Raidforums Seized, Likely FBI
Raidforums Seized, Likely FBI #1
I typically avoid discussing other forums here, but wanted to issue a warning.

Visiting Raidforums leads to a phishing page, site is likely compromised by FBI (or other 3-letter). As shown in the tweet below, their domain is pointed to a previously seized Cloudflare NS. Any details you attempt to use on the site are being logged. The forum was known for having much looser rules than us, hosting and selling government/financial databases. A reminder that these things are not allowed here and we will have a much firmer policy moving forward.

[Image: fSEZXPs.png]


RE: Raidforums Seized, Likely FBI #2
I read it first on my darknet news app last month.
I had shared some valuable logs there for credits, but they have been breached and I lost all my credits. :(


RE: Raidforums Seized, Likely FBI #3
Given the nature of the content RF discussed and contributed, this was bound to happen sooner or later.

Don't think for a minute that the Feds aren't watching.
[Image: AD83g1A.png]


RE: Raidforums Seized, Likely FBI #4
(03-16-2022, 04:06 AM)mothered Wrote: Given the nature of the content RF discussed and contributed, this was bound to happen sooner or later.

Don't think for a minute that the Feds aren't watching.

Agreed. I would operate on any public forum under the assumption the feds are here. For all our members know, Oni, Mothered and I are all feds!

What an interesting place this would be if that were true haha.


RE: Raidforums Seized, Likely FBI #5
(03-16-2022, 08:56 AM)Boudica Wrote: For all our members know, Oni, Mothered and I are all feds!
Damn, we promised to keep It between ourselves.
[Image: AD83g1A.png]

[+] 2 users Like mothered's post

RE: Raidforums Seized, Likely FBI #6
I did some digging. There is an investigation into the Interwarp ISP leak that was posted about on RF. The CoomingProject Ransomware actor, I believe led to the leak in the first place, and some users began posting direct details of employees at the ISP. According to research and confirmed sources, this has been ongoing since on or before September 26, 2022. Interesting to note that on the days leading up to that date, there was an information exposure of the staff portal and resulted in the site being down for maintenance shortly after. The investigation has led to other domains where the leak was posted about, being seized as well. It has even led to the suspected turnover of the entity known as .@Omnipotent, a male from Europe according to the FBI. So it should be assumed that this Admin has been working with the FBI since at least late September, early October. The actual domain was last updated: February 25, 2022 so it should also be assumed this was the domain seizure date.

A user from Twitter posted the details of the domain name servers now in use for the domain raidforums [dot] com here, DNS used in other seizures.

https://pbs.twimg.com/media/FNjt4e_aIAIvI9v?format=png&name=900x900

So, it seems the FBI has set up both an internal honeypot and a whaling operation on the following IPs:

EC2 instance detected: 216[.]182.229.162
Code:
ip: "216[.]182.229.162"
city: "Ashburn"
region: "Virginia"
country: "US"
loc: "39.0437,-77.4875"
org: "AS14618 Amazon.com, Inc."
postal: "20147"
timezone: "America/New_York"
asn: Object
    asn: "AS14618"
    name: "Amazon.com, Inc."
    domain: "amazon.com"
    route: "216[.]182.224.0/21"
    type: "hosting"
company: Object
    name: "Amazon.com, Inc."
    domain: "amazon.com"
    type: "hosting"
privacy: Object
    vpn: false
    proxy: false
    tor: false
    relay: false
    hosting: true
    service: ""
abuse: Object
    address: "US, WA, Seattle, Amazon Web Services Elastic Compute Cloud, EC2, 410 Terry Avenue North, 98109-5210"
    country: "US"
    email: "abuse@amazonaws.com"
    name: "Amazon EC2 Abuse"
    network: "216[.]182.224.0/20"
    phone: "+1-206-266-4064"
domains: Object
    total: 0
    domains: Array

[*] Internal honeypot was detected using active IDS on: ip-10-0-0-14.ec2.internal

Nice one, FBI. :>

Using Amazon to phish for hackers is their only play here, it seems?
ed25519/0x21AB6B6A6CB2C337
C87D87466FD205945CF10A3821AB6B6A6CB2C337


RE: Raidforums Seized, Likely FBI #7
(03-16-2022, 09:50 AM)mothered Wrote:
(03-16-2022, 08:56 AM)Boudica Wrote: For all our members know, Oni, Mothered and I are all feds!
Damn, we promised to keep It between ourselves.

Guess our cover is blown.

(03-16-2022, 11:51 AM)vittring Wrote: I did some digging. There is an investigation into the Interwarp ISP leak that was posted about on RF. The CoomingProject Ransomware actor, I believe led to the leak in the first place, and some users began posting direct details of employees at the ISP. According to research and confirmed sources, this has been ongoing since on or before September 26, 2022. Interesting to note that on the days leading up to that date, there was an information exposure of the staff portal and resulted in the site being down for maintenance shortly after. The investigation has led to other domains where the leak was posted about, being seized as well. It has even led to the suspected turnover of the entity known as .@Omnipotent, a male from Europe according to the FBI. So it should be assumed that this Admin has been working with the FBI since at least late September, early October. The actual domain was last updated: February 25, 2022 so it should also be assumed this was the domain seizure date.

A user from Twitter posted the details of the domain name servers now in use for the domain raidforums [dot] com here, DNS used in other seizures.

https://pbs.twimg.com/media/FNjt4e_aIAIvI9v?format=png&name=900x900

So, it seems the FBI has set up both an internal honeypot and a whaling operation on the following IPs:

EC2 instance detected: 216[.]182.229.162
[snip]

[*]Internal honeypot was detected using active IDS on: ip-10-0-0-14.ec2.internal

Nice one, FBI. :>

Using Amazon to phish for hackers is their only play here, it seems?

This somewhat aligns with what I've heard. I was told by a relatively reliable source that Omnipotent disclosed his income and information about certain databases to an undercover/informant many months ago. Whether any of that's true or anyone believes me, is up to them. Overall I like to keep my hands clean, so we've always kept our distance from other forums of that nature. We also had some bizarre interactions with some of their members in the past, so it's not surprising.
[Image: fSEZXPs.png]

[+] 1 user Likes Dismas's post

RE: Raidforums Seized, Likely FBI #8
(03-16-2022, 11:59 AM)Dismas Wrote: We also had some bizarre interactions with some of their members in the past, so it's not surprising.

The details on some of those comments... sheeesh.

I can guarantee that this is part of a much larger sting operation because it is also known that the hacker behind the breach of the International Committee for the Red Cross (ICRC) was a data vendor on the site. "RaidForums advertised the sale of data from the Red Cross and Red Crescent Movement ... the email address used by an actor who offered to sell the stolen ICRC data also was used to register multiple domain names the FBI says are tied to a sprawling media influence operation originating from Iran."

I'll post more as I learn of it from my sources as well.
ed25519/0x21AB6B6A6CB2C337
C87D87466FD205945CF10A3821AB6B6A6CB2C337


RE: Raidforums Seized, Likely FBI #9
This is why shady business isn't allowed here, such as carding. I'm sure sinister.ly and Oni are on a watchlist somewhere, but still. You mess with the government, you get the long arm of the law up your ass.


RE: Raidforums Seized, Likely FBI #10
(03-18-2022, 05:41 PM)Drako Wrote: You mess with the government, you get the long arm of the law up your ass.
^ Totally nailed It.
[Image: AD83g1A.png]

[+] 1 user Likes mothered's post