After RaidForums’ Demise, Breached Forum Seizes Leaks Mantle
New Forum Boasts More Stolen Records for Sale, Nearly as Many Users as Predecessor
Mathew J. Schwartz (euroinfosec) • September 12, 2022
Former RaidForums seller LeakBase is now offering 50 stolen databases for sale on Breached. (Source: Kela)
The FBI seizure of cybercrime forum RaidForums earlier this year hasn’t stopped black hats from finding a new place to connect online following the emergence of a new alternative: Breached.
The rapid rise of Breached – also known as BreachForums – shows there remains a strong demand for sites that facilitate the buying and selling of stolen data. “Breached is not only the successor of RaidForums, but in a very short time frame has become a promising data leak marketplace,” says Yael Kishon, a threat intelligence analyst at Israeli threat intelligence firm Kela. The forum’s popularity is bolstered by users of now-defunct RaidForums and also a large repository of stolen data, he says.
Some of the heavy hitters of RaidForums have already set up shop at Breached, helping boost its profile. The new forum also has a knack for hosting splashy data sets, including a listing asserting it contains the personal details of 1 billion residents of China gathered by Shanghai National Police. The data set was advertised on the forum in July by “ChinaDan” for 10 bitcoins – then worth about $200,000.
RaidForums, disrupted in February by law enforcement, was a haven for financially motivated cybercriminals. Forums help criminals monetize data theft, enabling them to sell stolen payment card details or initial access to hacked corporate networks and more. Buyers use the data to commit identity theft, run phishing campaigns or engage in credential stuffing and more quickly execute ransomware attacks and other types of crime.
The forum went offline after a yearlong law enforcement investigation dubbed Operation Tourniquet. Law enforcement arrested its alleged founder, Diogo Santos Coelho, in the United Kingdom on Jan. 31. The Portuguese national, 22, faces a six-count U.S. indictment that includes fraud and identity theft charges. He’s been accused of founding RaidForums in 2015 and working as one of its main administrators via the handle “Omnipotent.” Coelho is fighting extradition to the U.S. in British courts.
Springtime for Breached
After RaidForums shuttered, experts wondered if users might move to XSS or Exploit – two Russian-language forums that remain the world’s biggest online havens for cybercriminals. Russia’s invasion of Ukraine appears to have made those sites unpalatable to many.
“Due to the anti-Russian sentiment felt by a large portion of RaidForums users, these users may not be easily enticed to migrate to these Russian-language alternatives,” threat intelligence firm Flashpoint predicted after RaidForums’ demise.
Their loss is Breached’s gain. Researchers say the new forum was launched in March by “pompompurin,” who had been a very active member of RaidForums.
Pompompurin “has quickly elevated this platform into one of the next go-to hot spots on the English-language cybercriminal scene,” the Photon research team at Digital Shadows reports. “Following the takedown of its older sibling, the forum has grown increasingly in popularity owing to its member base – 41,500 members, an almost 35,000 rise since April – and their selling of media-attention-seeking data sets.”
Breached also appears to allow ransomware groups to advertise for affiliates, targets and initial access to victim networks, without restrictions. Kela reports that the Chaos ransomware builder has been advertised on the forum, as have new ransomware-as-a-service offerings SolidBit and Garyk.
That stands in apparent contrast to Exploit and XSS, which in May 2021 claimed to ban ransomware discussions, seemingly to make their forums less of a target for disruption by Western authorities. But aside from some careful wording by users – saying they’re looking for “pen testers,” for example, rather than advertising the recruitment of advanced hackers for a ransomware crew – the bans never amounted to much, says Roman Faithfull, a cyberthreat intelligence analyst at Digital Shadows.
Don’t Break the Mold
By all measures, Breached is thriving. As of June, the forum claimed to have 10.9 billion records for sale, surpassing the 10.8 billion records ultimately hosted by RaidForums. Breached, after being in operation for just a handful of months, has amassed a user base just 10% smaller than RaidForums, Digital Shadows reports.
One secret of its success is that Breached doesn’t try to reinvent the wheel. The look of the site echoes RaidForums, as does its organization. Many of the individuals or groups who listed stolen sets of data on RaidForums have since relisted them for sale on Breached, Kela’s Kishon says.
Initially, users could only access such data by posting other stolen data, to build up credit. But Kishon says that on March 29, following in RaidForums’ footsteps, Pompompurin introduced the ability to purchase credits.
Users of RaidForums apparently feel comfortable with the new offering. “Breached includes the types of content that appeared on RaidForums under the same categories, including cracking, leaks, marketplace, tutorials and tech,” Kishon says. He notes that “the most popular subcategory on Breached is databases, which consists of dumps, in which credentials from various breaches are shared.”
The rapid rise of Breached demonstrates a perennial challenge with disrupting this part of the cybercrime economy: the apparent ease with which new data leak sites can be launched. Coelho, for example, is accused of standing up RaidForums when he was just 14 years old.
Even as current players age out or get arrested, it won’t be long before a new generation is ready to make its mark. The cybercrime-as-a-service circle of life continues.