RaidForums was a notorious marketplace where criminals purchased stolen data, hacking tools, and pornographic material, and it was active for almost 7 years.
Unusually for such a popular criminal website, RaidForums was not a Dark Web site but a surface web site hosted at raidforums.com. Visiting the site now displays the familiar FBI takedown notice.
OP Tourniquet – Admin Arrest
In April 2022, the UK National Crime Agency (NCA) raided an address in Croydon and arrested the 22-year-old administrator of the website, Diogo Santos Coelho, a Portuguese national.
Under the name Operation Tourniquet, several investigations into the criminal site were conducted by law enforcement agencies in the United States, the United Kingdom, Sweden, Portugal, and Romania.
As part of their investigations, the FBI obtained copies of the back-end database for RaidForums, which allowed them to identify numerous IP addresses, login details, and private messages between members and administrators.
Eventually, the FBI identified Diogo Santos Coelho as the main person responsible for the purchase of the raidforums domain name and for the administration of the database and website of the same name.
Coelho used a number of alternate online names, including “Downloading”, “Shiza”, and “Kevin Maradona”, but his main online alias was “Omnipotent”. It was under this name that he administered the raidforums website.
At the time of his arrest, officers seized £5,000 in cash and thousands in US dollars, and froze cryptocurrency assets worth more than USD $500K.
Domain registration
According to historical WHOIS data, the RaidForums domain was first registered on 19 December 2010, when Coelho would have been 10 years old. It is doubtful that Coelho registered the domain at that time.
The domain was transferred to a new owner in 2015, which is the point at which the RaidForums site first appeared. This makes Coelho just 15 years old when he started operating the site.
The domain was transferred again to a new owner in 2018. In the course of their investigation, the FBI identified that Coelho used the name “Kevin Maradona” to falsely register the domain.
A place for multiple nefarious deeds
Prior to its seizure, RaidForums members used the platform to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing across the globe.
From its founding in 2015, RaidForums also operated as an online venue for organizing and supporting forms of electronic harassment, including “raiding” and “swatting”.
Raiding & Swatting
Raiding is the term given to the practice of posting or sending an overwhelming volume of contact to a victim’s online communications channel. The most common form is “Twitch raiding”, which, as the name suggests, is aimed at users of the streaming platform Twitch.
The term raiding is also applied to the practice of making false reports to public safety agencies of situations that would necessitate a significant and immediate armed law enforcement response. The more widespread term for this is swatting, after the SWAT teams typically deployed in America to respond to such threats to life.
The BBC News video below details the swatting call which ultimately led to the death of Andrew Finch, the victim of the hoax call.
Two people playing the Call of Duty game became involved in a heated argument. One of the players made the hoax call but gave Mr Finch’s address rather than the address of the second player. Mr Finch was killed on 28th December 2018; he was an entirely innocent party in the events.
Stolen data
The indictment, filed in the U.S. Eastern District of Virginia, highlights some of the activities of the investigation, including the purchase by an FBI agent of credits which allowed for the “unlocking” of stolen data belonging to a major US broadcasting and cable company.
In August 2021, a user of the RaidForums site offered for sale stolen data under the heading “SELLING 30M SSN + DL + DOB database” for 6 bitcoin, which at the time would have equated to approx. $276,000.
Using his “Omnipotent” alias, Coelho acted as a middleman in the sale of the stolen data between an unnamed user (who was actually acting on behalf of the company the data was stolen from) and the seller, a user with the name “SubVirt”.
This data included customer names, social security numbers, dates of birth, driver’s license numbers, phone numbers, billing account numbers, customer relationship manager information, Mobile Station Integrated Services Digital Network (MSISDN) information, International Mobile Subscriber Identity (IMSI) numbers, and International Mobile Equipment Identity (IMEI) numbers.
Although not officially confirmed, at the time of the sale T-Mobile had recently suffered a major security breach of its systems in which a large amount of data was stolen. It is widely suspected that the data in this sale was the stolen T-Mobile data.
Continuing investigations
Since the seizure of the domain and the associated database of registered users, various law enforcement agencies have been working to identify the users of the site.
Analysis of the data has already led to the arrest of three people who extorted companies by threatening to leak stolen data if a ransom was not paid. I wrote about the arrests in an earlier post which you can read here.
On 12 April, the Dutch National Police announced that they had sent thousands of emails and hundreds of letters to RaidForums members to warn them that their actions are illegal and that they are being monitored by law enforcement.