Cyber Threat Actor: Raidforums
| Actor Type | Location | Known Incidents |
Criminal
|
Portugal
|
1 incident |
|---|
Profile
Raidforums is a knownalias used by a threat actor group that operates from Portugal. The group maintains an online forum that shares hacking tutorials, tools, combolists and marketplace content similar to other underground communities. It has been linked to the public release of large datasets obtained from compromised systems. The actor’s presence on the forum platform allows it to distribute stolen data and communicate with peers.
In July 2019 the group was associated with a breach of a hospitality company that exposed personal information of over ten million former guests, including names, contact details and birth dates. The compromised data did not contain financial information and was later reposted on public hacking forums. The organization involved confirmed the incident, notified affected individuals and engaged external investigators to assess the impact. No further details about the actor’s objectives in this incident are provided in the source material. A separate operation attributed to Raidforums occurred in August 2019 when the group breached the rival hacking forum Cracked.to. The attackers exploited a vulnerability in the myBB forum software to obtain a database containing 321 000 member records. The dump included 749 161 unique email addresses, IP addresses, usernames, private messages and bcrypt‑hashed passwords with a work factor of 12. The leaked data was published on Raidforums.com and highlighted the reuse of credentials and the exposure of private communications.
Regarding tactics, the actor’s known initial access vector relies on exploiting weaknesses in web‑application software, as demonstrated by the myBB exploit used against Cracked.to. No specific malware families or custom tooling are mentioned in the available reports. The actor’s tooling style appears to focus on acquiring and disseminating stolen data rather than deploying persistent malware.
Attribution to a state sponsor or a recognized criminal consortium has not been established in the public sources consulted. The group’s activities are primarily documented through its own forum and the publication of breached databases. Consequently, any affiliation beyond the self‑identified Raidforums persona remains undetermined.
