Stolen-data market RaidForums taken down in domain seizure

Suspected admin who went by 'Omnipotent' awaits UK decision on extradition to US

After at least six years of peddling pilfered personal information, the infamous stolen-data market RaidForums has been shut down following the arrest of suspected founder and admin Diogo Santos Coelho in the UK earlier this year.

Coelho, 21, who allegedly used the mistaken moniker "Omnipotent" among others, according to the US indictment unsealed on Monday in the Eastern District of Virginia, is currently awaiting the outcome of UK legal proceedings to extradite him to the United States.

The six-count US indictment [PDF] charges Coelho with conspiracy, access device fraud, and aggravated identity theft stemming from his alleged activities as the chief administrator of RaidForums, an online market for compromised or stolen databases containing personal and financial information.

The unsealing of the indictment, initially filed May 6, 2021, was accompanied by word of an international effort to shutter the web domains associated with RaidForums – raidforums[.]com, Rf[.]ws, and Raid[.]lol. The site is said to have attracted about half a million users.

Europol, working with authorities from the US, UK, Germany, Portugal, Sweden, and Romania, said it has taken the underground forum offline, seized its infrastructure, and arrested two of Coelho's alleged accomplices as part of Operation TOURNIQUET.

In the US, all-caps acronyms are a common way for lawmakers to embed some aptly pandering phrase within legislative shorthand. For example, consider the DISCLOSE (Democracy Is Strengthened by Casting Light On Spending in Elections) Act of 2015. Europol, however, appears to have resorted to capital letters merely for emphasis.

"The seizure of the RaidForums website – which facilitated the sale of stolen data from millions of people throughout the world – and the charges against the marketplace's administrator are a testament to the strength of the FBI's international partnerships," said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office in a statement.

According to the indictment, Coelho founded RaidForums in January 2015. Initially, the website focused on organizing and supporting harassment, in the form of "raiding" – deluging a target with messages – and "swatting" – making false reports to law enforcement agencies to elicit an armed response, which sometimes ends in the victim's death.

By the following year, the forum is said to have become a venue for the buying and selling of stolen data consisting of personal and financial information from people in the US and elsewhere. The data allegedly included bank routing and account numbers, credit card details, login credentials, and social security numbers.

The feds say that RaidForums, in addition to selling pilfered data, offered hacking services and tools at four different membership tiers: free, VIP, MVP, and God.

"The God membership offered almost unlimited access to the RaidForums and features," the indictment says, indicating that designation as a deity still falls short of "Omnipotent," the sudo-nym of the RaidForums admin.

Coelho also allegedly used the names "Downloading," "Shiza," and "Kevin Maradona."

The indictment says Coelho himself participated in the buying and selling of illicit data by running an "Official Middleman Service," to make sure sellers didn't misrepresent what they were selling and buyers actually paid.

Coelho himself appears not to have been paid all that well for his trouble. The indictment says authorities intend to seek "a money judgment in the amount of not less than $215,571, representing the proceeds the defendant obtained as a result of the [alleged violations]."

That's assuming UK authorities agree to ship him stateside. ®
