RaidForums New Leak
Executive Summary
As the new underground forum, ExposedVC, is trying to establish credibility among threat actors and the cybersecurity community in general, its admins are working hard to give some valuable leaks to attract more people.
A few hours ago, the admins leaked what they claim to be the entire database of RaidForums, the forum that was taken down in 2022 by the FBI, along with the arrest of its admin Omnipotent.
This leak raised many questions and suspicions, such as the leak’s authenticity, its content, and whether there is a chance that ExposedVC is another honeypot run by the FBI.
The Leak
Impotent, the most active admin in the new underground forum, ExposedVC, announced a few hours ago that he had uploaded the entire RaidForums database for the forum’s community to download (Figure 1).
Figure 1: Impotent’s announcement
The leak contains records of 478,000 former users of RaidForums.
When asked about the source of the leak and where he got it from, Impotent was not willing to provide an answer to the community and decided to keep it to himself for now.
Leak’s Authenticity
Many questions were asked regarding the authenticity of the leak; it seems that the leak is, in fact, authentic and does contain many interesting details about former RaidForums users.
Although part of the DB was removed, probably to protect some individuals linked to the admins or to the source that provided them with this DB, most of the users do appear in this leak, which makes it more probable that we are looking at authentic information that might give us some valuable discoveries in the future.
Another Honeypot
While this leak seems to be drawing much attention from researchers and threat actors, many active discussions were also raised regarding the fact that this information should have been in the FBI’s possession since the takedown of RaidForums and the arrest of its admin Omnipotent.
The suspicion of ExposedVC being a honeypot was pretty popular even before this leak, and the fact that they leaked this information now, without providing answers about its source, makes a lot of members in the community question the true intentions of ExposedVC.
The idea that it is a honeypot is not new, given some infrastructure links to former forums that emerged after BreachedForums shut down and disappeared.
Some conspiracy theorists claim that the whole operation of ExposedVC is a cooperation between the feds and Omnipotent or even Pompompurin to create a new forum that will attract threat actors whom the feds can monitor and arrest at any given time, depending on their location in the world, of course.
Figure 2: Active member of the forum in the discussion about the feds and the informants’ cooperation
Conclusions
After being discovered last week by the Cyberint Research Team, the ExposedVC forum is already getting much attention and new users.
Even though the cybercrime community has become very paranoid after recent arrests and shutdowns, a lot of members in the community still try to get to know the admins and find a new home, while others take their time and remain in the shadows for now, observing the development of the new forum.
There is no question about the contribution of this leak, especially to the research community.
Finally, only time will tell if ExposedVC is an ambitious new forum or a genius masterpiece of the FBI, but one thing is for sure: it is becoming one of the most interesting forums these days.