Category Archives: News

Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach


Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being “USDoD,” a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI’s InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led to the leak of Social Security numbers and other personal information for a significant portion of the U.S. population.

USDoD’s InfraGard sales thread on Breached.

The Brazilian news outlet TV Globo first reported the news of USDoD’s arrest, saying the Federal Police arrested a 33-year-old man from Belo Horizonte. According to TV Globo, USDoD is wanted domestically in connection with the theft of data on Brazilian Federal Police officers.

USDoD was also known to use the hacker handles “Equation Corp” and “NetSec.” According to the cyber intelligence platform Intel 471, NetSec posted a thread on the now-defunct cybercrime community RaidForums on Feb. 22, 2022, offering the email addresses and passwords of 659 members of the Brazilian Federal Police.

TV Globo didn’t name the man arrested, but the Portuguese tech news outlet Tecmundo published a report in August 2024 that named USDoD as 33-year-old Luan BG from Minas Gerais, Brazil. Tecmundo said it learned the hacker’s real identity after being given a draft of a detailed, non-public report produced by the security firm CrowdStrike.

CrowdStrike did not respond to a request for comment. But a week after Tecmundo’s piece, the tech news publication hackread.com published a story in which USDoD reportedly admitted that CrowdStrike had identified him correctly. Hackread said USDoD shared a statement, which was partially addressed to CrowdStrike:

A recent statement by USDoD, after he was successfully doxed by CrowdStrike and other security firms. Image: Hackread.com.

In August 2024, a cybercriminal began selling Social Security numbers and other personal information stolen from National Public Data, a private data broker in Florida that collected and sold SSNs and contact data for a significant slice of the American population.

Additional reporting revealed National Public Data had inadvertently published its own passwords on the Internet. The company is now the target of multiple class-action lawsuits, and recently declared bankruptcy. In an interview with KrebsOnSecurity, USDoD acknowledged stealing the NPD data earlier this year, but claimed he was not involved in leaking or selling it.

In December 2022, KrebsOnSecurity broke the news that USDoD had social-engineered his way into the FBI’s InfraGard program, an FBI initiative designed to build informal information sharing partnerships with vetted professionals in the private sector concerning cyber and physical threats to critical U.S. national infrastructure.

USDoD applied for InfraGard membership using the identity of the CEO of a major U.S. financial company. Even though USDoD listed the real mobile phone number of the CEO, the FBI apparently never reached the CEO to validate his application, because the request was granted just a few weeks later. After that, USDoD said he used a simple program to collect all of the contact information shared by more than 80,000 InfraGard members.
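The InfraGard scraping described above was done from an approved account, so source-IP reputation and rules aimed at unauthenticated traffic would not have caught it; what stands out is a single account reading far more distinct member records than any human would. The following is an added example, not code from the article or from InfraGard, that flags that pattern over constructed access-log lines. The log format (RFC 3339 time, account, client IP, path, status) and the `/api/members/<id>` path are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Added example, not from the original article. The log format is an
// assumption for illustration: one request per line,
//   <RFC3339 time> <account> <client-ip> <path> <status>
// where a member profile read is GET /api/members/<id>.

type hit struct {
	at   time.Time
	acct string
	obj  string // member id that was read
}

// parseLine extracts a successful member-profile read; other requests and
// malformed lines return ok=false and are ignored by the detector.
func parseLine(line string) (hit, bool) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return hit{}, false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return hit{}, false
	}
	const prefix = "/api/members/"
	if !strings.HasPrefix(f[3], prefix) || f[4] != "200" {
		return hit{}, false
	}
	id := strings.TrimPrefix(f[3], prefix)
	if id == "" {
		return hit{}, false
	}
	return hit{at: at, acct: f[1], obj: id}, true
}

// peakDistinct is the largest number of distinct objects one account read
// inside any sliding window of the given length.
func peakDistinct(hits []hit, window time.Duration) int {
	peak := 0
	for i := range hits {
		seen := map[string]struct{}{}
		for j := i; j < len(hits) && hits[j].at.Sub(hits[i].at) <= window; j++ {
			seen[hits[j].obj] = struct{}{}
		}
		if len(seen) > peak {
			peak = len(seen)
		}
	}
	return peak
}

// Enumerators returns, sorted, the accounts that read more than maxDistinct
// distinct member records inside any window of the given length. It keys on
// the authenticated account rather than the client IP, because a member
// directory is scraped by someone who is already allowed in.
func Enumerators(logText string, window time.Duration, maxDistinct int) []string {
	byAcct := map[string][]hit{}
	for _, line := range strings.Split(logText, "\n") {
		if h, ok := parseLine(line); ok {
			byAcct[h.acct] = append(byAcct[h.acct], h)
		}
	}
	var flagged []string
	for acct, hits := range byAcct {
		sort.Slice(hits, func(i, j int) bool { return hits[i].at.Before(hits[j].at) })
		if peakDistinct(hits, window) > maxDistinct {
			flagged = append(flagged, acct)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// SampleLog builds constructed log lines (not real data): an analyst who
// looks up three contacts over a morning, an account that walks member IDs
// 1..60 one per second, and a malformed line to show it is skipped.
func SampleLog() string {
	base := time.Date(2022, 11, 20, 9, 0, 0, 0, time.UTC)
	var b strings.Builder
	for i, id := range []string{"10441", "10442", "10777"} {
		t := base.Add(time.Duration(i*20) * time.Minute)
		fmt.Fprintf(&b, "%s analyst1 198.51.100.7 /api/members/%s 200\n", t.Format(time.RFC3339), id)
	}
	for i := 1; i <= 60; i++ {
		t := base.Add(time.Duration(i) * time.Second)
		fmt.Fprintf(&b, "%s newmember 203.0.113.9 /api/members/%d 200\n", t.Format(time.RFC3339), i)
	}
	b.WriteString("garbage line that does not parse\n")
	return b.String()
}

func main() {
	// Flag any account that reads more than 25 distinct profiles in 5 minutes.
	fmt.Println(Enumerators(SampleLog(), 5*time.Minute, 25))
}
```

The threshold is the part that needs tuning against real usage: set it from the distribution of distinct reads per account per window on a normal day, not from a guess, and alert on the account rather than blocking the IP, since the next scrape will simply come from a different address on the same approved login.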

The FBI declined to comment on reports about USDoD’s arrest.

In a lengthy September 2023 interview with databreaches.net, USDoD told the publication he was a man in his mid-30s who was born in South America and who holds dual citizenship in Brazil and Portugal. Toward the end of that interview, USDoD said he was planning to launch a platform for acquiring military intelligence from the United States.

Databreaches.net told KrebsOnSecurity USDoD has been a regular correspondent since that 2023 interview, and that after being doxed USDoD made inquiries with a local attorney to learn if there were any open investigations or charges against him.

“From what the lawyer found out from the federal police, they had no open cases or charges against him at that time,” Databreaches.net said. “From his writing to me and the conversations we had, my sense is he had absolutely no idea he was in imminent danger of being arrested.”

When KrebsOnSecurity last communicated with USDoD via Telegram on Aug. 15, 2024, he claimed he was “planning to retire and move on from this,” referring to multiple media reports that blamed USDoD for leaking nearly three billion consumer records from National Public Data.

Less than four days later, however, USDoD was back on his normal haunt at BreachForums, posting custom exploit code he claimed to have written to attack recently patched vulnerabilities in a popular theme made for WordPress websites.


Recapping Raid Forums: The Place Where Data Was Sold to the Highest Bidder


The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.

From stolen personal data to entire corporate databases, Raid Forums was a digital black market where the most valuable commodities weren’t physical goods but sensitive information.

What began as a hub for online trolls quickly spiraled into a bustling marketplace where hackers auctioned off data to the highest bidder. The platform evolved into a haven for cybercriminals, with notorious figures turning stolen information into profit.

But as law enforcement closed in, rookie OpSec mistakes brought this empire of deceit and data theft down.

Let’s take a closer look at how Raid Forums became one of the internet’s most infamous data-selling platforms, how it operated, and how it fell.

Origins of Raid Forums: From Trolling to More Sinister Acts

Raid Forums began in 2015 as a notorious hub for trolling and harassment, where other disruptive activities like “swatting” and DDoS attacks were also discussed and orchestrated. At the time, though, its members were considered nothing more than a gaggle of terminally online script kiddies.

At the center was its founder, Diogo Santos Coelho, or “Omnipotent,” a 14-year-old Portuguese national with a propensity for cybercrime. Frost and Pompompurin were two other notable admins.

Initially, users came to him and the rest of the community to organize mass spam attacks, the “raids” that gave the forum its name.

The shenanigans soon evolved. Users orchestrated fake police reports, escalating the site’s activity from online pranks to real-world disruption, alongside online harassment campaigns and smear attacks. There was one major problem, however: these activities weren’t as profitable as Coelho and his partners in crime had hoped.

Shifting Goals: Transition to a Marketplace for Stolen Data

As the forum’s audience expanded, its admin team figured it was time to pivot. Thus, Raid Forums gradually transformed into a marketplace for selling stolen information, from SSNs to corporate financial records, harvested from major data breaches.

This turned out to be a major boon for the site, as some of the world’s biggest freelance black hats saw Raid Forums as a suitable place to cash in on their digital loot.

At the same time, Raid developed its own team of data thieves and malware developers, and its activity grew more deliberate and more damaging.

Whether it was extracting invoice data from corporate emails to dig deeper into potential targets or compromising the FBI’s internal email system, the forum’s activities evolved from simple financial gain to more sophisticated and far-reaching criminal operations.

How Raid Forums Worked: The Inner Workings of a Clandestine Marketplace

As Omnipotent and other members of the site’s leadership crew also engaged in data theft themselves, they saw the site as an opportunity to earn extra funds. The site’s revenue came from three streams:

Auction fees. Registered users could upload their databases and Raid Forums would take a percentage of each sale as a mediation fee.
Direct sale mediation. Oftentimes, hackers and data brokers had an interested buyer for their data but didn’t trust them. Omnipotent or another admin would then serve as escrow, confirming to both sides that the data and the payment (usually Monero) were genuine before either was released.
Memberships. While the admins’ goal was to attract more people, more users meant more scams, fake bids and other issues. As a result, they instituted a series of membership packages, with the God Tier providing access to the most valuable databases, secret auctions and private bids.

This turned out to be a sustainable operational model, with users able to vet individual sellers and databases through reviews. Reputation was king: admins signed all their messages with PGP so that readers could check that a post really came from the holder of the admin’s key, which both established legitimacy and reduced suspicion that an admin account had been taken over by a law-enforcement mole.
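What that signing actually buys is continuity: a reader pins the key a handle used on first contact, and any later post that does not verify under the pinned key is treated as not from that handle, however plausible it reads. The example below is added here and is not code from the post or from Raid Forums; it uses Ed25519 from the Go standard library as a stand-in for PGP, since the check itself is the same, and the handle, the message texts and the trust-on-first-use pin store are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Added example, not from the original post. Ed25519 stands in for PGP;
// the continuity check (verify a post against the key pinned for its
// claimed handle) is the same idea the forum's users relied on.

// Pinned holds the public key a reader pinned for each handle on first
// contact (trust on first use). Nothing here proves who the pinned key
// belonged to at that moment; it only lets later posts be compared to it.
type Pinned map[string]ed25519.PublicKey

// Post is a signed forum message: the handle it claims, the body, and a
// signature over the body.
type Post struct {
	Handle string
	Body   []byte
	Sig    []byte
}

// Sign produces a post for handle signed with priv.
func Sign(handle string, priv ed25519.PrivateKey, body string) Post {
	b := []byte(body)
	return Post{Handle: handle, Body: b, Sig: ed25519.Sign(priv, b)}
}

// Verify reports whether post was signed by the key pinned for its claimed
// handle. A fresh key presenting as a known handle fails here even though
// its own signature is internally consistent; an unknown handle also fails,
// because there is nothing to check continuity against.
func (p Pinned) Verify(post Post) bool {
	pub, ok := p[post.Handle]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, post.Body, post.Sig)
}

// Demo pins an admin key, then checks a genuine post, an impostor's post
// under a new key, and a genuine post whose body was altered after signing.
func Demo() (genuine, impostor, tampered bool) {
	adminPub, adminPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pins := Pinned{"Omnipotent": adminPub} // constructed pin for the example

	genuine = pins.Verify(Sign("Omnipotent", adminPriv, "Escrow for listing #42 is open."))

	// Same handle, different key: signature is valid for the rogue key but
	// does not match the pin, so the post is rejected.
	impostor = pins.Verify(Sign("Omnipotent", roguePriv, "Send payment to this new address."))

	// Genuine signature, body edited afterwards (e.g. a relayed copy).
	t := Sign("Omnipotent", adminPriv, "Escrow for listing #42 is open.")
	t.Body = []byte("Escrow for listing #43 is open.")
	tampered = pins.Verify(t)
	return
}

func main() {
	g, i, t := Demo()
	fmt.Printf("genuine=%v impostor=%v tampered=%v\n", g, i, t)
}
```

The caveat a practitioner would add is the one the forum’s users got wrong: a valid signature proves possession of the private key, nothing more. If the key is on a seized server, or its owner has been arrested and is cooperating, every post still verifies perfectly. Continuity detects an impostor who lacks the key; it says nothing about who is behind the key now.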

What Type of Data Could You Find on Raid Forums

One of the things that set Raid Forums apart was the number of different types of data for sale, a logical result of the site being the epicenter for all such transactions. What caught the public’s attention the most, however, were:

Personal Identifiers

SSNs, DOBs, and home addresses often leak together with names and profile information, especially when a social network or forum suffers a data breach. Hackers often used Raid Forums to sell these stolen databases to scammers, who would attempt to commit identity theft and do everything from buying luxury goods to taking out loans, all in someone else’s name.

Financial Data

While personal identifiers are great for synthetic identity theft (for criminals, that is), stealing financial data is more attractive to smaller-time criminals.

Therefore, you would often see Raid Forums listings for hundreds of thousands of stolen credit cards. Oftentimes, it was like a lottery, with some cards being blocked and some having no limit whatsoever.

There were also instances of complete payment histories and information being leaked, which also helped scammers target people with other types of fraud. But, as always, corporate financial data used to fetch the highest prices.

Corporate and Private Records

Beyond financial records and company bank accounts, corporate systems also hold a treasure trove of other data. It doesn’t have to be R&D documents, proprietary IP or trade secrets—even something as inconspicuous as employee records could be invaluable to criminals.

What if someone found out that the janitor is often late, has drinking problems and recently got divorced? That sounds like an easy blackmail target to look the other way when necessary…

High-Profile Breaches that Raid Forums Facilitated

Chances are, if there was a significant data breach in the late 2010s or early 2020s, Raid Forums’ hands were all over it.

One notable example was the sale of records from the 2021 T-Mobile breach, which exposed the personal details of tens of millions of customers. This is just the tip of the iceberg, however, as Raid was the auction place of choice during the breaches of:

●      LinkedIn (2021): This incident involved the scraping of data from 700 million LinkedIn users. The dataset included personal details such as full names, email addresses, phone numbers, job positions, workplace information, and other profile-related data. The hacker responsible listed the data for sale on RaidForums, providing a sample of 1 million records as proof.

●      Facebook (2019): The breach affected 533 million Facebook users across 106 countries. The exposed data included phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses. This data was obtained through a vulnerability that was later patched by Facebook in 2019. Despite being an older dataset, it still posed significant risks for phishing and identity theft.

●      Astoria Company (2021): A marketing and lead generation firm, Astoria Company, suffered a data breach that exposed over 10 million records. The leaked data included names, addresses, phone numbers, email addresses, and credit scores. The dataset was sold on RaidForums, making it a valuable resource for identity thieves and fraudsters.

●      Brazilian Government (2021): A massive data breach affected 243 million Brazilian citizens, including deceased individuals. The leaked information included full names, tax identification numbers, dates of birth, and other sensitive data.

What was particularly harrowing about these breaches was the realization that people’s security could be compromised by the very entities entrusted with their data, no matter how careful they were themselves.

Even if customers use every protection available to them, from strong authentication to changing their passwords regularly, a business or government agency can make critical mistakes, and now that everything is so interconnected, its lapses expose them to risks beyond their control.

How Raid Forums Admins Became the Architects of their Own Arrests

The downfall of Raid Forums can largely be traced back to two main reasons—the site simply got too big and critical OpSec mistakes were made by Omnipotent.

Popularity-wise, the site was becoming too successful for its own good. This gave law enforcement and intelligence agencies from dozens of countries a strong reason to put an end to Raid for good.

However, it turned out that the site’s creator ended up being its unmaker, too. Although Omnipotent was known for using private emails, VPNs and signing everything with his PGP key, he wasn’t, well—omnipotent.

He made the cardinal error of trying to enter the United States illegally in 2018, which allowed the FBI access to data about his illegal activities. To make things even worse, Omnipotent used the same email he used to register the Raid Forums domain to contact the FBI about getting his devices back!

Not to mention, Coelho also used his personal device to run the official Raid Forums Telegram channel. With all of this, the April 2022 takedown of Raid was but a formality and its former head admin and founder is facing extradition to the US, along with a potential 52-year sentence if extradited.

Conclusion

The fall of Raid Forums wasn’t the leviathan being bested. It was more like a single smack in a never-ending game of Whack-a-Mole, as shown by Breach Forums, which quickly rose to take its place, and whose head admin Pompompurin, himself a former Raid Forums admin, was also arrested.

The message is clear: this fight is an ongoing one, and only constant vigilance and timely regulation can level the playing field. Your data will always be for sale; the point is to make getting it prohibitively difficult and expensive for any attacker, be it a freelancer or a forum.


A glimmer of good news on the ransomware front, as encryption rates plummet


No one would be bold enough to say that the ransomware problem is receding, but a newly published report by Microsoft does deliver a sliver of encouraging news amid the gloom.

And boy do we need some good news – amid reports that 389 US-based healthcare institutions were hit by ransomware last year – more than one every single day.

Read more in my article on the Tripwire State of Security blog.
