
Cyber Incident Victim: RaidForums

Date: May 2023

Location: United States of America

Summary

A database containing the registration information of 478,000 members of the notorious RaidForums hacking community was leaked on a new forum called Exposed. The leaked data included usernames, email addresses, and hashed passwords, providing significant insight into the individuals who frequented the seized platform. This information is valuable for security researchers building profiles on threat actors and could potentially be used to link them to other malicious activities.


Description

The RaidForums hacking forum, a notorious online platform for hosting, leaking, and selling data stolen from breached organizations, had its infrastructure seized in an international law enforcement operation in April 2022. This operation resulted in the arrest of the site's administrator, known as 'Omnipotent,' along with two accomplices. Following the closure of RaidForums, its user base migrated to a new forum named 'Breached' to continue trading stolen databases. The Breached forum itself was shut down in March 2023 after its founder and owner, 'Pompompurin,' was arrested by the FBI, and the site's other administrator became concerned that law enforcement had potentially gained access to their servers.


In May 2023, a new hacking forum called 'Exposed' was launched to fill the void left by the closure of Breached, quickly gaining popularity within the cybercriminal community. On or around May 29, 2023, an administrator of the Exposed forum using the alias 'Impotent' leaked a database containing the registration information of RaidForums members. This action exposed a significant amount of data pertaining to the individuals who had frequented the now-defunct forum. The leaked data consisted of a single SQL file for the 'mybb_users' table, which was used by the RaidForums forum software to store user registration details.

The compromised database table contained the registration information for 478,870 RaidForums members. The exposed data included usernames, email addresses, hashed passwords, registration dates, and a variety of other information fields related to the forum software's user profiles. The data pertained to users who had registered on the forum between March 20, 2015, and September 24, 2020, which was likely the date when the database dump was originally created. The administrator Impotent stated that some RaidForums members had been removed from the leaked database, though the specific reasons for and timing of these removals were not disclosed. It was also noted that the origin of the database dump was unknown.

The legitimacy of the leaked data was confirmed through analysis. BleepingComputer verified that the information for numerous accounts matched known registration details, and members of the Exposed forum also confirmed that their personal information was present within the leaked MySQL table. While it was considered likely that law enforcement agencies already possessed this database as a result of the 2022 seizure, the public leak made the information widely available to other threat actors and security researchers.

The impact of this data exposure was significant due to the nature of the RaidForums community. The forum was a hub for threat actors who engaged in hacking websites and accessing exposed database servers to steal customer information. This stolen data was frequently sold to other criminals for use in phishing attacks, cryptocurrency scams, or malware distribution campaigns. When data was not sold or after some time had passed, it was often leaked for free on the forum to build the leaker's reputation within the community. The leak of the member database itself provided a wealth of information that could be exploited. Threat actors could potentially use the exposed email addresses and usernames for targeted attacks, credential stuffing, or social engineering against the individuals listed, many of whom were likely involved in cybercriminal activities themselves.

For security researchers, the data leak offered a unique opportunity to build profiles of known threat actors. By analyzing the registration information, researchers could potentially learn more about these individuals and link their forum identities to other malicious activities conducted elsewhere online. This intelligence gathering could aid in attributing past and future cyber incidents. The administrator Impotent later clarified that the RaidForums data dump was not originally intended for public release, but the decision was made to leak it on May 29th. While Impotent claimed to know the source of the data, they promised not to disclose any details about it. The admin also stated that the leaked member database table still contained 99% of the original data lines, with a small number of entries removed specifically to "cause no drama," though the criteria for these selective removals were not elaborated upon. The incident underscored the persistent and interconnected nature of cybercriminal ecosystems, where the closure of one major platform leads to the rapid emergence of another and where data from defunct sites can resurface to cause further exposure long after the original operation has ended.
