Dark web marketplace RaidForums seized; its admins get arrested

April 19, 2022

The notorious dark web hacker forum and underground marketplace RaidForums was recently shut down by US authorities during Operation TOURNIQUET, alongside Europol and other law enforcement agencies worldwide.

Three of the dark web forum’s administrators were arrested, and the authorities seized its main website, which now shows visitors a ‘domain seizure’ message from the law enforcement teams.

Diogo Santos Coelho, a Portuguese national also known as Omnipotent, founded the hacking forum and was detained in the UK on January 31 for operating an illegal online marketplace. According to the US police, the defendant is a 21-year-old cybercriminal who they presume was only 14 years old when he began RaidForums in 2015.

Three domains that hosted RaidForums were seized during the operation: raidforums[.]com, Rf[.]ws, and Raid[.]Lol.

According to records, the underground marketplace sold over 10 billion stolen records from various pilfered databases affecting US-based citizens. The platform also had more than 500,000 active and inactive users, making it one of the biggest hacking forums in the world.

Europol added that RaidForums rose to prominence in the cybercrime scene by selling high-profile database leaks from many US-based companies across different sectors, containing millions of sensitive financial details, usernames, email accounts, passwords, and more.

After a year of planning among authorities from the US, the UK, Portugal, Sweden, and Romania, the operation shut down RaidForums and its infrastructure. The planning enabled the police forces to probe the forum’s activities thoroughly and arrest its administrators.

The underground forum earned income by charging its users for various membership tiers and by selling credits that allowed members to access restricted areas within the platform. The founder, Coelho, also acted as the middleman between groups that traded and made transactions.

The users of the dark web forum, alongside many security analysts, had noticed that RaidForums was under police investigation when its website began displaying a login form to visitors. Members suspected that the authorities were trying to phish their credentials through the displayed login form.

Moreover, the dark web forum’s DNS servers were changed to different name servers, heightening the members’ suspicions that the platform had been seized.

RaidForums had helped many threat actors trade stolen databases since its founding in 2015, catering mostly to English-speaking members despite Russian threat actors being prevalent in the cybercrime landscape.
