The Cyberint Research Team work round the clock to unearth the latest threats to SMBs and enterprises. They are on top of the latest TTPs and monitor rising threat groups, malwares and trends.
Long Live The New King – Is Breached.co the New RaidForums Domain?
Updated June 26th 2023 – scroll to the bottom for the latest updates
For the past five years the notorious RaidForums had been one of the main pillars, if not the main pillar, of the cybercriminal industry. It served many purposes, but its main activity was the exchange of leaked databases. Towards the end of February, RaidForums was seized by the authorities, and on April 12 the FBI officially closed it and announced the arrest of its main owner.
With hundreds of thousands of consumers and threat actors looking for a new platform on which to share their leaks, a new deep-web leak site, Breached.co, threw down its challenge for the title of next most popular platform for leak and database exchange – the new RaidForums 2.0 – and took over RaidForums’ legacy.
RaidForums Ends Its Reign
Towards the end of February, RaidForums ended its operations when users found they could only access a login page leading to an “invalid details” error.
One of the forum’s admins, Jaw, announced in closed Telegram groups that whoever had logged in should change their login credentials (Figure 1). He provided a new domain to serve the same purpose as the old RaidForums domain, although this domain ultimately did not function.
There had been many questions about this and other incidents over the past several months, during which the site was down for long periods, sometimes up to a week at a time, so speculation that the authorities had seized RaidForums became more realistic.
After several nerve-racking days, on April 12, the FBI announced the official capture of RaidForums’ owner and one of its founders (Figure 2).
Although the authorities announced the seizure of RaidForums on the 15th, we already had an idea about what had happened to the marketplace’s admin the day before, when a Telegram channel related to the case published an announcement (Figure 3) about the capture of Omnipotent, RaidForums’ admin and founder.
While the identity of Omnipotent was kept secret, US District Court of Alexandria, Virginia court documents revealed the individual who was one of the two founders of RaidForums (Figure 4).
Diogo Santos Coelho (Figure 5) is a 21-year-old originally from Portugal who lived in the UK. Diogo founded RaidForums when he was only 15 years old, along with another individual who is now also 21.
Over the years, RaidForums became one of the “go to” sources for data leakage, both for consumption and for publishing. Although there were alternatives to RaidForums, the refugees from the notorious forum looked for a new home. While some of them migrated to the XSS marketplace, and some looked for Telegram channels that might fill the void, others turned to a new forum that emerged claiming to be the next RaidForums – Breached.co.
Breached.co Up For The Challenge
RaidForums was the home for many threat actors. One of the most popular characters on RaidForums was Pompompurin, a threat actor who used to publish highly exclusive content and leaked databases. When RaidForums officially closed, Pompompurin decided to appoint a new heir to the data leaks throne – Breached.co (Figure 6).
Looking at BreachForums, we can immediately understand why it has been dubbed the new RaidForums – the two looked the same (Figure 7).
Pompompurin invited everyone who used to follow RaidForums to turn to BreachForums instead. The only difference between the two leak sites was that BreachForums focused on data leakage only, ignoring the malware marketplace and carding options.
If You Build It – They Will Come
One of the most popular threat groups to already use BreachForums was BlueHornet. The group used it to upload the data leaks they obtained from several major Russian and Chinese organizations and APT individuals that serve these countries.
BreachForums was gaining popularity fast. The number of items published on BreachForums every day was 25% higher in the first two weeks of April than in the last two weeks of March, pointing to potential growth of thousands of items per month (Figure 8).
The new BreachForums ranking system for users was more suspicious of new members. In order to access the valuable data published in the forum, a new member needed to show consistent activity in the forum, whereas on RaidForums the option of “buying your way” into the published content was much easier and more popular. This new ranking system made it harder for crawlers and authorities to find their way in and obtain exclusive content without getting their hands dirty.
As mentioned, it seemed that the rest of the content that used to be published on RaidForums, e.g., malware development, carding, scamming and phishing, was distributed across other forums such as Russian Marketplace, XSS and others, while some threat actors opened their own Telegram channels and did not commit to any forum.
June 1st 2023 Update
On March 15, the FBI arrested the person suspected to be Pompompurin. This led soon after to BreachForums shutting down. On April 4, the Genesis Market forum was also shut down. Since March, threat actors have been looking for a new home, and ExposedVC Forum has emerged, adopting the BreachForums structure. It has since leaked what its operators claim to be the entire RaidForums database.
June 13th 2023 Update
BreachForums Makes a Comeback, Exposed is up for Sale. The Cyberint Argos platform detected dark web chatter discussing the potential revival of the “Breached” forum. This forum had previously been shut down by the FBI and its administrator, Pompompurin, was arrested. There are indications that BreachForums might be making a comeback, with the involvement of Shiny Hunters and the former staff members from BreachForums known as Baphomet. Meanwhile, the “Exposed” forum, which was intended to be the successor of Breached, is currently up for sale but remains online and active.
June 26th 2023 Update
After making a comeback following its shutdown, BreachForums experienced a data breach caused by its rival OnniForums. The breach exploited a zero-day vulnerability in the MyBB forum software and resulted in the exposure of personal information of more than 4,000 members.
Then, on June 26th, the US government finally managed to seize the surface web domains associated with the infamous cybercrime marketplace BreachForums. Now, when you visit breached.vc, you come across a notice that says:
“The domains related to Breach Forums have been seized by the Federal Bureau of Investigation, US Department of Health and Human Services, Office of Inspector General, and the Department of Justice in accordance with a seizure warrant issued pursuant to 18 U.S. §§ 981, 982, inter alia, by the United States District Court for the Eastern District of Virginia as part of law enforcement action taken in parallel with the US Secret Service, Homeland Security Investigations, the New York Police Department, the US Postal Inspection Service, the Dutch National Police, the Australian Federal Police, the United Kingdom National Crime Agency, and Police Scotland.”
The authorities went all out and displayed the BreachForums logo along with the avatar used by its owner, “Pompompurin” (aka Conor Fitzpatrick). They digitally altered the image and added a pair of handcuffs.
July 2023 Update
BreachForums is now live again, but there is talk and suspicion that it is actually a honeypot and that the FBI is behind its resurfacing. Many cybercriminals are therefore reluctant to post there because of the uncertainty.
The RaidForums era came to an end, and who was better to inherit the throne than one of the most popular threat actors in the forum – Pompompurin.
When one marketplace closes, it is only to be expected that threat actors will look to consume the leaked databases on other platforms such as Telegram, Discord and other dark-web marketplaces.
Breached.co was the most promising successor to RaidForums for the simple reason that it looked exactly the same and had a better, more suspicious ranking system for anonymous users, which helped the owners prevent crawlers and authorities from indexing the forum.
As popular as RaidForums was as a data leakage forum, its seizure was nothing but a tap on the wing of the cybercrime industry, with a scent of nostalgia as an era came to an end. The same goes for BreachForums as new forums emerge.
Cyberint and the Dark Web
Cyberint excels in accessing high-tier sources that remain elusive to most companies. Our unique ability to penetrate these hidden corners enables us to collect and analyze invaluable data. We enrich our automated collection with a human approach, through research and analysis of our military-grade expert team.
Find new sources in deep and dark web marketplaces, forums and sites, even when those sources are volatile and difficult to track. Get deep analysis and reports that allow you to understand a specific threat actor or group profile, including places of operation, targeted countries or verticals, TTPs and more. Get a demo and see what assets you have exposed on the deep and dark web.
Thanks to Tal Samra, a Source Development Expert at Cyberint, for contributing to this post.