RaidForums (RF) needs no introduction: it was the leading and most popular hacking forum residing on the surface web. This online community of opportunistic cybercriminals, notorious for leaking everything from valuable database dumps, credentials and credit card information to the latest vulnerabilities and exploits, abruptly came to a close. Whether it was a seizure by a law enforcement agency or a compromise by a competing threat actor group, no one has come forward to claim responsibility, and little information has come to light about its abrupt disruption. Even the question of whether the takedown of RF is permanent remains unanswered. As a result, defenders, and most importantly the intelligence community, can only speculate based on the events that took place during its disruption. Without dwelling too much on "who" was responsible, as intel analysts we are more interested in understanding "where" RF users have migrated to carry out their illicit activities.
While there are some obvious choices for threat actors who used to operate through RF, our intelligence has revealed that new ones have also emerged, looking to seize the opportunity and become the RF alternative.
XSS & Exploit: Both of these Russian-speaking forums have garnered a reputation and popularity on the dark web similar to what RF enjoyed on the surface web. While RF can arguably be considered a less technically skilled community than XSS and Exploit, we see these two forums as the best fit for RF users to migrate to. Soon after the closure of RF, conversations began to brew about these forums being flooded with RF users, especially on XSS. This makes for an interesting turn of events, as both forums are primarily home to Russian users, while RF members, before the forum went down, had been engaged in multiple anti-Russian activities.
Telegram: Over the past couple of years, Telegram has emerged as the go-to place for cybercriminals looking to buy/sell stolen data and engage in related conversations. While the platform does not provide forum-like features, its popularity among cybercriminals has exploded in recent times. This can be attributed to factors such as perceived privacy, a low barrier to entry compared with deep and dark web (DDW) forums, no need to register, host or maintain a domain, and support for automation (bots). Given Telegram's poor track record of tackling the illicit activity that takes place on its platform, it becomes an easy alternative for RF users.
The likes of Nulled, Cracked, Eternia, Eleaks, and others: These forums can be considered the most similar to RF in terms of technical skill set and the style in which they operate. Users who were active on RF most likely already have an account on these forums, even if they are not active there. Reportedly, an increased number of posts has been observed on some of these forums since RF went down.
DarkNetWorld: With the tagline "We love illegal", the forum DarkNetWorld came into existence soon after the RF incident took place. For defenders, the forum looked like a promising replacement for RF, as one of its admins used the pseudonym "Omnipotent", also used by the RF founder. Possibly suspecting action from law enforcement for being affiliated with RF, DarkNetWorld was quick to clarify that it had no relation to RF. While the people behind this forum have succeeded in getting attention in the absence of RF, most consider it to be just an exit scam. Most recently, suspecting an FBI investigation, the operators of the forum hosted a copy of the FBI's seizure page; their motive in doing so remains unclear.
Breached: Also known as "BreachForums", Breached is visually a replica of RF and is run by a former RF member who goes by the pseudonym "pompompurin". The forum is a straightforward alternative to RF but, its makers claim, is not affiliated with RF in any way. The forum appears to have come into existence around mid-March, although its domain had been registered for quite some time. The admin "pompompurin" also states that, should RF return in an official capacity, the domain will redirect to RF. As an initial observation, we do not see Breached as a replacement for RF, nor does it aim to be one. It appears that "pompompurin" has repurposed one of his old domains to create a temporary community for those who, like him, were loyal to RF. At the time of our observation, Breached is close to 1,800 members strong, and we have started to see RF-like activity.
During our analysis, it was found that the seizure page for DarkNetWorld was fake. Also, on its Telegram channel, DarkNetWorld has stated that its new page is now redblackhat.com, which, when checked by CYFIRMA's threat intelligence team, looks exactly like darknetworld.com. At this point, it is worth mentioning that the forum's reputation has taken a significant hit.
Lastly, we would like to highlight the possibility that the RaidForums page, both as it was and as it is now, could be a phishing page.