Raid Forums is down. Who is behind his apparent seizure?

On February 25, Raid Forums – a popular illicit online community known for large-scale database leaks – was allegedly seized by an unknown identity. At the time of this publication, it is unknown why Raid Forums was taken down, or who was responsible for it. No official government agency in any country has claimed responsibility for taking over the Raid Forums domain, nor has any cyber threat group; Raid had been running, more or less continuously, since 2015.

There is not enough information available at this time to confirm what happened to the Raid Forum. However, the intelligence-linked Raid takedown paints a complicated but meaningful picture of what may have happened and serves as a picture of the current situation for threat actors and the illicit communities in which they operate. While the permanence of Raid’s withdrawal remains to be determined, its closure temporarily places it in a line of illicit communities that have gone out of business in recent memory.

Additionally, the timeline of Raid’s takedown coincides with many aspects of the Ukraine-Russia War, which may provide clues to its takedown, though Flashpoint can’t confirm that connection at this time. There are also a number of clues to the owner of Raid – who goes by the nickname “Omnipotent”, “Omni”, or “terminal” – as well as in posts on the forum itself before the shutdown, as well as on d ‘other illicit communities thereafter, which tell a captivating story.

Raid Raid: A Timeline

On February 7, the Raid Forums website started generating database errors, and users were unable to access the site until February 12. Immediately after the outage began, Raid users began to wonder if Raid Forums was initially compromised by authorities, as well as who was ultimately responsible for bringing Raid back online.

If government authorities seized the domain and were unable to also seize the servers hosting the actual forum, it is plausible that the login portal clone was set up for the purpose of collecting the information of identification of users in order to maximize their leverage over the domain and use it as an intelligence gathering opportunity.

Initial cutand

Prior to the alleged seizure, Omnipotent reportedly went on vacation between January 31 and February 7, the day of the recent outage, according to his Telegram bio. After the site was backed up on February 12, Omnipotent had no comment on the outage. Additionally, the site owner was apparently not active on the site until the alleged February 25 seizure. It’s not immediately clear if another admin outside of Omnipotent would have had the access needed to fix the site. Additionally, neither a Raid Forum administrator nor a moderator provided an explanation for the outage.

Notable developments before and after Russia’s invasion of Ukraine

In the weeks leading up to its apparent seizure, Raid Forums saw a growing amount of anti-Russian sentiment and anti-Russian offerings in the form of potentially actionable data, before and after the Russian invasion of Ukraine in February. . 24.

  • January 19: An established Raid Forums actor called “Kristina” posted a thread containing a renewed download link for a data dump, believed to contain Russian military documents, emails and passwords .
  • February 3: An offer to sell a 2TB Russian database bundle containing Russian personal information, including full names, dates of birth, passport numbers and tax information, has been posted on the Raid forums.
  • February 15: A Raid Forums user has put up for sale a Russian database allegedly containing 61 million Russian phone numbers.
  • February 24: On the day of the Russian invasion of Ukraine, Raid Forums took an open stance in the dispute when admin “moot” announced that the site would ban all users connecting to the site from Russia.
  • February 25: Raid threat actor “Kozak888” has leaked a database belonging to a Russian express delivery and logistics company, Flashpoint has confirmed. Kozak888 claimed that the Russian company provides services to the Russian federal government and said the database leak was a consequence of Russia’s invasion of Ukraine. Kozak888 revealed that the database contains 800 million records, including full names, email addresses and phone numbers.
  • February 25: A user posted a thread asking for help creating fake identity documents, allegedly to help a friend flee Ukraine and find refuge in neighboring Moldova.
  • February 25: A user posted a thread encouraging users to start collecting attackable Russian IP ranges.

Given the growing animosity towards Russia on the site, as well as Raid’s decision to block users coming to the site from Russian IP addresses, Flashpoint will continue to monitor the situation, including the potential role that the forum’s anti-Russian rhetoric and alleged offers may have had. in the dismantling of the forum.

Clone to Harvest

Prior to the official announcement by Raid Forums administrator “Jaw” that the site had been seized on February 25, 2022, a clone of the Raid Forums login portal was set up in place of the homepage. It has remained in place ever since. As of March 4, the cloned login portal was still active on raidforums[.]com.

The seizure of Raid was first reported in a post on the official Raid Forums Telegram channel by a Raid Forum administrator known as “Jaw”. The channel was then locked down and has remained dark ever since. (Image: Flashpoint)

However, when users enter their credentials in the portal, an error message appears for all users informing them that they have been banned from the site. This indicates that the entity responsible for entering the site is potentially harvesting identifying information and recording technical information about visitors such as IP addresses.

In Raid Forums admin Telegram message “Jaw” it was also revealed that the backup domain for Raid Forums will be rf[.]However, as of this posting, this domain is inactive and it is unknown when or if the backup domain will come online.

Alternatives to Raids

In response to threat actors actively seeking alternatives to the Raid Forums on the site’s official Telegram channel during the site’s outage between February 7 and February 12, 2022, the XSS and Exploit Russian-language hacking forums were recommended as alternatives to Raid Forums.

On February 27, 2022, a thread was posted on XSS notifying users of the alleged Raid Forums seizure and warning XSS users with Raid Forums accounts to avoid attempting to log into the site due to the likelihood that the site is compromised. In the same thread, a user speculated whether or not XSS would be inundated with users from Raid Forums.

Based on recommendations from the official Raid Forums Telegram channel, Flashpoint estimates that a significant number of former Raid Forums users can migrate to Exploit or XSS. However, due to the anti-Russian sentiment felt by a large portion of Raid Forums users, these users may not be easily enticed to migrate to these Russian-language alternatives.

Although it is unclear when or if Raid Forums will come back online, the very active Raid Forums threat actor “pompompurin” claimed on XSS on March 3, 2022 that he was in contact with the administrators of Raid Forums who told them that the site should be back online in the near future. Pompompurin reiterated that all that is known at present is that “someone” has taken over the domain and it is still unclear who or whether or not it is affiliated with an entity. governmental.

Integrate Flashpoint with your team for threat intelligence

The quality of an organization’s security capabilities depends on its threat intelligence. Flashpoint’s suite of tools gives you a complete overview of your threat landscape and the ability to proactively address risks and protect your critical data assets. To unlock the power of excellent threat intelligence, sign up for a demo or start with free try.

The Raid Forums post is down. Who is behind his apparent seizure? appeared first on Flashpoint.

*** This is a syndicated blog from the Security Bloggers Network of Blog – Flashpoint written by Jonathan Zalman. Read the original post at:

Harry L. Blanchard