The DoJ is charging its founder, 21-year-old Portuguese citizen Diogo Santos Coelho, on six criminal counts, including conspiracy, access device fraud and aggravated identity theft.
U.S. law enforcement has shut down one of the largest cybercriminal online forums in the world and revealed the charges its Portuguese founder will face in federal court. However, the takedown is likely to only be a temporary blow to hackers, who will find other ways of buying and selling data stolen in cyber-attacks, security professionals noted.
The Department of Justice (DoJ) unveiled Tuesday that it has seized three domains to affectively shut down the RaidForums website, a major English-language online marketplace for cybercriminals to buy and sell databases stolen from organizations in ransomware and other cyber-attacks. The domains seized by the feds after obtaining judicial authorization were “raidforums.com,” “Rf.ws,” and “Raid.lol,” according to a press release published Tuesday.
The DoJ also unsealed charges being brought against RaidForums’ founder and chief administrator, 21-year-old Portuguese citizen Diogo Santos Coelho, who was arrested in the United Kingdom on Jan. 31. He is being charged on six counts, including conspiracy, access device fraud and aggravated identify theft.
The seizure of RaidForum’s domains means that members can no longer use the site to traffic stolen data, according to the feds. Indeed, the site is well known among cybercriminal circles as an online hub for buying and selling data stolen in cyberattacks.
Since its inception in 2015 RaidForums has sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches. For example, data scraped from profiles of some 700 million LinkedIn users was posted for sale on the forum last June.
“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” said Assistant Attorney General Kenneth Polite of the DoJ’s Criminal Division, in a press statement.
Polite cited international collaboration with authorities in Portugal, the European Union and the United Kingdom as crucial to the collective law-enforcement effort that led to the seizure and arrest of Coelho.
In addition to being a blow, at least temporarily, to hackers, the takedown also is a warning to other hacker marketplaces that they could be next as the feds continue to crack down on cybercriminal activity, observed a security professional.
“It’s important in as much as it’s disrupting a marketplace and creating additional difficulty and cost for cybercriminals who are looking to monetize their services and stolen data,” Casey Ellis, founder and CTO at crowdsourced cybersecurity firm Bugcrowd, said in an email to Threatpost. “It’s also a clear signal to other forum operators that they are in the DOJ’s crosshairs.”
However, he said that the shutdown is unlikely to have a long-term impact on cybercriminal activity, as threat actors likely will just shift tactics and find other ways to profit from their nefarious activity.
“Cybercrime, and its supporting criminal services are, by and large, incredibly successful and profitable for those who operate them, and business models like this tend to find a way to continue to exist,” Ellis noted.
Indeed, the shutdown of RaidForums merely presents an opportunity for other hacker forums to fill the “natural power vacuum” it creates within the cybercriminal community, sending its members flocking to alternative dark web sites, noted another security professional.
“The takedown of Raidforums is unlikely to result in a major disruption to overall cybercriminal activity; cybercriminals are well versed to platforms being taken down by [law enforcement] and so they remain agile and fluid as to where their next forum of choice is likely to pop-up,” wrote Chris Morgan, senior cyber threat intelligence analyst at digital risk protection solution provider Digital Shadows, in an email to Threatpost.
Hacker Hub Since 2015
RaidForums went online in 2015, initially operating as an online venue for organizing and supporting forms of electronic harassment, according to the DoJ statement. This included “raiding,” or posting or sending an overwhelming volume of contact to a victim’s online communications medium, as well as “swatting,” the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.
Between 2016 and 2022, RaidForums primarily served as a major online marketplace for individuals to buy and sell hacked or stolen databases that contain sensitive personal and financial information of victims of cyber-attacks in the United States and abroad.
Stolen records that could be bought and sold on the forum included: stolen bank routing and account numbers, credit card information, login credentials and social security numbers, according to the feds.
RaidForums acted on a membership business model, charging escalating prices for membership tiers that offered greater access and features, including a top-tier “God” membership status, according to the DoJ.
The forum also sold “credits” that provided members access to privileged areas of the website to download stolen financial information, online credentials and personal identification data from compromised databases, among other items.
Members could also could earn credits through other means, such as by posting instructions on how to commit fraudulent acts online, according to the DoJ.
Founder Facing Charges
Coelho is facing a six-count indictment in the Eastern District of Virginia for his role as the chief administrator of RaidForums, which he operated with the help of other website administrators, according to the DoJ.
In his role, Coelho and his co-conspirators allegedly designed and administered the platform’s software and computer infrastructure, established and enforced rules for its users, and created and managed sections of the website dedicated to promoting the buying and selling of illegally stolen data. For example, the site included a subforum titled “Leaks Market,” a self-described “place to buy/sell/trade databases and leaks.”
Coelho also personally sold stolen data on the platform, and directly facilitated illicit transactions by operating a fee-based “Official Middleman” service, according to the DoJ. In this service, Coelho allegedly acted as a trusted intermediary between RaidForums members seeking to buy and sell hacked data on RaidForums, officials said.
Law-enforcement agencies that collaborated in the effort include: FBI’s Washington Field Office, U.S. Secret Service, Joint Cybercrime Action Taskforce (Europol), National Crime Agency (U.K.), Swedish Police Authority (Sweden), Romanian National Police (Romania), Judicial Police (Portugal), Internal Revenue Service Criminal Investigation, Federal Criminal Police Office (Germany) and others.
Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.