RaidForums: The World’s Largest Hacker Forum Has Been Shut Down, And The 21-year-old Founder Arrested

RaidForums – a hacker forum – used mainly for trading and selling stolen databases – has now been taken down by US law enforcement and permanently closed during Operation TOURNIQUET , conducted by Europol in collaboration with law enforcement agencies in several countries.

The administrator of RaidForum and two accomplices have been arrested by the police, the infrastructure of this illegal market is now under the control of the police agency.

Administrator founded RaidForums at the age of 14:

Diogo Santos Coelho – RaidForums Administrator and Founder – is a Portuguese (aka Omnipotent) who was arrested on January 31 in the United Kingdom, and is facing criminal charges. He is currently in custody and awaiting extradition proceedings. The US Department of Justice said that Coelho is 21 years old this year, which means he was 14 years old when he launched RaidForums in 2015.

Three RaidForums hosting domains were seized: “”, “” and “Raid.Lol”. This marketplace once for sale more than 10 billion unique records from hundreds of stolen databases affecting people living in the US. In a latest announcement, Europol said that RaidForums has more than 500,000 users and is ” regarded as one of the largest hacking forums in the world “.

“This market has made a name for itself by selling access to leaked premium databases of several US corporations in various fields. They contain information on millions of credit cards. username, bank account number, routing information, username and associated password needed to access the account online.”

The removal of the forum and its infrastructure was the result of a year of planning among relevant law enforcement agencies in the US, UK, Sweden, Portugal and Romania. It is not clear how long the investigation will last, but cooperation between law enforcement agencies has allowed authorities to paint a clear picture of the roles of different individuals within the RaidForums.

According to the agency’s share in a press release, the people who maintain RaidForums operations include administrators, money launderers, data stealers and uploaders, as well as buyers of stolen information.

Coelho allegedly controlled RaidForums since January 1, 2015. In the indictment, he ran the site with the help of several administrators, organizing its structure to promote purchases of stolen goods.

The founder of RaidForums when he was only 14 years old

The forum benefits by charging fees for different membership tiers, selling credits that allow members to access privileged areas of the site, or having stolen data posted to the forum. Coelho also acts as a trusted intermediary between the parties making the transaction, to provide confidence that the buyer and seller will honor their agreement.

Quickly became famous:

Before becoming a favorite place for hackers to sell stolen data, RaidForums had humble beginnings, being used to organize many forms of electronic harassment, such as raid targets and assault. The DoJ describes it as “posting or sending a large amount of contact to the victim’s online media.”

The site has grown in popularity over the past few years, frequently used by ransomware gangs and blackmailers to leak data as a way of forcing victims to pay ransoms. It has been used by the Babuk and Lapsus$ hacker groups to extort money in the past.

As of 2015 and for more than 7 years, this is the shortest route for hackers to sell stolen databases or share them with forum members. RaidForums also stands out as the most popular English speaking hacking forum.

The forum was put on a watch list earlier this year:

Security researchers suspect RaidForums was taken down by law enforcement in February, when the website started displaying login forms. However when trying to login to the site it just shows the login page again. This led researchers and forum members to believe that it was controlled by law enforcement and that the login prompt was just a “trick” by the police to collect login information. of threat actors.

On February 27, 2022, the DNS servers for were suddenly changed to other servers – DNS servers that had previously been used with other websites seized by law enforcement holds, including and, so the researchers believe this further supports the domain being seized.

Leave a Reply

Your email address will not be published. Required fields are marked *