Updated April 12: Today, the US Department of Justice (DOJ) issued a press release confirming their seizure of the popular English-language hacking forum, Raid Forums.
“Our interagency efforts to dismantle this sophisticated online platform—which facilitated a wide range of criminal activity—should come as a relief to the millions victimized by it, and as a warning to those cybercriminals who participated in these types of nefarious activities,” said Jessica D. Aber, U.S. Attorney for the Eastern District of Virginia. “Online anonymity was not able to protect the defendant in this case from prosecution, and it will not protect other online criminals either.”
“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This is another example of how working with our international law enforcement partners has resulted in the shutdown of a criminal marketplace and the arrest of its administrator.”
Prior to this press release, an admin of the site had reported that Raid Forums was seized by unnamed authorities on February 25, 2022. Although threat actors widely speculated that Raid Forums had been seized by the US government, there was no confirmation from the US government until April 12.
The press release included some interesting details about the administration of RaidForums. The following are some notable takeaways:
- The role of middle man services: The administrator, Diogo Santos Coelho (aka “Omnipotent”) offered a middle man service to help sell confidential and sensitive information, and transfer cryptocurrencies.
- The value of stolen credit cards: Coelho possessed unauthorized access devices used to steal payment card information from e-commerce companies. On December 16, 2018, Coelho sold information from 2.3 million credit cards that had been stolen from US hotels. Besides dedicated compromised-card shops, payment card details are often sold in bulk on forums, and that data may then be resold through card shops.
- Out-of-band communications: Coelho often moved his communications to alternative messaging platforms, such as Discord, to discuss payment details. Forums often serve as the centralized venue where threat actors congregate, while further details are shared over alternative and encrypted messaging applications.
* * *
On February 25, 2022, Raid Forums—a popular illicit online community notorious for its high-profile large-scale database leaks—was allegedly seized by an unknown identity. As of this publishing, it is not clear why Raid Forums was taken down, or who was responsible. No official government agency in any country has claimed responsibility for seizing the Raid Forums domain, nor has any cyber threat group; Raid had been operating, more or less continuously, since 2015.
Furthermore, the timeline of Raid’s takedown coincides with numerous aspects of the Ukraine-Russia war, which may provide clues into its takedown, although Flashpoint cannot confirm this connection at this time. There are also a number of clues about Raid’s owner, who goes by the monikers “Omnipotent,” “Omni,” and “terminal,” as well as in posts on the forum itself prior to its closing and on other illicit communities thereafter, that together tell a compelling story.
Raiding Raid: A Timeline
On February 7, the Raid Forums website began throwing database errors and users were unable to access the site until February 12. Immediately after the outage began, Raid users began speculating about whether or not Raid Forums had initially been compromised by authorities, as well as who was ultimately responsible for bringing Raid back online.
If government authorities seized the domain and were not able to also seize servers hosting the actual forum, it is plausible the login portal clone was put up in an effort to harvest user credentials in order to maximize their leverage over the domain and use it as an intelligence collection opportunity.
Prior to the alleged seizure, Omnipotent purportedly went on vacation between January 31 and February 7, the day of the recent outage, according to his Telegram bio. After the site was back up on February 12, Omnipotent did not comment on the outage. Furthermore, the site’s owner was apparently not active on the site up until the alleged seizure on February 25. It is not immediately clear whether any admin other than Omnipotent would have had the access necessary to fix the site. Neither a Raid Forums admin nor a moderator provided an explanation for the outage.
Notable developments before and after Russia’s invasion of Ukraine
In the weeks leading up to its apparent seizure, and continuing after Russia’s invasion of Ukraine on February 24, Raid Forums saw an increasing amount of anti-Russian sentiment, along with anti-Russian offerings in the form of potentially exploitable data.
- January 19: An established Raid Forums actor, called “Kristina,” posted a thread containing a renewed download link for a data dump, alleged to contain documents, emails, and passwords of the Russian military.
- February 3: An offering to sell a 2TB array of Russian databases reportedly containing Russian personal information including full names, dates of birth, passport numbers, and tax information was posted to Raid Forums.
- February 15: A Raid Forums user posted a Russian database for sale allegedly containing 61 million Russian phone numbers.
- February 24: On the day of the Russian invasion of Ukraine, Raid Forums took an open stance in the conflict when the admin “moot” announced that the site would be banning all users found to be connecting to the site from Russia.
- February 25: Raid threat actor “Kozak888” leaked a database belonging to a Russian express delivery and logistics company, Flashpoint confirmed. Kozak888 claimed that the Russian company provides services for the Russian federal government and stated that the database leak was a consequence of Russia’s invasion of Ukraine. Kozak888 revealed that the database contained 800 million records including full names, email addresses, and phone numbers.
- February 25: A user posted a thread requesting assistance in creating fake identification documents, allegedly in order to help a friend escape Ukraine and find refuge in neighboring Moldova.
- February 25: A user posted a thread encouraging users to begin collecting attackable ranges of Russian IP addresses.
Given the growing animosity towards Russia on the site, plus Raid’s decision to block users coming to the site from Russian IP addresses, Flashpoint will continue to monitor the situation, including the potential role that the forum’s anti-Russian rhetoric and alleged offerings may have had in the forum’s takedown.
Cloning to harvest
Prior to the official announcement from the Raid Forums admin “Jaw” that the site had been seized on February 25, 2022, a clone of the Raid Forums login portal was put up in place of the homepage. It has remained up ever since. As of March 4 the cloned login portal was still active on raidforums[.]com.
However, when users enter their credentials into the portal, an error message informs every user that they have been banned from the site. This indicates that whichever entity seized the site is potentially harvesting credentials and logging visitor technical information such as IP addresses.
In the Telegram post by Raid Forums admin “Jaw”, it was also revealed that the backup domain for Raid Forums would be rf[.]to. However, as of this publishing, this domain is inactive and it is unclear when, or if, the backup domain will be live.
When threat actors actively sought alternatives to Raid Forums on the site’s official Telegram channel during the outage between February 7 and February 12, 2022, the Russian-language hacking forums XSS and Exploit were recommended as alternatives.
On February 27, 2022, a thread was posted on XSS informing users of the alleged seizure of Raid Forums and warning XSS users with Raid Forums accounts to avoid attempting to log into the site due to the likelihood of the site being compromised. In the same thread, one user speculated whether or not XSS would become flooded with Raid Forums users.
Based on the recommendations in the official Raid Forums Telegram channel, Flashpoint assesses that a significant number of former Raid Forums users may migrate to Exploit or XSS. However, due to the anti-Russian sentiment felt by a large portion of Raid Forums users, these users may not be easily enticed to migrate to these Russian-language alternatives.
Although it is unclear when or if Raid Forums will come back online, the highly active Raid Forums threat actor “pompompurin” claimed on XSS on March 3, 2022, that they were in contact with Raid Forums admins, who told them that the site should be coming back online in the near future. Pompompurin reiterated that all that is known at this time is that “someone” seized the domain; it is still unclear who did so, or whether they are affiliated with a government entity.