The U.S. Department of Justice (DOJ) has seized the website and user database for RaidForums, a cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums, 21-year-old Diogo Santos Coelho, of Portugal, with six criminal counts, including conspiracy, access device fraud and aggravated identity theft. Two accomplices have also been arrested.
Launched in 2015, RaidForums was considered one of the world’s biggest hacking forums with a community of over half a million users. This marketplace had made a name for itself by selling access to high-profile database leaks belonging to a number of US corporations across different industries. These contained information for millions of credit cards, bank account numbers and routing information, and the usernames and associated passwords needed to access online accounts. These datasets were obtained from data breaches and other exploits carried out in recent years.
Europol’s European Cybercrime Centre coordinated Operation TOURNIQUET, a complex law enforcement effort to support independent investigations of the United States, United Kingdom, Sweden, Portugal, and Romania. The operation was the culmination of a year of meticulous planning between the law enforcement authorities involved in preparation for the action, which enabled the investigators to define the different roles the targets played within this marketplace, i.e.: the administrator, the money launderers, the users in charge of stealing/uploading the data, and the buyers.
The following authorities took part in the RaidForums investigation:
- Sweden: Swedish Police Authority (Polisen)
- Romania: National Police (Poliţia Română)
- Portugal: Judicial Police (Polícia Judiciária)
- Germany: Federal Criminal Police Office (Bundeskriminalamt)
- United States: US Secret Service (USSS), Federal Bureau of Investigation (FBI), Internal Revenue Service Criminal Investigation (IRS-CI)
- United Kingdom: National Crime Agency (NCA)
- Europol: European Cybercrime Centre (EC3), Joint Cybercrime Action Taskforce (J-CAT)
Polish and Swiss law enforcement authorities, supported by Europol and Eurojust, have taken down ‘InfinityBlack’, a hacker group involved in distributing stolen user credentials, creating and distributing malware and hacking tools, and fraud. The hackers created online platforms to sell user login credentials known as ‘combos’. The group was organised into three teams:
- Developers created tools to test the quality of the stolen databases
- Testers analysed the suitability of authorisation data.
- Project managers then distributed subscriptions against cryptocurrency payments.
The hacker group’s main source of revenue came from stealing loyalty scheme login credentials and then selling them on to other, less technical, criminal gangs. These gangs would then exchange the loyalty points for expensive electronic devices.
The hackers created a sophisticated script to gain access to a large number of Swiss customer accounts. Although the losses are estimated at €50,000, the hackers had access to accounts with potential losses of more than €610,000. Fraudsters were spotted when using the stolen data in shops in Switzerland.
Effective Cross-Border Cooperation resulted in arrests
On 29th April 2020, the Polish National Police searched six locations in five Polish regions and arrested five individuals believed to be members of the hacker group. Police seized electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100,000. Two platforms with databases containing over 170 million entries were closed down by the police.
Between 30th April and 2nd May 2019, five arrests were made in the Swiss canton of Vaud. This was as a result of investigative measures taken by specialists from the Cyber Investigation Division (DEC) of the Vaud Cantonal Police. Once the criminal gang cashing out the loyalty points was identified in Switzerland, police exchanged criminal intelligence and uncovered links to members of the separate hacking group in Poland.
Europol enabled close cooperation between cyber units in Poland and Switzerland through the dedicated network of cyber liaison officers (J-CAT) hosted at Europol’s headquarters. Europol also supported the operation by facilitating information exchange and providing technical and analytical support. Eurojust facilitated the transmission of information between the Public Prosecutor’s Offices in Switzerland and Poland.