Law enforcement takedowns continue with RaidForums seizure

RaidForums, a widely used marketplace known for selling high-profile stolen databases, was taken offline in a coordinated law enforcement effort led by the Department of Justice.

In a press release Tuesday, the DOJ referred to RaidForums as "one of the world's largest hacker forums." The dark web marketplace was used in a variety of ways since its formation in 2015. Not only could cybercriminals purchase stolen data belonging to more than 10 billion U.S. and international residents, but it was also used for cyberharassment.

The takedown involved Europol along with law enforcement agencies from the United Kingdom, Sweden, Portugal and Romania.

In addition to the seizure of three domains that hosted the RaidForums website, the DOJ also arrested the alleged founder and chief administrator, 21-year-old Diogo Santos Coelho of Portugal. He was arrested in the United Kingdom on Jan. 31 and remains in custody pending extradition proceedings, according to the DOJ.

Coelho was indicted on several charges including access device fraud, conspiracy to commit access device fraud, and aggravated identity theft.

In a separate announcement on RaidForums Tuesday, Europol revealed that two unnamed accomplices were arrested in addition to Coelho.  

Europol referred to the takedown as "Operation Tourniquet" and said it "was the culmination of a year of meticulous planning."

The release noted the broad scope of the marketplace, which amassed over half a million users.

"This marketplace had made a name for itself by selling access to high-profile database leaks belonging to a number of U.S. corporations across different industries," Europol said in the release.

The leaks contained sensitive information such as stolen bank routing and account numbers, credit card information and Social Security numbers. They also included login credentials complete with passwords and usernames.

It appears Coelho may have been running the illegal platform since his teenage years.

The DOJ said Coelho "allegedly controlled and served as chief administrator" from January of 2015 through 2022 with the help of administrators. Coelho and "his co-conspirators" are being accused of a high level of involvement that includes developing the platform's software and computer infrastructure, making and enforcing rules for its users and managing sections of the website.

However, Coelho's charges extend beyond operating the platform. He is also being accused of personally selling stolen data through the forum, and "directly" facilitating "illicit transactions by operating a fee-based 'Official Middleman' service."

"Notably, to create confidence amongst transacting parties, the Official Middleman service enabled purchasers and sellers to verify the means of payment and contraband files being sold prior to executing the transaction," the DOJ said in the release.

Flashpoint published a blog last month that RaidForums servers were initially taken offline in February, though government or law enforcement attribution was not made until the DOJ and Europol announcements Tuesday. The threat intelligence vendor connected it to Russia's invasion of Ukraine.

"In the weeks leading up to its apparent seizure, Raid Forums saw an increasing amount of anti-Russian sentiment and anti-Russian offerings in the form of potentially exploitive data, in the lead up to -- and following -- Russia's invasion of Ukraine on February 24," the blog said.

UPDATE 4/13: Austin Warnick, team lead at Flashpoint, told SearchSecurity he was fairly surprised that RaidForums saw an increase in anti-Russian sentiment recently. "RaidForums stood out in that it was a mid-tier forum, so it attracted more of an English-speaking audience or people who were comfortable with typing or reading in English," he said. "Because of that, it attracted more Western-based threat actors than Eastern-based."

While the dark web site had seen a spike in leaked data from Russian organizations lately, Warnick said the DOJ and other law enforcement agencies still made RaidForums a priority. "I think the big thing is there was just so much PII related to Westerners on that site. I won't say a majority, but a large portion was U.S. datasets so I think law enforcement felt obligated to do something," he said.

While RaidForums is now offline, another platform has already taken its place. Warnick said that a high-level threat actor from RaidForums, who goes by the alias Pompompurin, started a new platform on March 16 called "Breach Forum." Pompompurin issued a statement Tuesday following the DOJ's RaidForums announcement touting the new dark web marketplace and encouraging users to access the site with VPNs.

The RaidForums seizure is the latest takedown of dark web marketplaces in the last year amid an increase in law enforcement action against cybercriminal operations. Earlier this month, Germany's Federal Criminal Police Office shut down another dark web forum, Hydra Market, and seized the private keys for wallets holding around $25 million worth of bitcoin.

In October, various law enforcement agencies across the globe took down DarkMarket, which Europol called the world's biggest marketplace on the dark web for illicit goods. And in June 2021, the DOJ announced the disruption of Slilpp, a notorious dark web site that trafficked in stolen credentials.