On February 25, Raid Forums—a popular illicit online community notorious for its high-profile large-scale database leaks—was allegedly seized by an unknown identity. As of this publishing, it is not clear why Raid Forums was taken down, or who was responsible. No official government agency in any country has claimed responsibility for seizing the Raid Forums domain, nor has any cyber threat group; Raid had been operating, more or less continuously, since 2015.
Not enough information is available at this time to confirm what happened to Raid Forums. However, our intelligence related to Raid’s takedown paints a complicated yet meaningful picture of what may have occurred, and serves as a snapshot of the current state of affairs for threat actors and the illicit communities in which they operate. Although the permanency of Raid’s takedown is yet to be determined, its closure places it, at least temporarily, in the lineage of illicit communities that have ceased operations in recent memory.
Furthermore, the timeline of Raid’s takedown coincides with numerous aspects of the Ukraine-Russia war, which may provide clues as to why it was taken down, although Flashpoint cannot confirm this connection at this time. There are also a number of clues about Raid’s owner (who goes by the monikers “Omnipotent,” “Omni,” and “terminal”), in posts on the forum itself prior to its closing, and in other illicit communities thereafter, that together tell a compelling story.
Raiding Raid: A Timeline
On February 7, the Raid Forums website began throwing database errors, and users were unable to access the site until February 12. Immediately after the outage began, Raid users began speculating about whether Raid Forums had been compromised by authorities, as well as who was ultimately responsible for bringing Raid back online.
If government authorities seized the domain but were not able to also seize the servers hosting the actual forum, it is plausible that the cloned login portal (described below) was put up in an effort to harvest user credentials, in order to maximize their leverage over the domain and use it as an intelligence collection opportunity.
Prior to the alleged seizure, Omnipotent purportedly went on vacation between January 31 and February 7, the day the recent outage began, according to his Telegram bio. After the site came back up on February 12, Omnipotent did not comment on the outage, and the site’s owner was apparently not active on the site at any point up until the alleged seizure on February 25. It is not immediately clear whether another admin besides Omnipotent would have had the access necessary to fix the site. Furthermore, neither a Raid Forums admin nor a moderator provided an explanation for the outage.
Notable developments before and after Russia’s invasion of Ukraine
In the weeks before its apparent seizure, Raid Forums saw a growing amount of anti-Russian sentiment, along with anti-Russian offerings in the form of potentially exploitable data, both before and after Russia’s invasion of Ukraine on February 24.
January 19: An established Raid Forums actor, called “Kristina,” posted a thread containing a renewed download link for a data dump, alleged to contain documents, emails, and passwords of the Russian military.
February 3: An offering to sell a 2TB array of Russian databases reportedly containing Russian personal information including full names, dates of birth, passport numbers, and tax information was posted to Raid Forums.
February 15: A Raid Forums user posted a Russian database for sale allegedly containing 61 million Russian phone numbers.
February 24: On the day of the Russian invasion of Ukraine, Raid Forums took an open stance in the conflict when the admin “moot” announced that the site would be banning all users found to be connecting to the site from Russia.
February 25: Raid threat actor “Kozak888” leaked a database belonging to a Russian express delivery and logistics company, Flashpoint confirmed. Kozak888 claimed that the Russian company provides services for the Russian federal government and stated that the database leak was a consequence of Russia’s invasion of Ukraine. Kozak888 revealed that the database contained 800 million records including full names, email addresses, and phone numbers.
February 25: A user posted a thread requesting assistance in creating fake identification documents, allegedly in order to help a friend escape Ukraine and find refuge in neighboring Moldova.
February 25: A user posted a thread encouraging users to begin collecting attackable ranges of Russian IP addresses.
Given the growing animosity towards Russia on the site, plus Raid’s decision to block users coming to the site from Russian IP addresses, Flashpoint will continue to monitor the situation, including the potential role that the forum’s anti-Russian rhetoric and alleged offerings may have had in the forum’s takedown.
Cloning to harvest
Prior to the official announcement from the Raid Forums admin “Jaw” that the site had been seized on February 25, 2022, a clone of the Raid Forums login portal was put up in place of the homepage. It has remained up ever since. As of March 4 the cloned login portal was still active on raidforums[.]com.
Raid’s seizure was first reported in a post in the official Raid Forums Telegram channel by a Raid Forums admin known as “Jaw.” The channel was subsequently locked and has stayed dark ever since. (Image: Flashpoint)
However, when users enter their credentials into the portal, every user is shown the same error message informing them that they have been banned from the site. This is an indication that whichever entity is responsible for seizing the site is potentially harvesting credentials and logging visitor technical information such as IP addresses.
The Telegram post by Raid Forums admin “Jaw” also revealed that the backup domain for Raid Forums would be rf[.]to. However, as of this publishing, this domain is inactive, and it is unclear when, or if, the backup domain will be live.
During the site outage between February 7 and February 12, 2022, threat actors on the site’s official Telegram channel actively sought alternatives to Raid Forums; in response, the Russian-language hacking forums XSS and Exploit were recommended as alternatives.
On February 27, 2022, a thread was posted on XSS informing users of the alleged seizure of Raid Forums and warning XSS users with Raid Forums accounts to avoid attempting to log into the site, due to the likelihood that the site had been compromised. In the same thread, one user speculated whether XSS would become flooded with Raid Forums users.
Based on the recommendations in the official Raid Forums Telegram channel, Flashpoint assesses that a significant number of former Raid Forums users may migrate to Exploit or XSS. However, due to the anti-Russian sentiment felt by a large portion of Raid Forums users, these users may not be easily enticed to migrate to these Russian-language alternatives.
Although it is unclear when or if Raid Forums will come back online, the highly active Raid Forums threat actor “pompompurin” claimed on XSS on March 3, 2022, that they were in contact with Raid Forums admins who told them that the site should be coming back online in the near future. Pompompurin reiterated that all that is known at this time is that “someone” seized the domain; it is still unclear who that is, or whether they are affiliated with a government entity.