RaidForums was crumbling before its DOJ takedown — here’s why

Cybercriminals are selling “exclusive” stolen data to multiple customers, undermining the stability of illicit marketplaces even before Justice Department action is taken into account.

Stealing data is easy, selling it is hard.

Cybercriminals must establish trust to successfully fence their digital spoils in the illegal forums where stolen credit card numbers and Social Security numbers are bought and sold.

As the recent U.S.-led takedown of the RaidForums website makes clear, law enforcement officials are often well aware of these platforms, and they carefully track those who operate and use them. Several high-profile cybercriminals, including notorious credit card hacker Albert Gonzalez, have been identified and arrested through their connections with the intermediaries who fenced their stolen data.

But the RaidForums takedown, announced by the Justice Department on April 12, also highlights the deterioration of those illicit platforms and the eroding trust among cybercriminals. DOJ documents suggest RaidForums administrators routinely lied to customers, promising to sell data to only one buyer and then breaking those promises. That kind of disreputable act not only undermines trust among users of the RaidForums platform but also hints at broader cleavages and destabilization within the cybercrime community over the norms of behavior for illegal marketplaces.

Long term, these tensions are good news for law enforcement, because a splintering of the criminal landscape may make it even more difficult to run large-scale, centralized illegal marketplaces like RaidForums — especially if the people running those sites fail to keep their promises.

In addition to seizing three domains that hosted the RaidForums website, raidforums.com, Rf.ws, and Raid.lol, the Justice Department also filed criminal charges against the website’s founder, a Portuguese 21-year-old named Diogo Santos Coelho, who was arrested on January 31 in the United Kingdom and is currently awaiting extradition. Coelho’s indictment makes clear how central trust was to RaidForums’ operations. Among other allegations, the indictment claims Coelho offered an “Official Middleman Service” through RaidForums in which Coelho would “accept cryptocurrency from the purchaser and files, including stolen access devices and means of identification, from the seller. Coelho then verified the contents of the files and conversed with the buyer and seller. Once the parties were satisfied, Coelho released the funds to the seller and the files … to the purchaser.”

The whole point of Coelho’s role here was to act as a trusted third party for two different cybercriminals: one selling stolen information and another buying it. Just as legitimate e-commerce customers prefer to buy through trusted websites and platforms like Amazon, criminals also prefer to deal with trusted third parties, especially since they have even less recourse if the stolen information they purchase turns out to be faulty or to have already been sold to someone else. That’s why there’s such demand for platforms like RaidForums that broker these deals. It’s also why it’s so surprising that Coelho does not appear to have been honoring the terms his customers agreed to.

Stolen, stale and still for sale

In an affidavit in support of Coelho’s extradition, assistant U.S. attorney Carina Cuellar describes several sales that law enforcement officials initiated or observed on RaidForums. For instance, Cuellar reveals that a law enforcement officer in Virginia purchased thousands of user accounts belonging to a U.S. e-commerce company in October 2018, as well as more than 1 million stolen credit card numbers through the site in March 2019. No price is given for the first sale; for the second, law enforcement agents paid roughly $4,000, according to the indictment.

Cuellar also describes a sale made through RaidForums in August 2021, when a telecommunications company hired a third party to buy back customer data that had been stolen from it and posted for sale on RaidForums. The affidavit identifies the company only as a U.S. telecommunications company and wireless network operator, but cybersecurity journalist Brian Krebs points out that the timing of the sale alongside the August 2021 T-Mobile breach strongly suggests it was T-Mobile. Acting on behalf of the company, the third party paid roughly $200,000 worth of Bitcoin to purchase the stolen database through RaidForums, on the condition that Coelho’s copy of the database would then be destroyed, according to Cuellar’s affidavit. However, she continues, RaidForums “continued to attempt to sell the databases after the … purchase.”

That is exactly the kind of behavior that could cost a website like RaidForums its reputation and its customers. After all, no one wants to buy stolen credit card numbers that have already been sold to ten other people. In fact, in one RaidForums posting quoted in Cuellar’s affidavit, the seller describes the card numbers they are offering as “still fresh” and emphasizes that the information “hasn’t been resold anywhere.” Coelho’s behavior toward the telecom company’s buyer suggests that the norms of illegal online forums are looser and less stable than they once were. That may be due in part to growing pressure from law enforcement agents, and in part to growing disagreement among cybercriminals about everything from whether it’s ethical (insofar as cybercrime can be ethical) to target healthcare facilities in the midst of a pandemic to which side to take in the Russia-Ukraine war.

These divisions within the criminal community actually have the potential to help law enforcement by creating opportunities to turn cybercriminals against each other and by fragmenting their goals, operations, and online forums. We see that not just in the takedown of RaidForums but also in hackers supporting Russia and Ukraine facing off against each other. A divided cybercrime ecosystem is much more fragile than one in which criminals can devote all their energy and resources to attacking their victims and evading law enforcement rather than fighting with each other.