Reblackhat forum operator running scam campaign using RaidForums as bait

By Sojun Ryu, The Readable
June 9, 2022 2:52PM KST

A user impersonating the operator of RaidForums, which was shut down in February of this year, has recently appeared with a scam campaign.

About RaidForums

RaidForums started in 2015 and ended in February of this year after seven years of operation. It was one of the largest forums where cybercriminals traded illegal data. Unlike other forums, RaidForums was not operated on the dark web, and because it was possible to sign up through an anonymous mail service, anyone could easily join. Cybercriminals traded sensitive information, such as leaked databases and stolen credentials, on this forum. According to the Department of Justice (DoJ), the forum sold more than 10 billion databases of personal information from around the world.

RaidForums went down in February, but the site could still be accessed for a few more weeks and displayed a login page. Attempts to log in did not actually establish access; the page is known to have been run secretly by the Federal Bureau of Investigation (FBI) to collect accounts.

Scammer - @tgomni

According to S2W's analysis, a user named @tgomni posted a message on a Telegram channel on May 23 stating that the Rebuild RaidForums forum had started again. While the previous RaidForums pricing was 10 euros for VIP, 20 euros for MVP, and 50 euros for GOD, the pricing they demanded went up to $50 for regular membership, $250 for VIP membership, and $500 for VIP+GOD membership. The membership levels are very similar to those of RaidForums in the past, but at a much higher price.

Source: S2W


"pompompurin," the operator of Breached forum, which is filling the void with the same user interface as RaidForums, posted on the forum that he would pay $100 worth of Bitcoin to anyone who trolls @tgomni, who impersonates Omnipotent, the moderator of RaidForums. In addition, one user created a Telegram channel called "Omnipotent - tgomni scammer" to share the damage he suffered. According to a chat posted by this user, @tgomni blocked the user as soon as he got paid.

@tgomni is an active account of a team that operates three hacking forums (reblackhat[.]com, owldarknet[.]com, and darknetworld[.]com), and they are also using the account @bySeller. They have been active since at least March of this year, and it appears they've been trying to replace RaidForums with their new forum, presumably after the forum shut down. The team, they claim, consists of 13 Chinese and Russians, and their leader, Nathan Larson, has already been arrested by the FBI.


Currently, they are active in various hacking forums and multiple Telegram channels related to forums and cryptocurrencies. However, their credibility is very questionable in that they conduct scam campaigns using RaidForums.

The cover image of this article was designed by Sangseon Kim.

Sojun Ryu is a cybersecurity researcher for The Readable. He graduated from the “Best of the Best” next-generation security expert training program (BoB) at the Korea Information Technology Research Institute (KITRI) in 2013, and holds a master’s degree in information security from Sungkyunkwan University in Korea. He worked at KrCERT/CC for seven years, analyzing malware and responding to incidents. He is also one of the authors of "Operation Bookcodes," published by KrCERT/CC in 2020. Recently, Ryu has been focusing on threat intelligence, cybercrime, and advanced persistent threats (APT) by expanding into the deep, dark web with TALON, the Cyber Threat Intelligence group at S2W.