
Authorities finally confirm leading hacker platform RaidForums has been seized

A 21-year-old was arrested in the UK in connection with the prolific hacker platform

International law enforcement agencies have officially announced the seizure of RaidForums, one of the most popular hacking forums in existence.

The UK’s National Crime Agency (NCA) worked with the US Department of Justice (DoJ), Europol, and four other countries to bring charges against one individual believed to be one of the site’s administrators.

RaidForums was a website where hackers could discuss cyber crime-related matters and pay for varying levels of access to high-profile data leaks in a membership scheme.

The cyber security community had suspected RaidForums had been seized as far back as February when the site went offline and then returned with its homepage replaced with a login screen that returned an error whenever credentials were inputted - a scheme many believe was a credential harvesting trick from law enforcement. 

The website was launched in 2015. Diogo Santos Coelho, a 21-year-old Portuguese national, was arrested in Croydon, UK on 31 January 2022 in connection with the illicit website.

Coelho’s is one of many arrests that have been made through ‘Operation Tourniquet’. The Eastern District of Virginia has issued him six indictments spanning offences such as conspiracy, access device fraud, and aggravated identity theft in connection with his role as the chief administrator of RaidForums.

At the time of Coelho’s arrest, officers seized £5,000 in cash and “thousands” in US dollars before having his cryptocurrency assets, in the region of half a million dollars, frozen, the NCA said.

Coelho is believed to be among a group of administrators based in the UK that was tasked with managing the site’s membership tiers and assisting in laundering the proceeds generated from payments made to the site.

“To profit from the illicit activity on the platform, RaidForums charged escalating prices for membership tiers that offered greater access and features, including a top-tier ‘God’ membership status,” said the DoJ.

“RaidForums also sold ‘credits’ that provided members access to privileged areas of the website and enabled members to ‘unlock’ and download stolen financial information, means of identification, and data from compromised databases, among other items. Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.”

RaidForums hosted hundreds of databases linked with cyber crime, authorities said, and more than 10 billion unique records on individuals across the globe were reportedly accessible on the site.

LinkedIn’s database scraping incident from last year, in which hundreds of millions of records belonging to users were put up for sale, was linked to RaidForums.

It was also a platform used to organise other types of cyber crime and harassment unrelated to hacking. ‘Raiding’ was a common type of harassment organised on the site, which saw people assembling to direct an overwhelming volume of contact at an individual.

Authorities said ‘swatting’ was also commonly organised on RaidForums - a practice whereby individuals are reported to their local police force for crimes serious enough to trigger an armed police response in which officers force entry into the victim’s home.

One 2017 case in Kansas, US saw police fatally shoot an unarmed victim of swatting. The case ultimately led to the arrest and 20-year imprisonment of the ‘prankster’ responsible, according to the Washington Post.

Timeline of suspicions

Between 31 January and 12 February 2022, RaidForums was down, and the prolonged outage led users to believe it may have been during this time authorities seized control of the site’s servers, risk intelligence company Flashpoint said in a blog post.

The site had been experiencing connectivity issues since the start of 2022 and an increasing volume of anti-Russian posts started to emerge on the site in the first few weeks of the year.

Numerous cases of databases containing details of Russian citizens were dumped on the platform during this time, as well as users encouraging others to attack Russian targets, leading the platform to block access to Russian IP addresses.

RaidForums’ seizure was first reported by site administrator ‘Jaw’ through a Telegram channel. This message came before the alleged clone login portal was added to the site.

Jaw revealed details of a RaidForums backup site, but authorities said they have also seized this as part of their operation.
