US and European law enforcement seize RaidForums and arrest suspected operator
Martin Matishak April 12, 2022

US and European law enforcement seize RaidForums and arrest suspected operator

US and European law enforcement seize RaidForums and arrest suspected operator

US and European law enforcement authorities on Tuesday announced that they had seized one of the largest hacker forums and arrested its chief administrator.

RaidForums, which served as a popular online marketplace where individuals could buy and sell hacking tools, stolen databases, and other sensitive information, was shut down and had its infrastructure seized as part of an operation called “TOURNIQUET,” Europol announced. The operation involved coordination between law enforcement efforts in the US, United Kingdom, Sweden, Portugal, and Romania.

“The seizure of the RaidForums website – which facilitated the sale of stolen data from millions of people throughout the world – and the charges against the marketplace’s administrator are a testament to the strength of the FBI’s international partnerships,” assistant director in charge of the FBI’s Washington Field Office Steven M. D’Antuono said in a statement. “Cybercrime transcends borders, which is why the FBI is committed to working with our partners to bring cybercriminals to justice – no matter where in the world they live or behind what device they try to hide.”

According to court documents, 21-year-old Diogo Santos Coelho (also known on the site as “Omnipotent” and “Downloading”) of Portugal is accused of operating the site from at least January 2015 to January 2022. He was arrested in the U.K. on January 31 and remains in custody awaiting extradition proceedings.

A six-count indictment against Coelho unsealed in the Eastern District of Virginia charges him with conspiracy, access device fraud, and aggravated identity theft.

In an interview published by The Record last January, Omnipotent — Coelho’s administrator username on the site — said that he wasn’t particularly concerned about law enforcement. “I just assume that the forum is being surveilled but then again in this day and age everyone is being surveilled,” he said. “It’s very likely that any website of this size would be surveilled by multiple federal and non-federal entities. In conclusion, I am not bothered by it as I try my best to be a law-abiding citizen.”

Launched in 2015, RaidForums grew to an estimated 500,000 members. Its massive illegal marketplace, among other things, advertised tools that could be used to carry out cyberattacks and sold access to high-profile data leaks from governments and corporations around the world.

RaidForums monetized the site in part by charging for membership tiers that offered different levels of access and features. Members could buy credits that allowed them to unlock and download stolen financial information and other sensitive data. They could also earn these credits by posting instructions on how to conduct hacks and other illegal acts.

Poland-Raid-post
An example of a RaidForums post from January 2022. Image: The Record

Coelho personally sold stolen data on the platform, according to the indictment, and facilitated transactions between members who wanted to buy and sell hacked data. An “Official Middleman” service on the site allowed buyers and sellers to verify the means and payment of what was being sold before completing their transaction.

The seizure notches another win for global law enforcement efforts against cyber criminals and malicious online actors in recent months.

Just last week, the Justice Department announced that Hydra Market, which was considered to be the world’s largest and oldest darknet marketplace of illegal items and services, was seized and shut down by German authorities in coordination with U.S. law enforcement.

The latest operation was coordinated at the international level by Europol’s European Cybercrime Centre and “was the culmination of a year of meticulous planning between the law enforcement authorities involved in preparation for the action,” according to Europol.

“Disruption has always been a key technique in operating against threat actors online, so targeting forums that host huge amounts of stolen data keeps criminals on their toes,” Edvardas Šileris, the hub’s chief, said in a statement.

Martin is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.