Authorities finally confirm leading hacker platform RaidForums has been seized

A man in handcuffs standing in front of computer equipment in a darkened room
(Image credit: Shutterstock)

International law enforcement agencies have officially announced the seizure of RaidForums, one of the most popular hacking forums in existence.

The UK’s National Crime Agency (NCA) worked with the US Department of Justice (DoJ), Europol, and four other countries to bring charges against one individual believed to be one of the site’s administrators.

RaidForums was a website where hackers could discuss cyber crime-related matters and pay for varying levels of access to high-profile data leaks in a membership scheme.

The cyber security community had suspected RaidForums had been seized as far back as February when the site went offline and then returned with its homepage replaced with a login screen that returned an error whenever credentials were inputted - a scheme many believe was a credential harvesting trick from law enforcement.

The website was launched in 2015 and 21-year-old Portuguese Diogo Santos Coelho was arrested in Croydon, UK on 31 January 2022 in connection with the illicit website.

Coelho is one of many arrests that have been made through ‘Operation Tourniquet’ and the Eastern District of Virginia has issued him six indictments spanning offences such as conspiracy, access device fraud, and aggravated identify theft in connection with his role as the chief administrator of RaidForums.

At the time of Coelho’s arrest, officers seized £5,000 in cash and “thousands” in US dollars before having his cryptocurrency assets, in the region of half a million dollars, frozen, the NCA said.

Coelho is believed to be among a group of administrators based in the UK that was tasked with managing the site’s membership tiers and assisting in laundering the proceeds generated from payments made to the site.

“To profit from the illicit activity on the platform, RaidForums charged escalating prices for membership tiers that offered greater access and features, including a top-tier ‘God’ membership status,” said the DoJ.

“RaidForums also sold ‘credits’ that provided members access to privileged areas of the website and enabled members to ‘unlock, and download stolen financial information, means of identification, and data from compromised databases, among other items. Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.”

RaidForums hosted hundreds of databases linked with cyber crime, authorities said, and more than 10 billion unique records on individuals across the globe were reportedly accessible on the site.

LinkedIn’s database scraping incident from last year, in which hundreds of millions of records belonging to users were put up for sale last year, was linked to RaidForums.

It was also a platform used to organise other types of cyber crime and harassment unrelated to hacking. ‘Raiding’ was a common type of harassment organised on the site which saw people assembling to post an overwhelming volume of contact to an individual.

Authorities also said ‘swatting’ was commonly organised on RaidForums too - a practice whereby individuals are reported to their local police force for serious crimes enough crimes to trigger an armed police response in which they forced entry into the victim’s home.

One 2017 case in Kansas, US saw police fatally shoot an unarmed victim of swatting. The case ultimately led to the arrest and 20-year imprisonment of the ‘prankster’ responsible, according to the Washington Post.

Timeline of suspicions

Between 31 January and 12 February 2022, RaidForums was down, and the prolonged outage led users to believe it may have been during this time authorities seized control of the site’s servers, risk intelligence company Flashpoint said in a blog post.

The site had been experiencing connectivity issues since the start of 2022 and an increasing volume of anti-Russian posts started to emerge on the site in the first few weeks of the year.

Numerous cases of databases containing details of Russian citizens were dumped on the platform during this time, as well as users encouraging others to attack Russian targets, leading the platform to block access to Russian IP addresses.

RaidForums’ seizure was first reported by site administrator ‘Jaw’ through a Telegram channel. This message came before the alleged clone login portal was added to the site.

Jaw revealed details of a RaidForums backup site, but authorities said they have also seized this as part of its operation.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.