Cybersecurity News that Matters

Reblackhat forum operator running scam campaign using RaidForums as bait

by Sojun Ryu, Sangseon Kim

Jun. 09, 2022
5:52 AM GMT+9

A user impersonating the operator of RaidForums, which was shut down in February of this year, has recently appeared with a scam campaign.

About RaidForums

RaidForums started in 2015 and ended in February of this year after seven years of operation. This forum was one of the largest forums where cybercriminals traded illegal data. Unlike other forums, RaidForums was not operated on the dark web, and because it was possible to sign up through an anonymous mail service, anyone could easily join the forum. Cybercriminals have been trading sensitive information, such as leaked databases and stolen credentials, on this forum. According to the Department of Justice (DoJ), the forum sold more than 10 billion databases of personal information from around the world.

RaidForums went down in February, but the site remained reachable for a few more weeks, displaying a login page. Login attempts did not actually grant access; the page is known to have been run secretly by the Federal Bureau of Investigation (FBI) to collect accounts.

Scammer – @tgomni

According to S2W’s analysis, a user named @tgomni posted a message on a Telegram channel on May 23 stating that the Rebuild RaidForums forum had started again. While the previous RaidForums pricing was 10 euros for VIP, 20 euros for MVP, and 50 euros for GOD, the pricing they demanded went up to $50 for regular membership, $250 for VIP membership, and $500 for VIP+GOD membership. The tiers are very similar to the past membership levels of RaidForums, but at a much higher price.

Source: S2W

“pompompurin,” the operator of the Breached forum, which is filling the void with the same user interface as RaidForums, posted on the forum that he would pay $100 worth of Bitcoin to anyone who trolls @tgomni, who is impersonating Omnipotent, the moderator of RaidForums. In addition, one user created a Telegram channel called “Omnipotent – tgomni scammer” to share details of the damage he suffered. According to a chat posted by this user, @tgomni blocked the user immediately after receiving payment.

@tgomni is an active account of a team that operates three hacking forums (reblackhat[.]com, owldarknet[.]com, and darknetworld[.]com), and the team also uses the account @bySeller. They have been active since at least March of this year, and it appears they’ve been trying to replace RaidForums with their new forum, presumably after the forum shut down. The team claims that it consists of 13 Chinese and Russian members and that its leader, Nathan Larson, has already been arrested by the FBI.

Source: S2W

Currently, they are active in various hacking forums and multiple Telegram channels related to forums and cryptocurrencies. However, their credibility is very questionable in that they conduct scam campaigns using RaidForums.
