Multiple arrests made in RaidForums takedown

The underground RaidForums marketplace has been shut down and its infrastructure seized in a multinational police operation bringing together forces from Germany, Portugal, Romania, Sweden, the UK and the US. Multiple individuals, including a site admin named as Diogo Santos Coelho and an unnamed man from Croydon, have been taken into custody.

According to the US Department of Justice, Coelho, a 21-year-old Portuguese national, was arrested in the UK on 31 January at the US’s request, and is now in custody pending extradition to the US. A six-count indictment, unsealed in a Virginia court today, charges him with conspiracy, access device fraud and aggravated identity theft.

Coelho allegedly acted as the controller and chief admin of RaidForums, and played a role in the design and operation of the platform’s software and computer infrastructure, establishing and enforcing rules for forum users and managing sections of the website that sold contraband, including leaked data. He is also alleged to have personally sold stolen data on RaidForums, and acted as a middleman in various transactions, for a fee.

“The seizure of the RaidForums website – which facilitated the sale of stolen data from millions of people throughout the world – and the charges against the marketplace’s administrator are a testament to the strength of the FBI’s international partnerships,” said Steven D’Antuono, assistant director in charge of the FBI’s Washington Field Office.

“Cyber crime transcends borders, which is why the FBI is committed to working with our partners to bring cyber criminals to justice – no matter where in the world they live or behind what device they try to hide.”

Dating back to 2015, the prominent RaidForums service specialised in the sale of stolen or leaked personal data to cyber criminals for use in fraud and other forms of digitally enabled crime. It operated a membership scheme whereby users paid varying amounts to access chatrooms where they could exchange links and other material related to cyber crime. This scheme operated on a sliding scale depending on price, including a “God” tier membership status, and an earned credits system.

Disruption to the service apparently began towards the end of February 2022, prompting speculation that a law enforcement operation was in play.

“RaidForums had developed into one of the largest hacking forums online where hacking tips and stolen data were frequently exchanged,” said a National Crime Agency (NCA) spokesperson. “Data from some of the most high-profile hacking incidents in recent years could be located on the site and often the victims – real people – found themselves vulnerable to further crime, like fraud.

“The NCA works with international partners to identify, disrupt and apprehend those who profit from cyber crime and is committed to tackling this threat as it evolves.”

Edvardas Šileris, head of Europol’s European Cybercrime Centre, added: “Disruption has always been a key technique in operating against threat actors online, so targeting forums that host huge amounts of stolen data keeps criminals on their toes. Europol will continue working with its international partners to make cyber crime harder – and riskier – to commit.”

The second arrest in Croydon, which Computer Weekly understands actually happened in March, is supposedly of another of RaidForums’ site controllers or admins. The NCA also seized £5,000 in cash, and an undisclosed amount of US dollars, and froze cryptocurrency assets worth more than $500,000. The unnamed individual has since been released under investigation.

The NCA suspects this admin helped Coelho manage RaidForums’ membership and laundered payments through an apparently legitimate side business.