Alleged Founder, 2 Accomplices Arrested; $500K Worth of Crypto Assets Frozen
A yearlong joint operation by law enforcement agencies across several countries has led to the shuttering of darknet marketplace RaidForums and the seizure of three domains hosting the website. Its 21-year-old alleged founder and two of his unidentified co-conspirators have also been arrested.
RaidForums was used by hackers mainly to buy and sell stolen information, including financial data such as credit card details, bank account numbers, Social Security Numbers, login credentials and personally identifiable information.
To monetize its operation, the marketplace offered tiered memberships for criminals, such as staggered access to premium stolen financial information and means of identification. Members could earn additional credits to bump up their membership level by sharing instructions on carrying out illegal acts.
The U.S. Department of Justice on Tuesday unsealed criminal charges against Diogo Santos Coelho, who allegedly served as RaidForums’ founder and chief administrator between Jan. 1, 2015 and Jan. 31, 2022, the DOJ statement says, implying that he founded the marketplace as a 14-year-old.
He was arrested on Jan. 31 in the U.K. at the request of U.S. law enforcement. He remains in custody in the U.K. pending resolution of his extradition proceedings to the U.S., the DOJ statement says.
Coelho, also known under the aliases Omnipotent, Downloading, Shiza and Kevin Maradona, has been charged with six counts related to access device fraud and aggravated identity theft, according to his indictment.
The indictment says that Coelho also acted as a middleman, facilitating the purchase and sale of contraband, including stolen and hacked data, for a fee. The defendant and his co-conspirators, the indictment shows, “accepted payment in cryptocurrency in return for the sale of stolen access devices.”
A statement from Europol says two of his accomplices were arrested too, but it does not disclose their identity or charges.
The DOJ statement did not disclose these details either, with a spokesperson for the agency adding that it had “shared all that we can about the forfeiture action.”
The U.K.’s National Crime Agency says that it arrested a “21-year-old from Croydon,” a suburb of London, at his home in March. “At the time of his arrest, officers seized £5,000 in cash, thousands in US dollars and put a freeze on crypto assets worth more than half a million dollars,” the statement says.
The DOJ document gives the month of Coelho’s arrest as January, while the NCA says its arrest took place in March; the agencies did not immediately respond to ISMG’s request for clarification.
“As administrators, Coelho and his co-conspirators are alleged to have designed and administered the platform’s software and computer infrastructure, established and enforced rules for its users, and created and managed sections of the website dedicated to promoting the buying and selling of contraband, including a sub-forum titled Leaks Market that described itself as ‘[a] place to buy/sell/trade databases and leaks’,” the DOJ statement says.
The U.S. has also seized three domains – raidforums.com, Rf.ws, and Raid.lol – that hosted the hacker forum, the DOJ statement says. Also under forfeiture are electronic devices, including a smartphone, tablet, laptop and a Yubico authentication device, and $215,571 of what the DOJ says are proceeds from his alleged crimes.
The agencies involved in this case, dubbed Operation Tourniquet, include the U.S. Justice Department’s Criminal Division and Office of International Affairs, the U.S. Secret Service’s Criminal Investigative Division, the FBI, the Criminal Division’s Computer Crime and Intellectual Property Section, the Joint Cybercrime Action Taskforce (Europol), the National Crime Agency (U.K.), the Swedish Police Authority, the Romanian National Police, the Portugal Judicial Police, the Internal Revenue Service Criminal Investigation and the Federal Criminal Police Office (Germany).
“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” says assistant attorney general Kenneth A. Polite, Jr. of the Justice Department’s criminal division. “This is another example of how working with our international law enforcement partners has resulted in the shutdown of a criminal marketplace and the arrest of its administrator.”
U.S. attorney Jessica D. Aber for the Eastern District of Virginia adds, “Online anonymity was not able to protect the defendant in this case from prosecution, and it will not protect other online criminals either.”
One example of a RaidForums transaction where Coelho acted as the middleman reportedly refers to a T-Mobile breach.
On August 11, 2021, an individual using the moniker SubVirt put up for sale, for six Bitcoins, millions of stolen customer records from a U.S.-based “major telecommunications company and wireless network operator,” the court affidavit shows. This data included customer names, Social Security Numbers, dates of birth, driver’s license numbers, phone numbers, billing account numbers, customer relationship manager information, Mobile Station Integrated Services Digital Network information, International Mobile Subscriber Identity numbers and International Mobile Equipment Identity numbers, it says.
On August 17, under the moniker Omnipotent, Coelho “executed his middleman service, and aided and abetted SubVirt in selling [to a third party] a sample of confidential and sensitive information and other data of value obtained during an unlawful computer intrusion,” the document says. He also helped the interested third party transfer a Bitcoin amount worth $50,000 at the time to SubVirt.
On August 22, he facilitated the execution of the sale and enabled the purchaser of the hacked data to transfer a Bitcoin amount worth $150,000 at the time to SubVirt.
The affidavit does not name the telecom company, but T-Mobile on Aug. 17 said it was hit by a data breach that affected 40 million people, days after the aforementioned RaidForums transactions took place.
It is not clear whether the third-party buyer was T-Mobile, an associate of T-Mobile or an uninvolved entity. The telecom company did not respond to ISMG’s request for comment.
Media reports show that the court document says the third party negotiated with SubVirt to delete their copy of the data once sold. But the co-conspirators reportedly “continued to attempt to sell the databases after the third-party’s purchase,” the reports say, citing the court document. ISMG could not independently verify this information.
Impact of Seizure
RaidForums comprised “hundreds of databases of stolen data containing more than 10 billion unique records of individuals,” the DOJ says. Hosted on a server located outside the U.S., the website also enabled its members to sell hacking tools, databases of hacked data, and other illegal services, such as hacking-for-hire.
While RaidForums was known to be a “good place for free leaked databases but holding little value for more serious actors, the takedown will certainly cause a power vacuum within the cybercriminal community,” says Chris Morgan, senior cyber threat intelligence analyst at cybersecurity firm Digital Shadows.
The takedown of RaidForums, Morgan says, is unlikely to result in major disruption of overall cybercriminal activity.
“Cybercriminals are well versed to platforms being taken down by law enforcement authorities, so they remain agile and fluid as to where their next forum of choice is likely to pop up. There are already numerous forums that have a foundation to act as a home for the RaidForums community, many of which appear to have been styled and constructed in a similar fashion,” he says.
John Bambenek, principal threat hunter at cybersecurity company Netenrich, adds that “if the justice department can keep up the pace of operations against many of these forums, it will provide a very strong disruption to the overall cybercrime ecosystem. Just like a crime wave is not solved with individual prosecutions, cybercrime is no different.”
The RaidForums takedown comes days after the German police, leading a trans-agency effort, shuttered Russian darknet marketplace Hydra, which has been known to offer stolen credit and SIM cards, VPN access, and cryptocurrency laundering services. Although there were no known arrests, the Federal Criminal Police Office of Germany seized 543 bitcoins, worth about $25 million, associated with the marketplace. (See: Germany Shutters Russian Darknet Marketplace Hydra)