RaidForums, the popular online forum that facilitated the sale of stolen data from millions of people worldwide, was shut down and its domain seized by U.S. law enforcement in coordination with Europol and agencies in several other countries.
Operation Tourniquet was coordinated by Europol to support the United States, United Kingdom, Sweden, Germany, Portugal and Romania in shutting down and seizing the infrastructure of RaidForums.
All partners worked closely together for a year to identify the key targets, which included defining the different roles those targets played within the illegal forum (the administrator, the money launderers, the users in charge of stealing/uploading the data, and the buyers) and establishing a coordinated strategy to prepare for the final step in the investigation.
Launched in 2015, the illegal marketplace was considered one of the world's biggest hacking forums, with more than half a million users. According to the Department of Justice, at the time of its founding, the marketplace operated as an online venue for organizing and supporting forms of electronic harassment, including "raiding" – posting or sending an overwhelming volume of contact to a victim's online communications medium – and "swatting" – the practice of making false reports to public safety agencies of situations that would necessitate a significant and immediate armed law enforcement response.
RaidForums quickly became famous for selling access to high-profile data breaches with victims across several industries. The databases contained troves of personally identifiable information (PII), including social security numbers, bank account numbers, routing information, credit cards, usernames and associated passwords.
Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, says, "RaidForums was a consistent and stable platform that had withstood the test of time, enduring many years and allowing its members to buy and sell data, largely without fear of disruption."
However, RaidForums was not viewed as an esteemed forum in the same light as other cybercriminal forums like XSS and Exploit, with a greater number of low-value or empty posts being present on RaidForums, Morgan explains. "Moderation was certainly more lenient, with many members of the Russian cybercriminal community — with which it often shared many overlaps in membership and content — often sharing a sentiment that RaidForums was a good place for free leaked databases but held little value for more serious actors."
The seizure of RaidForums serves as a deterrent to people considering launching similar forums and marketplaces, says Casey Ellis, Founder and CTO at Bugcrowd. It will also prevent its members from further using the platform to traffic in stolen data from corporations, universities and governmental entities, including databases containing the sensitive, private data of millions of individuals worldwide.
Yet Morgan, Ellis and other security leaders predict that the takedown of RaidForums is unlikely to result in a significant disruption to overall cybercriminal activity. John Bambenek says, "The seizure of an individual forum will not have much long-term impact; however, if the justice department can keep up the pace of operations against many of these forums, it will provide a very strong disruption to the overall cybercrime ecosystem."
Morgan says a natural power vacuum will occur within the cybercriminal community, "with many of Raid's membership likely to flock to alternative platforms." Several forums already have the foundation to act as a home for RaidForums' members, and many of them have been styled and constructed in a similar fashion.
Ellis believes cybercriminals will simply evolve their techniques to maintain operational security and avoid detection. "The other counterintuitive consequence of this action is that it essentially burns a valuable tool used by those in counterintelligence, who infiltrate forums like this one, build fake personas, and use them to gather tactical breach and risk intelligence."