Raid Forums Is Down. Who’s Behind Its Apparent Seizure?
On February 25, 2022, Raid Forums—a popular illicit online community notorious for its high-profile large-scale database leaks—was allegedly seized by an unknown identity. As of this publishing, it is not clear why Raid Forums was taken down, or who was responsible. No official government agency in any country has claimed responsibility for seizing the Raid Forums domain, nor has any cyber threat group; Raid had been operating, more or less continuously, since 2015.
Intelligence surrounding the takedown paints a complex picture of the current state of affairs for threat actors and illicit communities, and places Raid Forums in a lineage of communities that have recently ceased operating.
The timeline of the takedown overlaps with key moments of the Russia-Ukraine war, and clues left by the forum’s owner and by posts made shortly before the closure tell a compelling story.
What is the Timeline of the Raid Forums Takedown?
The Raid Forums website began showing database errors on February 7, and users were unable to access the site until February 12. Users speculated over whether authorities had compromised the site and, if so, who had brought it back online.
If authorities had seized the domain but not the underlying servers, they could have stood up a fake login portal to harvest user credentials. Beyond giving them more leverage over the domain, such a portal would be an opportunity for intelligence collection: every username, password, and connecting IP address submitted to it would be logged by whoever controls the domain.
What were the Significant Events During the Initial Outage?
The owner of Raid Forums, who goes by the name Omnipotent, was reportedly on vacation between January 31 and February 7, the day the outage began. After the site returned on February 12, he did not comment on the issue and was not active on the site at any point before the seizure on February 25.
It is not clear whether anyone else had the access needed to fix the site, and no admin or moderator offered an explanation for the downtime.
How did the Russia-Ukraine War Impact Raid Forums?
In the weeks before the seizure, the site saw a rise in anti-Russian sentiment alongside numerous offerings of stolen or leaked data relating to Russia.
- January 19: An established Raid Forums actor, called “Kristina,” posted a thread containing a renewed download link for a data dump, alleged to contain documents, emails, and passwords of the Russian military.
- February 3: An offering to sell a 2TB array of Russian databases reportedly containing Russian personal information including full names, dates of birth, passport numbers, and tax information was posted to Raid Forums.
- February 15: A Raid Forums user posted a Russian database for sale allegedly containing 61 million Russian phone numbers.
- February 24: On the day of the Russian invasion of Ukraine, Raid Forums took an open stance in the conflict when the admin “moot” announced that the site would be banning all users found to be connecting to the site from Russia.
- February 25: Raid threat actor “Kozak888” leaked a database belonging to a Russian express delivery and logistics company, Flashpoint confirmed. Kozak888 claimed that the Russian company provides services for the Russian federal government and stated that the database leak was a consequence of Russia’s invasion of Ukraine. Kozak888 revealed that the database contained 800 million records including full names, email addresses, and phone numbers.
- February 25: A user posted a thread requesting assistance in creating fake identification documents, allegedly in order to help a friend escape Ukraine and find refuge in neighboring Moldova.
- February 25: A user posted a thread encouraging users to begin collecting attackable ranges of Russian IP addresses.
Given the growing animosity towards Russia on the site, plus Raid’s decision to block users coming to the site from Russian IP addresses, Flashpoint will continue to monitor the situation, including the potential role that the forum’s anti-Russian rhetoric and alleged offerings may have had in the forum’s takedown.
Why did a Cloned Login Portal Appear on the Site?
A clone of the login portal was put up before the official announcement of the seizure and has remained active ever since. When users enter their details, they are shown an error message stating that they have been banned.
This behavior suggests that whoever controls the domain is harvesting credentials, and is likely also logging technical information such as IP addresses. An admin known as Jaw revealed that a backup domain would be used, but that domain is currently inactive.
Where did Raid Forums Users Migrate After the Shutdown?
During the site outage between February 7 and February 12, 2022, threat actors used the site’s official Telegram channel to seek alternatives to Raid Forums; the Russian-language hacking forums XSS and Exploit were the recommended alternatives.
On February 27, 2022, a thread was posted on XSS informing users of the alleged seizure of Raid Forums and warning XSS users with Raid Forums accounts to avoid attempting to log into the site due to the likelihood of the site being compromised. In the same thread, one user speculated whether or not XSS would become flooded with Raid Forums users.
Based on the recommendations in the official Raid Forums Telegram channel, Flashpoint assesses that a significant number of former Raid Forums users may migrate to Exploit or XSS. However, due to the anti-Russian sentiment felt by a large portion of Raid Forums users, these users may not be easily enticed to migrate to these Russian-language alternatives.
Although it’s unclear when or if Raid Forums will come back online, the highly active Raid Forums threat actor “pompompurin” claimed on XSS on March 3, 2022, that they were in contact with Raid Forums admins who revealed to them that the site should be coming back online in the near future. Pompompurin reiterated that all that is known at this time is that “someone” seized the domain and it is still unclear who or whether or not they are affiliated with a government entity.
Get Flashpoint on Your Team for Threat Intelligence
Any organization’s security capabilities are only as good as its threat intelligence. Flashpoint’s suite of tools offer you a comprehensive overview of your threat landscape and the ability to proactively address risks and protect your critical data assets. To unlock the power of great threat intelligence, sign up for a demo or get started with a free trial.
Frequently Asked Questions (FAQs)
What was Raid Forums and why was it seized?
Raid Forums was a major illicit online community famous for leaking large-scale databases. It was allegedly seized in early 2022, though no specific government agency immediately claimed responsibility. The seizure occurred amidst a surge of anti-Russian activity on the site following the invasion of Ukraine.
| Characteristic | Description |
| --- | --- |
| Primary Use | Buying, selling, and sharing stolen database leaks. |
| Status | Allegedly seized as of February 25, 2022. |
| Legacy | Operated more or less continuously for seven years (since 2015). |
How did the Russia-Ukraine conflict affect the forum’s operation?
The conflict led to a sharp increase in anti-Russian sentiment on the platform. Admins announced a ban on users connecting from Russian IP addresses, and threat actors leaked or offered for sale data allegedly belonging to Russian military, government-linked, and commercial entities, in at least one case explicitly framed as a consequence of the invasion.
- Data Leaks: Alleged Russian military emails and passwords, as well as a logistics company database, were shared or offered for sale.
- IP Blocking: Users connecting from Russia were formally banned from the community.
- Target Collection: A user encouraged others to begin collecting attackable ranges of Russian IP addresses.
What are the risks of attempting to log into a seized forum?
When a forum like Raid Forums is seized, authorities or malicious actors may set up a “cloned” login portal. This is used for credential harvesting, allowing the entity in control to log usernames, passwords, and the visitor’s technical information, such as their IP address, for further investigation.
| Risk Factor | Impact on the User |
| --- | --- |
| Credential Harvesting | Your username and password are captured by whoever controls the seized domain. |
| Technical Logging | Your IP address and device information are linked to your illicit account. |
| Secondary Attacks | Captured credentials can be reused to compromise your other accounts if you reuse passwords. |
