
Long Live The New King – Is Breached.co the New RaidForums?

Introduction

For the past five years, the notorious RaidForums had been one of the main pillars, if not the main pillar, of the cybercrime industry. It served many purposes, but the forum's core business was exclusive leaked databases. Towards the end of February, RaidForums was seized by the authorities; on April 12 the FBI officially announced its closure, and its main owner was arrested.

With hundreds of thousands of consumers and threat actors looking for a new platform on which to share their leaks, a new deep-web leak site, Breached.co, threw down the gauntlet for the title of the next most popular platform for exchanging leaks and databases, and took over RaidForums' legacy.

RaidForums Ends Its Reign

Towards the end of February, RaidForums ended its operations: users found they could only reach a login page that returned an “invalid details” error.

One of the forum’s admins, Jaw, announced in closed Telegram groups that anyone who had logged in should change their login credentials (Figure 1). He also provided a new domain that was meant to serve the same purpose as the old RaidForums domain, although it ultimately never functioned.

Figure 1: Jaw announcement on the Telegram channel

Over the preceding months there had already been many questions about this and other incidents, including outages lasting up to a week, so speculation that the authorities had seized RaidForums became increasingly plausible.

After several nerve-racking days, on April 12 the FBI announced the official capture of RaidForums’ owner and one of its founders (Figure 2).

Figure 2: FBI announcement of the capture of RaidForums’ administrator

Although the authorities announced the seizure of RaidForums on the 15th, we already had an idea of what had happened to the marketplace’s admin the day before, when a Telegram channel related to the case published an announcement (Figure 3) about the capture of Omnipotent, RaidForums’ admin and founder.

Figure 3: RaidForums Telegram group announcing that Omnipotent had been captured

While Omnipotent’s identity had been kept secret, court documents from the US District Court in Alexandria, Virginia revealed the individual behind the handle, one of the two founders of RaidForums (Figure 4).

Figure 4: Court documents revealing the identity of the RaidForums founder

Diogo Santos Coelho (Figure 5) is a 21-year-old originally from Portugal who lived in the UK. He founded RaidForums when he was only 15 years old, together with another individual who is also now 21.

Figure 5: Diogo Santos Coelho ID

Over the years, RaidForums became one of the “go-to” sources for leaked data, both for consuming it and for publishing it. Although alternatives to RaidForums exist, the refugees from the notorious forum went looking for a new home. Some migrated to the XSS marketplace, some looked to Telegram channels to fill the void, and others turned to a newly emerged forum claiming to be the next RaidForums: Breached.co.

Breached.co Up For The Challenge

RaidForums was home to many threat actors. Over the past year, we met some who played a crucial part in the day-to-day content published on the forum.

One of the most popular characters on RaidForums was Pompompurin, a threat actor who published highly exclusive content and leaked databases. When RaidForums officially closed, Pompompurin decided to appoint a new heir to the data-leak throne: Breached.co (Figure 6).

Figure 6: Pompompurin tweets about the seizure of RaidForums and posts an announcement about the new BreachForums

Looking at BreachForums, we can immediately understand why it has been dubbed the new RaidForums: the two look the same (Figure 7).

Figure 7: BreachForums

Pompompurin is not attempting anything new; he is inviting everyone who used to follow RaidForums to turn to BreachForums instead. The only difference between the two leak sites is that BreachForums currently focuses on data leaks only, leaving out the malware marketplace and carding sections.

If You Build It – They Will Come

One of the most prominent threat groups already using BreachForums is BlueHornet. The group has been uploading data leaks it obtained from several major Russian and Chinese organizations and from APT operators serving those countries.

BreachForums is gaining popularity fast. The indications are that, since the new forum emerged, the number of items published on BreachForums per day was 25% higher in the first two weeks of April than in the last two weeks of March, which translates into potential growth of thousands of items per month (Figure 8).

Figure 8: Number of BreachForums items per day throughout March and April

BreachForums’ new user ranking system is more wary of new members. To access the valuable data published on the forum, a new member has to show consistent activity there, whereas on RaidForums “buying your way” into the published content was much easier and more common. The new ranking system makes it harder for crawlers and the authorities to find their way in and obtain exclusive content without getting their hands dirty.

As mentioned, it seems that the rest of the content that used to be published on RaidForums, e.g., malware development, carding, scamming, and phishing, has been distributed across other forums such as Russian Marketplace, XSS, and others, while some threat actors opened their own Telegram channels and did not commit to any forum.

Summary

The RaidForums era has come to an end, and who better to inherit the throne than one of the forum’s most popular threat actors, Pompompurin.

When one marketplace closes, it is only natural that threat actors will look to consume leaked databases on other platforms such as Telegram, Discord, and other dark-web marketplaces.

Breached.co is currently the most promising successor to RaidForums for the simple reason that it looks exactly the same and has a stricter, more wary ranking system for anonymous users, which helps the owners keep crawlers and the authorities from indexing the forum.

As popular as RaidForums was among data-leak forums, its seizure was little more than a glancing blow to the cybercrime industry, delivered with a touch of nostalgia as an era came to an end.

Thanks to Tal Samra, a Source Development Expert at Cyberint, for contributing to this post.
