U.S. Department of Justice today announced the seizure of the RaidForums website
“The domain for RaidForums has been seized by the Federal Bureau of Investigation, the United States Secret Service, and the Department of Justice,”
In what appears to be a highly coordinated law enforcement effort, in the early morning hours of April 12, 2022, the domain https://raidforums.com was seized by the DOJ, FBI and USSS, along with the alphabet soup across the pond who worked in tandem with our federal law enforcement, including Europol, the UK’s National Crime Agency, Swedish and Romanian police, and the IRS.
Well, this finally explains why RaidForums has been tango down since February 2022… you can read more here. And while the domain takeover is an important step, it appears that many of RaidForums’ customers and merchants merely moved to the following (new-ish) marketplace: https://breached.co
Also see the October 2021 “chatter” about the domain hold/suspension; you can read more here.
Defendant COELHO is now facing a six-count indictment (technically speaking it’s a second superseding indictment, but that’s because I’m a stickler for tiny details), and yes, of course all three indictments are embedded below.
“The Department of Justice today announced the seizure of the RaidForums website, a popular marketplace for cybercriminals to buy and sell hacked data, and unsealed criminal charges against RaidForums’ founder and chief administrator, Diogo Santos Coelho, 21, of Portugal… Coelho was arrested in the United Kingdom on Jan. 31, at the United States’ request and remains in custody pending the resolution of his extradition proceedings.”
RaidForums… contained over “10 billion unique records for individuals…”
…used the platform to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally.”
The (now defunct) RaidForums offered the following membership options:
MVP membership; and
The more expensive the membership, the more access a user could get to the RaidForums website. The God membership, for example, offered almost unlimited access to the RaidForums website and its features.
Count One - Conspiracy to Commit Access Device Fraud: the Government alleges that Defendant DIOGO SANTOS COELHO (a/k/a "Omnipotent," "Downloading," "Shiza," and "Kevin Maradona"), from June 2016 until January 31, 2022:
…did knowingly and with the intent to defraud, combine, conspire, confederate, and agree with other persons both known and unknown to the Grand Jury, to commit and aid and abet the following offenses…
As further alleged in the newly unsealed indictment, the Government states that the Defendant (and his co-conspirators) created several “sub forums”; think marketplaces where users would either buy credits or use a middleman service. Additionally, Defendant COELHO offered an “Official Middleman Service” on the RaidForums website… for a fee, and accepted payment via cyber currency…
Also notice the WayBack URL redirect to the RaidForums user mariecurie (also mentioned on page 7), and it’s incredibly interesting, at least for me, because the fact that RaidForums actually ran a mirroring site is kind of telling.
Amazingly (and this is why one should read the affidavit), the Government disclosed that Defendant Coelho:
“In an attempt to retrieve his items, Coelho called the lead FBI case agent on or around August 2, 2018, and used the email address email@example.com to email the agent,”
The government’s affidavit also noted that investigators discovered this same email address (firstname.lastname@example.org) was later used to register other websites, for example rf.ws and raid.lol. The latter was later announced on the forum by Defendant Coelho’s alias “Omnipotent,” who made an official announcement that the aforesaid websites would “now serve as alternative domain names for RaidForums in case the site’s primary domain was seized.” You can also read the U.K.’s National Crime Agency (NCA) statement, which adds additional details of the RaidForums takedown. The takedown was the result of “Operation Tourniquet” (you can read more here, but I’d highly recommend you read Krebs on Security on Operation Tourniquet), an investigation carried out by the NCA in cooperation with the United States, Europol and four other countries that resulted in “a number of linked arrests.”
T-Mobile data breach
At some point I’ll just have to deal with the copious amount of research that’s now gone; however, I distinctly remember creating a thread about T-Mobile’s data breach(es) (there have been several). But as you’ll note, the indictment speaks about the following: on Aug. 11, 2021, an individual using the moniker “SubVirt” posted on RaidForums an offer to sell the nearly 47M+ users’ data they had stolen.
The Cyberattack Against T‑Mobile and Our Customers: What happened, and what we are doing about it. By Mike Sievert, CEO of T-Mobile, August 27, 2021
There are several (unconfirmed) reports that two of Coelho’s co-conspirators are also in custody. But as of now no additional details have been made public, and based on Coelho’s various indictments I counted at least four co-conspirators, but then again I could be wrong or I’m overthinking the indictment (which is entirely possible).
Extradition, say what? MLATs
And look, I understand that some of you might be tired of me harping about MLATs, but clearly the complete takedown of RaidForums could not have occurred if it were not for the various MLATs “in force,” and I’ll bet you that most mainstream media organizations failed to provide their readers with the following:
March 17, 2022: AFFIDAVIT in Support of Request for Extradition by USA as to Diogo Santos Coelho (see EDVA-ECF for the affidavit, which includes not only the extradition affidavit but the 2nd superseding indictment, or see it via my Scribd account)
Have you figured out why I pointed you to the WayBack URL redirect to the RaidForums user mariecurie? Or do you need me to explain why it’s important? Because the mirroring forum was also seized (https://rfmirror.com), and that’s why I pointed it out: those tiny details matter. I’m going out on a limb and saying you should read the indictment, because a plain reading shows there are at least four co-conspirators… but again, it’s important that you read the indictment closely, or not.
Per today’s DOJ-OPA release, which reads in part:
The seizure of these domains by the government will prevent RaidForums members from using the platform to traffic in data stolen from corporations, universities and governmental entities in the United States and elsewhere, including databases containing the sensitive, private data of millions of individuals around the world.
In addition, a six-count indictment against Coelho was unsealed in the Eastern District of Virginia charging him with conspiracy, access device fraud and aggravated identity theft in connection with his role as the chief administrator of RaidForums. According to the indictment, between Jan. 1, 2015, and on or about Jan. 31, 2022, Coelho allegedly controlled and served as the chief administrator of RaidForums, which he operated with the help of other website administrators. As administrators, Coelho and his co-conspirators are alleged to have designed and administered the platform’s software and computer infrastructure, established and enforced rules for its users, and created and managed sections of the website dedicated to promoting the buying and selling of contraband, including a subforum titled “Leaks Market” that described itself as “[a] place to buy/sell/trade databases and leaks.”
Your daily Sunset on the sound video…
Enjoy, because it was spectacular to see the reds and purples, and let me tell you that new iPhone is definitely giving my DSLR a serious run for its money. Enjoy the video. Also, I’m going dark tomorrow because we are hitting the ocean for some deep sea fishing. Our Captain called tonight saying we need to be at the marina by 5AM tomorrow, so that means if the winds die down we might actually get to see the sunrise on the boat.
-Filey. I’ll see you on Thursday or Friday; depending upon the weather and the contractor, we might stay until Sunday…