestingly, the "Raid" in RaidForums is a nod to its early beginnings as a hub for organizing various forms of electronic harassment — like "raiding," which refers to a form of targeted harassment by posting an overwhelming volume of messages to a victim.
The dismantling of RaidForums is said to have occurred on February 25, 2022, when the online marketplace mysteriously went offline, nearly two weeks after it was plagued by database errors and outages between February 7 and 12, implying that law enforcement officials had access to the infrastructure for several weeks.
"Prior to the alleged seizure, Omnipotent purportedly went on a vacation between January 31 and February 7, the day of the recent outage, according to his Telegram bio," cybersecurity company Flashpoint noted at the time.
"After the site was back up on February 12, Omnipotent did not comment on the outage. Furthermore, the site's owner was not apparently active on the site up until the alleged seizure on February 25."
Besides functioning as an online venue for illegal activity, RaidForums relied on different subscription tiers (i.e., free, VIP, MVP, and God) to profit from the sales of confidential and sensitive information. Another monetization technique entailed the use of credits for members to unlock privileged access to the compromised databases.
What's more, RaidForums enabled cybercriminals to earn credits in other ways, such as through posting instructions on how to commit illegitimate acts, the DoJ added.
The demise of RaidForums comes amid a series of ongoing steps taken by law enforcement to crack down on cybercrime over the past year. Last week, German and U.S. authorities shuttered Hydra, the longest-running Russia-based dark web marketplace, which has been connected to $5 billion in transactions since 2015.
"Disruption has always been a key technique in operating against threat actors online, so targeting forums that host huge amounts of stolen data keeps criminals on their toes," Edvardas Šileris, head of Europol's European Cybercrime Centre, said in a statement.