The U.S. Department of Justice on Tuesday announced it seized the website and user database for RaidForums, a popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015.
The DOJ also charged the alleged administrator of RaidForums — 21-year-old Diogo Santos Coelho, of Portugal — with six criminal counts, including conspiracy, access device fraud, and aggravated identity theft.
Coelho was arrested in the United Kingdom on Jan. 31, at the request of U.S. officials. He remains in custody pending the resolution of his extradition proceedings.
Court records unsealed Tuesday indicate that the United States recently obtained judicial authorization to seize three domains that long hosted the RaidForums website. These domains were “raidforums.com,” “Rf.ws,” and “Raid.lol.”
Officials unsealed a six-count indictment against Coelho in the Eastern District of Virginia in connection with his role as the chief administrator of RaidForums. According to the indictment, between Jan. 1, 2015, and on or about Jan. 31, 2022, Coelho allegedly controlled and served as the chief administrator of RaidForums, which he operated with the help of other website administrators.
Illegal Online Marketplace
Coelho and his co-conspirators are alleged to have designed and administered the platform’s software and computer infrastructure, established and enforced rules for its users, and created and managed sections of the website dedicated to promoting the buying and selling of contraband. They included a subforum titled “Leaks Market” that described itself as “[a] place to buy/sell/trade databases and leaks.”
According to the affidavit filed in support of these seizures, from in or around 2016 through February 2022, RaidForums served as a major online marketplace for individuals to buy and sell hacked or stolen databases containing sensitive personal and financial information of victims in the U.S. and elsewhere. The data included stolen bank routing and account numbers, credit card information, login credentials, and social security numbers.
“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division.
“This is another example of how working with our international law enforcement partners has resulted in the shutdown of a criminal marketplace and the arrest of its administrator,” he added.
Massive International Take Down
Prior to its seizure, RaidForums members used the platform to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally.
At the time of its founding in 2015, RaidForums also operated as an online venue for organizing and supporting forms of electronic harassment, including by “raiding” — posting or sending an overwhelming volume of contact to a victim’s online communications medium — or “swatting” — the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.
The seizure of these domains by the government will prevent RaidForums members from using the platform to traffic in data stolen from corporations, universities, and governmental entities in the United States and elsewhere, including databases containing the sensitive, private data of millions of individuals around the world, according to the DOJ.
“Our interagency efforts to dismantle this sophisticated online platform — which facilitated a wide range of criminal activity — should come as a relief to the millions victimized by it, and as a warning to those cybercriminals who participated in these types of nefarious activities,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia.
“Online anonymity was not able to protect the defendant in this case from prosecution, and it will not protect other online criminals either,” she asserted.
The law enforcement actions against RaidForums and Coelho resulted from an ongoing criminal investigation by the FBI’s Washington Field Office and the U.S. Secret Service.
Seizure of the RaidForums website and the charges against the marketplace’s administrator show the strength of the FBI’s international partnerships, noted Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office.
U.S. officials credited support from Joint Cybercrime Action Taskforce (Europol), National Crime Agency (U.K.), Swedish Police Authority (Sweden), Romanian National Police (Romania), Judicial Police (Portugal), Internal Revenue Service Criminal Investigation, Federal Criminal Police Office (Germany) and other law enforcement partners.
“Cybercrime transcends borders, which is why the FBI is committed to working with our partners to bring cybercriminals to justice — no matter where in the world they live or behind what device they try to hide,” said D’Antuono.
Operational Expertise Disclosed
To profit from the illicit activity on the platform, RaidForums charged escalating prices for membership tiers that offered greater access and features. The pricing structure included a top-tier “God” membership status.
RaidForums also sold “credits” that provided members access to privileged areas of the website and enabled members to “unlock” and download stolen financial information, means of identification, and data from compromised databases, among other items. Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.
According to the indictment, Coelho also personally sold stolen data on the platform and directly facilitated illicit transactions by operating a fee-based “Official Middleman” service. For that service, Coelho allegedly acted as a trusted intermediary between RaidForums members seeking to buy and sell contraband on the platform, including hacked data.
Notably, to create confidence among transacting parties, the Official Middleman service enabled purchasers and sellers to verify the means of payment and contraband files being sold prior to executing the transaction.
Long-Term Impact Questioned
The massive takedown of RaidForums might have little real impact against the large volume of hackers operating worldwide, according to Casey Ellis, founder and CTO at crowdsourced cybersecurity firm Bugcrowd.
“I question the long-term impact of this action on the cybercriminal industry. Cybercrime and its supporting criminal services are, by and large, incredibly successful, and profitable for those who operate them. Business models like this tend to find a way to continue to exist,” he told TechNewsWorld.
It definitely provides a deterrent aspect to people considering launching similar forums and marketplaces, he added. However, he suspects they will simply evolve the techniques used to maintain operational security and avoid detection.
“The other counter-intuitive consequence of this action is that it essentially burns a valuable tool used by those in CTI, who infiltrate forums like this one, build fake personas, and use them to gather tactical breach and risk intelligence,” he said.
Still, the arrest and seizure are important in as much as they disrupt a marketplace and create additional difficulty and cost for cybercriminals who are looking to monetize their services and stolen data.
“It is also a clear signal to other forum operators that they are in the DOJ’s crosshairs,” he said.
Disruption May Be Key Deterrent
The takedown of RaidForums will cause a natural power vacuum within the cybercriminal community. Many of Raid’s members are likely to flock to alternative platforms, suggested Chris Morgan, senior cyber threat intelligence analyst at risk protection firm Digital Shadows.
“The takedown of RaidForums is unlikely to result in a major disruption to overall cybercriminal activity. Cybercriminals are well versed to platforms being taken down by LEAs and so they remain agile and fluid as to where their next forum of choice is likely to pop-up,” he told TechNewsWorld.
The seizure of an individual forum will not have much long-term impact, agreed John Bambenek, principal threat hunter at digital IT and security operations firm Netenrich.
“However, if the justice department can keep up the pace of operations against many of these forums, it will provide a very strong disruption to the overall cybercrime ecosystem,” he predicted. “Just like a crime wave is not solved with individual prosecutions, cybercrime is no different.”