Justice Department seizes major cybercrime spot RaidForums

RaidForums boasted at one point of having close to 10 billion pieces of PII for sale, making it one of the biggest destinations for cybercriminals.
(Via Europol, April 12, 2022)

The Department of Justice seized popular online cybercriminal marketplace RaidForums, according to recently unsealed criminal charges against the website’s founder, Diogo Santos Coelho.

The takedown, which DOJ announced Tuesday, is the latest massive sweep by the U.S. government and international law enforcement partners of online marketplaces where hackers buy and sell data. RaidForums boasted at one point of having close to 10 billion pieces of personally identifiable information for sale, making it one of the biggest destinations for cybercriminals.

According to the affidavit filed by law enforcement, RaidForums operated from around 2016 through Feb. 22 of this year as a massive online marketplace for individuals to buy and sell hacked and stolen data, including sensitive personal and financial information from victims in the United States. Those sales included leaked data from 178 million Facebook users.

“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” said Assistant Attorney General Kenneth Polite Jr. of the Justice Department’s Criminal Division.


According to court documents, as a part of the investigation, law enforcement obtained a copy of the backend of RaidForums’ database, granting them a treasure trove of information on forum members including account registration information, user IP addresses and private messages with other members.

That information could be used to tie cybercriminals, who sometimes reuse the same handle, to accounts on other platforms, says Austin Warnick, a senior cyber intelligence analyst at FlashPoint. Warnick pointed out that many RaidForums users migrated to a new community called “Breach Forums” after it initially appeared the site was seized, and some used the same handle.

The court records confirm suspicions from researchers that the sudden shuttering of RaidForums in February was the work of law enforcement. At that time, no parties took responsibility for the shutdown.

But sometime after the FBI seizure and initial outage, according to the timeline in court documents, the RaidForums homepage was swapped with a clone that served up only an error message after users logged in and allowed access to no other data. An announcement from RaidForums admin “Jaws” warned users on February 25 in a Telegram group that they should change their passwords and delete any logs from the website. The replacement remained up until at least April 2 and now displays a warning from the FBI that it was seized.

Warnick couldn’t speculate on whether the login portal on the seized website was being used by law enforcement.


The takedown was the result of a joint law enforcement effort coordinated by Europol and involving the United States, the United Kingdom, Sweden, Portugal and Romania.

Coelho, 21, was arrested in the United Kingdom on Jan. 31 at the United States’ request and remains in custody pending extradition. The Portuguese national faces six counts in relation to his role in running the forum, including conspiracy, access device fraud and aggravated identity theft. Coelho profited from the forum by charging membership prices for users as well as acting as an intermediary between buyers, authorities said.

The RaidForums takedown is a part of an ongoing effort by international law enforcement to take out infrastructure cybercriminals use to make and launder profits. Last week German authorities took down another major online crime marketplace, the dark web market Hydra.

Updated 4/12/2022: With commentary from FlashPoint.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.