US and international law enforcement agencies have seized control of a popular website where hackers have advertised data stolen from American consumers and corporations – the latest in a long-running effort to crack down on forums where cybercriminals congregate.
“This domain has been seized” by the FBI, US Secret Service and Justice Department, read a notice Tuesday on the home page of RaidForums, a website known more for advertising hacked data in English than in Russian, the preferred language of other criminal forums. Law enforcement agencies from the United Kingdom, Sweden and elsewhere were involved in the seizure, according to the statement.
With over 530,000 registered members, according to threat intelligence firm Recorded Future, RaidForums had great reach and influence among low- to mid-level cybercriminals.
RaidForums’ 21-year-old alleged founder, Diogo Santos Coelho, was arrested in the United Kingdom on January 31, and remains in custody pending “the resolution of his extradition proceedings,” the Justice Department said.
It’s the latest move in a sustained international law enforcement effort to upend the marketplaces where cybercrime flourishes. German police last week seized the computer servers of Hydra, a popular Russian dark web market connected to $5 billion in transactions since 2015.
“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division said in a written statement.
US authorities had access to RaidForums’ computer infrastructure for several months before the seizure was announced, according to a law enforcement official familiar with the matter. That likely gave authorities valuable insight into who bought and sold hacked data during that time.
The seizure of RaidForums is a blow to crooks looking for an easy way to profit from data breaches. But the underground market for stolen financial and personal data will likely continue to flourish, analysts said, because there are numerous other online bazaars for trading that data.
“With its low barriers to entry, RaidForums made it extremely easy for new and established threat actors to be active in the data breach and leak community,” Recorded Future senior threat intelligence analyst Allan Liska told CNN.
It was one of the few English-language cybercriminal sites that denizens of prominent Russian-language underground forums deemed worthy of mentioning, according to Digital Shadows, a San Francisco-based security firm that monitors the dark web.
It had been a “consistent and stable platform” for hackers around the world to buy and sell data “largely without fear of disruption,” Digital Shadows’ Photon Research Team said in a statement to CNN.
“Highly sought-after databases were often shared on RaidForums and repurposed on Russian-language cybercriminal forums, leading members of the Russian-language cybercriminal underground to frequent RaidForums solely for this purpose,” the Photon Research Team said.
Whereas cybercrime forums associated with the “dark web” require special software to access, “clear text” websites like RaidForums are accessible to the regular Internet user.
After the shuttering of RaidForums, other “forums on the clear web that struggled to compete with RaidForums could see an increase in the number of active members, but more sophisticated cybercriminals are likely to integrate themselves in underground forums on the dark web,” said Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows.
This story has been updated with additional details.