April 12, 2022

The U.S. Department of Justice (DOJ) said today it seized the website and user database for RaidForums, an extremely popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums — 21-year-old Diogo Santos Coelho, of Portugal — with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.

The “raid” in RaidForums is a nod to the community’s humble beginnings in 2015, when it was primarily an online venue for organizing and supporting various forms of electronic harassment. According to the DOJ, that early activity included ‘raiding‘ — posting or sending an overwhelming volume of contact to a victim’s online communications medium — and ‘swatting,’ the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.”

But over the years as trading in hacked databases became big business, RaidForums emerged as the go-to place for English-speaking hackers to peddle their wares. Perhaps the most bustling marketplace within RaidForums was its “Leaks Market,” which described itself as a place to buy, sell, and trade hacked databases and leaks.

The government alleges Coelho and his forum administrator identity “Omnipotent” profited from the illicit activity on the platform by charging “escalating prices for membership tiers that offered greater access and features, including a top-tier ‘God’ membership status.”

“RaidForums also sold ‘credits’ that provided members access to privileged areas of the website and enabled members to ‘unlock’ and download stolen financial information, means of identification, and data from compromised databases, among other items,” the DOJ said in a written statement. “Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.”

Prosecutors say Coelho also personally sold stolen data on the platform, and that Omnipotent directly facilitated illicit transactions by operating a fee-based “Official Middleman” service, a kind of escrow or insurance service that denizens of RaidForums were encouraged to use when transacting with other criminals.

Investigators described multiple instances wherein undercover federal agents or confidential informants used Omnipotent’s escrow service to purchase huge tranches of data from one of Coelho’s alternate user  identities — meaning Coelho not only sold data he’d personally hacked but also further profited by insisting the transactions were handled through his own middleman service.

Not all of those undercover buys went as planned. One incident described in an affidavit by prosecutors (PDF) appears related to the sale of tens of millions of consumer records stolen last year from T-Mobile, although the government refers to the victim only as a major telecommunications company and wireless network operator in the United States.

On Aug. 11, 2021, an individual using the moniker “SubVirt” posted on RaidForums an offer to sell Social Security numbers, dates of birth and other records on more than 120 million people in the United States (SubVirt would later edit the sales thread to say 30 million records). Just days later, T-Mobile would acknowledge a data breach affecting 40 million current, former or prospective customers who applied for credit with the company.

The government says the victim firm hired a third-party to purchase the database and prevent it from being sold to cybercriminals. That third-party ultimately paid approximately $200,000 worth of bitcoin to the seller, with the agreement that the data would be destroyed after sale. “However, it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase,” the affidavit alleges.

The FBI’s seizure of RaidForums was first reported by KrebsOnSecurity on Mar. 23, after a federal investigator confirmed rumors that the FBI had been secretly operating the RaidForums website for weeks.

Coelho landed on the radar of U.S. authorities in June 2018, when he tried to enter the United States at the Hartsfield-Jackson International Airport in Atlanta. The government obtained a warrant to search the electronic devices Coelho had in his luggage and found text messages, files and emails showing he was the RaidForums administrator Omnipotent.

“In an attempt to retrieve his items, Coelho called the lead FBI case agent on or around August 2, 2018, and used the email address unrivalled@pm.me to email the agent,” the government’s affidavit states. Investigators found this same address was used to register rf.ws and raid.lol, which Omnipotent announced on the forum would serve as alternative domain names for RaidForums in case the site’s primary domain was seized.

The DOJ said Coelho was arrested in the United Kingdom on January 31, at the United States’ request, and remains in custody pending the resolution of his extradition hearing. A statement from the U.K.’s National Crime Agency (NCA) said the RaidForums takedown was the result of “Operation Tourniquet,” an investigation carried out by the NCA in cooperation with the United States, Europol and four other countries that resulted in “a number of linked arrests.”

A copy of the indictment against Coelho is available here (PDF).

25 thoughts on “RaidForums Gets Raided, Alleged Admin Arrested

  1. Seller13

    Please delete this post as this means I am in big trouble.

  2. Mike D

    “However, it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase”

    You don’t say…

    1. an_n

      Crime doesn’t take a vacation, but when it does, it flies UKUSA.

  3. Chief Johnson

    Please revise this post as soon as possible as to not state the obvious.

  4. Chief Johnson

    Please consider revising this post as soon as possible as to not state the obvious. Thank you.

  5. Trace The Hacker

    It’s a bad day for Seth B how will he ever buy or sell his fake databases now

  6. crd

    “posting or sending an overwhelming volume of contact to a victim’s online communications medium”
    Did you mean contact->content there?

      1. bobby

        Hey Brian, any chance you can link to the docket and not just a single indictment in legal proceedings? This case alone already contains 3 indictments (2 superseding the original) and it’s possible that more will result. Although normally, because PACER requires a minimal but non-zero payment to access such documents (even though they are legally speaking public), linking to the DOJ’s mirror is a workaround, but now that there’s an active effort to, through open source code, mirror entire dockets, which would then be preserved by the internet archive, perhaps it makes more sense to link to the Free Law Project’s RECAP docket of the case? It also has added features like alerts and RSS feeds when updates in the form of new filings are submitted to PACER. For this case, the docket is located at https://www.courtlistener.com/docket/63228349/united-states-v-coelho/. Cheers.

  7. soundcard

    Do you know if they got IP Logs by chance? Hoping not because if so I’m in biiiig trouble.

    1. Morp

      Of Course they do… Dumb kids. At least -> special purpose PC -> public/cracked wifi/3G modem ->VPN ->TOR . Goliath is x10 times stronger! The system spends x10 more than what gets taken to annihilate the intruders. Always be one step ahead of the Agents Smiths!

    2. jax

      it’s been run by the FBI for at least a month now dude. gl

  8. Jonnyrf828

    Delete this I’m gonna get in trouble

    I bought like all the rats and cryptors and databases and was God member.

  9. master data

    thank you for the dutch and france data you gave me as a gift.Master Data raidforums

  10. masterdata

    thank you for the dutch and france data you gave me as a gift.Master Data raidforums

  11. My HT Space

    Thanks a lot for the reply. I will try the suggested solution from your link.

  12. A.Nonymous

    Am I the only one who gets the reference to “Omnipotent”? The admin/owner of HackForums is called Omniscient.

    God damn, HackForums is a trip down memory lane for me. Is HF still around these days? I quit browsing around late 2013.

  13. Jeff

    I’ve always thought these mainstream hacking forums were honeypots. It’s crazy that they operated in the open for so long.

  14. Bishop99

    Darn it.. how will I make a living now?!?

Comments are closed.