A coalition of international law enforcement agencies (Europol, the FBI, the NCA and others) has seized RaidForums, the world's largest hacker forum. This appears to be part of an anti-cybercrime campaign that began with the Hydra Shop shutdown.
On April 12, 2022, the National Crime Agency (NCA for short) reported on its official website on the successful Operation Tourniquet. In the course of it, the RaidForums administration was arrested and the forum was taken offline by seizing its infrastructure. UK law enforcement, which led the investigation and the arrests, reports having detained the person believed to be the head of this criminal organisation.
RaidForums was considered the biggest online hacker forum still active today. It operated mainly on the surface web rather than the darknet. That is a very strange trait for such a site, especially when we remember that the UK is a member of the 14 Eyes surveillance alliance. Nonetheless, the forum was present on three domains: raidforums[.]com, Raid[.]lol and rf[.]ws. There were also several darknet mirrors, but they were not very stable. Operating from the darknet might have prolonged the forum's lifespan, but history does not deal in what-ifs.
RaidForums appeared in 2015 and gained a reputation as a place where leaked data of any kind could be bought. Over its 7 years of activity, that data fuelled numerous cyberattacks and blackmail cases. It hosted over 530,000 members and charged €10 for access to the chatrooms containing specific leaked information. That model alone could have brought the creators €5.3 million, but according to the NCA report, an even bigger sum was involved.
It was obvious that one day law enforcement would turn its attention to them. By a strange coincidence, however, this happened shortly after the severing of virtually all relations with Russia. The Hydra Market shutdown had a more obvious connection to the post-Soviet countries, but in reality cybercrime has no borders. More likely, some of the people connected to Hydra held valuable information about other crooks and were happy to share it with the men in uniform.
The shutdown of RaidForums was not a one-day event. The long-running operation lasted almost a year and culminated in the arrest of 21-year-old Diogo Santos Coelho, the founder of the forum. During the arrest, police also seized about £5000 and several thousand U.S. dollars in cash. The non-cash assets seized (mostly cryptocurrency) amounted to roughly $500,000. Taking down this forum is primarily about removing the ability to buy sensitive information on companies around the world. In particular, the NCA points to information about British companies that had been put up for sale on the forum. In total, the database held over 10 billion records on both individuals and companies.
Besides the founder, law enforcement also managed to detain the forum administrators. They are accused of money laundering. Notably, for that purpose they used an online business that had previously been considered legitimate. The event also had a telling chronology: at the end of January, the aforementioned founder (known by the nickname Omnipotent) disappeared from social networks. On February 7, the first problems with RaidForums began. Several database outages recurred on February 12, with no comment from the administrators. Finally, on February 25 the website was down on all of the mentioned domains. No one knew anything about the fate of the forum until the official statements from law enforcement agencies in multiple countries.
What is next?
Recent events show that an anti-cybercrime campaign is under way around the world. Perhaps it is related to the collapse of US-Russia cybersecurity cooperation, or to the overall backdrop of war. Perhaps it is becoming a good tradition to begin the year with some high-profile cybercriminal arrests. A year ago, we witnessed the takedown of the network of Emotet distributors. This trojan served as a precursor in numerous ransomware attacks. Last year, that event led to a huge decrease in malware activity throughout the whole spring (the arrests themselves happened in February). Whether this year's actions will have the same impact is unknown, but at the moment it does not look like it: the Hydra and RaidForums shutdowns are a blow to the criminal ecosystem, but neither was an element of critical malware-spreading infrastructure.