The Takedown of RaidForums By Law Enforcement Could Just Mean Cybercriminals Pivot to Privacy


With over 530K members, RaidForums is known as one of the go-to forums for cybercriminals. Cybercriminals from all over the world exchange information on attacks, leaked and stolen data, ransomware/malware, and services they can offer. They also have more general conversations, discussing law enforcement actions and even general politics.


This week, RaidForums was shut down. US, UK, and Swedish law enforcement agencies, in collaboration with many other organizations, took the popular website down. According to Krebs on Security, “the DOJ also charged the alleged administrator of RaidForums — 21-year-old Diogo Santos Coelho, of Portugal — with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.”


A notice on the RaidForums website on Tuesday said: "This domain has been seized" by the FBI, US Secret Service and Justice Department.


This takedown, combined with the recent takedown of the Hydra dark web marketplace, shows just how tightly law enforcement is cracking down on cybercriminal watering holes.


"The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information," said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department's Criminal Division.


While the takedown of RaidForums is publicly seen as a win for law enforcement and the fight against cybercrime, there’s no telling what this could mean long-term for how cybercriminals communicate and conduct business.


RaidForums is where Trustwave, a managed detection and response and threat intelligence provider, most notably found a massive US voter database of 186M records for sale to cybercriminals in the run-up to the 2020 US presidential election. Trustwave passed this information to the FBI; it was discovered at the same time the bureau issued a very public warning about nation-state actors from Iran and Russia sending spoofed emails to voters in the days before the election.


The question becomes: what’s next? Where will cybercriminals go? To another forum, or will they rally their communities on other platforms?


“With the heightened attention on these forums by law enforcement, we could see cybercriminals move to peer-to-peer communications or utilize private chats on encrypted messaging platforms more aggressively,” said Gary De Mercurio, VP, Global Practice Lead, Trustwave SpiderLabs.


“Hackers could spin up a forum replacement to RaidForums rather quickly. It would most likely be hosted in a geography that is more difficult for international law enforcement to take action in. There are plenty of countries with non-extradition treaties that don’t care about hacker activity – as long as the hackers don’t attack companies on their own soil.”


The takedown also presents an interesting dilemma for law enforcement. They’ve taken down a central hub of malicious information sharing, but a hub that was relatively easy to monitor and infiltrate. Having a pulse on platforms like RaidForums gave law enforcement and security researchers alike insights into new trends, attack techniques (and defenses), data breaches, and general thought patterns of cybercriminals. Without central hubs like RaidForums, insights could prove harder to extract long-term – especially if cybercriminals move to smaller, more vetted groups that use encrypted communications to have conversations more privately.


“We should expect cybercriminals to become much more cautious about where they are sharing information and having conversations,” said Ziv Mador, VP of Security Research at Trustwave SpiderLabs.


“Long-term, this could potentially hinder the ability to monitor cybercriminal activity by law enforcement and security researchers.”


###