Recapping Raid Forums: The Place Where Data Was Sold to the Highest Bidder

The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.

From stolen personal data to entire corporate databases, Raid Forums was a digital black market where the most valuable commodities weren't physical goods but sensitive information.

What began as a hub for online trolls quickly spiraled into a bustling marketplace where hackers auctioned off data to the highest bidder. The platform evolved into a haven for cybercriminals, with notorious figures turning stolen information into profit.

But as law enforcement closed in, rookie OpSec mistakes led to this empire of deceit and data theft crumbling down.

Thus, let’s take a closer look at how Raid Forums became one of the internet’s most infamous data-selling platforms, its operational model and how it all came crumbling down.

Origins of Raid Forums: From Trolling to More Sinister Acts

Raid Forums began in 2015 as a notorious hub for trolling and harassment, with other disruptive activities like "swatting" and DDoS attacks also being discussed and orchestrated. Nevertheless, they were considered nothing more than a gaggle of terminally online script kiddies at the time.

At the center was its founder, Diogo Santos Coelho, or “Omnipotent,” a 14-year-old Portuguese national with a propensity for cybercrime. Frost and Pompompurin were two other notable admins.

Initially, users would reach out to him and the rest of the community to perform mass spam attacks—raids, justifying the forum’s name.

The shenanigans soon evolved—users orchestrated fake police reports, escalating the site's actions from online pranks to real-world disruptions in the form of online harassment campaigns and smear attacks. However, there was one major problem—these activities weren’t as profitable as Coelho and his partners in crime had hoped.

Shifting Goals: Transition to a Marketplace for Stolen Data

As the forum's audience expanded, its admin team figured it was time to pivot. Thus, Raid Forums gradually transformed into a marketplace for selling stolen information, from SSNs to corporate financial records, harvested from major data breaches.

This turned out to be a major boon for the site, as some of the world’s biggest freelance black hats saw Raid Forums as a suitable place to cash in on their digital loot.

At the same time, Raid developed its own team of data poachers and malware devs, and its escapades evolved into more sinister, more meticulous endeavors.

Whether it was extracting invoice data from corporate emails to dig deeper into potential targets or compromising the FBI’s internal email system, the forum's activities evolved from simple financial gain to more sophisticated and far-reaching criminal operations.

How Raid Forums Worked: The Inner Workings of a Clandestine Marketplace

As Omnipotent and other members of the site’s leadership crew also engaged in data theft, they saw the site as an opportunity to earn extra funds. Therefore, the site depended on the following revenue streams:

  1. Auction proceeds. Registered users could upload their databases and Raid Forums would take a percentage of each sale, in the form of mediation fees.
  2. Direct sale mediation. Oftentimes, hackers and data brokers already have an interested buyer for their data but don’t trust that buyer’s intentions. Hence, Omnipotent or another admin would serve as escrow, assuring both sides that the data and the money (usually Monero) were real.
  3. Memberships. While the admins’ goal was to attract more people, more users meant more scams, fake bids and other issues. As a result, they instituted a series of membership packages, with the God Tier providing access to the most valuable databases, secret auctions and private bids.

This turned out to be a sustainable operational model, with users being able to verify individual sellers and databases through reviews. Reputation was king, while admins used PGP to sign all their messages as a means of establishing legitimacy and reducing suspicion of a potential LEO mole.

What Type of Data Could You Find on Raid Forums

One of the things that set Raid Forums apart was the number of different types of data for sale, a logical result of the site being the epicenter for all such transactions. What caught the public’s attention the most, however, were:

Personal Identifiers

SSNs, DOBs, and home addresses often leak together with names and profile information, especially when a social network or forum suffers a data breach. Hackers often used Raid Forums to sell these stolen databases to scammers, who would attempt to commit identity theft and do everything from buying luxury goods to taking out loans, all in someone else’s name.

Financial Data

While personal identifiers are great for synthetic identity theft (for criminals, that is), stealing financial data is more attractive to smaller-time criminals.

Therefore, you would often see Raid Forums listings for hundreds of thousands of stolen credit cards. Oftentimes, it was like a lottery, with some cards being blocked and some having no limit whatsoever.

There were also instances of complete payment histories and information being leaked, which also helped scammers target people with other types of fraud. But, as always, corporate financial data used to fetch the highest prices.

Corporate and Private Records

Beyond financial records and company bank accounts, corporate systems also hold a treasure trove of other data. It doesn’t have to be R&D documents, proprietary IP or trade secrets—even something as inconspicuous as employee records could be invaluable to criminals.

What if someone found out that the janitor is often late, has drinking problems and recently got divorced? That sounds like an easy blackmail target to look the other way when necessary...

High-Profile Breaches that Raid Forums Facilitated

Chances are, if there was a significant data breach in the late 2010s or early 2020s, Raid Forums’ hands were all over it.

One notable example was the sale of records from the 2021 T-Mobile breach, which resulted in 37 million people being unwillingly doxxed by cyber criminals. However, this is just the tip of the iceberg, as Raid was the auction place of choice during the breaches of:

● LinkedIn (2021): This incident involved the scraping of data from 700 million LinkedIn users. The dataset included personal details such as full names, email addresses, phone numbers, job positions, workplace information, and other profile-related data. The hacker responsible listed the data for sale on RaidForums, providing a sample of 1 million records as proof.

● Facebook (2019): The breach affected 533 million Facebook users across 106 countries. The exposed data included phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses. This data was obtained through a vulnerability that was later patched by Facebook in 2019. Despite being an older dataset, it still posed significant risks for phishing and identity theft.

● Astoria Company (2021): A marketing and lead generation firm, Astoria Company, suffered a data breach that exposed over 10 million records. The leaked data included names, addresses, phone numbers, email addresses, and credit scores. The dataset was sold on RaidForums, making it a valuable resource for identity thieves and fraudsters.

● Brazilian Government (2021): A massive data breach affected 243 million Brazilian citizens, including deceased individuals. The leaked information included full names, tax identification numbers, dates of birth, and other sensitive data.

What was particularly harrowing about these breaches was that US netizens realized that their security could still be compromised by the very entities entrusted with their data.

Even if customers are using digital signatures and changing their passwords regularly, a business or government agency can make critical mistakes, and now that everything is so interconnected, their lapses expose you to risks beyond your control.

How Raid Forums Admins Became the Architects of their Own Arrests

The downfall of Raid Forums can largely be traced back to two main reasons—the site simply got too big and critical OpSec mistakes were made by Omnipotent.

Popularity-wise, the site was becoming too successful for its own good. This gave law enforcement and intelligence agencies from dozens of countries a strong reason to put an end to Raid for good.

However, it turned out that the site’s creator ended up being its unmaker, too. Although Omnipotent was known for using private emails, VPNs and signing everything with his PGP key, he wasn’t, well—omnipotent.

He made the cardinal error of trying to enter the United States illegally in 2018, which allowed the FBI access to data about his illegal activities. To make things even worse, Omnipotent used the same email he used to register the Raid Forums domain to contact the FBI about getting his devices back!

Not to mention, Coelho also used his personal device to run the official Raid Forums Telegram channel. With all of this, the April 2022 takedown of Raid was but a formality and its former head admin and founder is facing extradition to the US, along with a potential 52-year sentence if extradited.

Conclusion

The fall of Raid Forums wasn’t the leviathan being bested—it was more like a single smack in a never-ending game of Whack-a-Mole. This is evident from Breach Forums and its quick rise to popularity, followed by the arrest of its head admin, himself a former Raid Forums admin.

Thus, the message is clear—this fight is an ongoing one, and only constant vigilance and timely regulations can even the playing field. Your data will always be for sale; the point is to make getting it prohibitively difficult and expensive for any hacker, be it a freelancer or a forum.

Article Link: https://cybersecurity.att.com/blogs/security-essentials/recapping-raid-forums-the-place-where-data-was-sold-to-the-highest-bidder