In February 2022, the popular hacking forum and data leak marketplace RaidForums (known simply as RF) was seized by the FBI, and the creator of the website was charged with various counts of fraud and identity theft after running the website for 7 years. In that time, the forum amassed over five-hundred thousand users and became one of the leading data leak marketplace forums. Despite the evidenced repercussions for the creator of the original RaidForums, a few weeks later Breach Forums, or Breached, popped up and started to gain traction in the hacking community. Since its inception in Spring 2022, there have been numerous high-profile breaches put on sale on the website and high-profile users from RaidForums have moved to the so-called ‘RaidForums replacement’ to begin selling leaked data once again.

This raises two questions; ‘Will there always be some form of data leak marketplace?’ and ‘For what reasons do they persist even when there are serious repercussions for those creating them?

What is a data leak marketplace?

Data leak marketplaces are online websites, usually forums, that serve as a platform where bad actors operate to buy and sell compromised, sensitive data. The type of data sold includes but is not limited to credit card data, personal financial information, corporate databases and data gained through ransomware attacks. Buyers use the data for many different reasons such as to run phishing campaigns, commit identity theft and more quickly execute ransomware attacks and other types of cybercrime.

The seizure of RaidForums

RaidForums was introduced to the hacking community in 2015 and in its seven years of existence amassed a reputation for being a top hacking and data leak marketplace forum. At the time of its seizure it had over half a million users and was a haven for financially motivated cybercriminals to buy and sell stolen data. It had seen many high-profile breaches for sale on its website ranging from government databases to corporate databases, which unsurprisingly attracted the attention of law enforcement across the world.

In the end, after a yearlong effort from the FBI, Secret Service, Department of Justice, and law enforcement from many other nations, the website was finally seized and taken out of operation. The alleged founder was a 22-year-old Portuguese national living in England who started the forum when he was just 14. He, and two other users who helped design the forum’s software and computer infrastructure as well as manage and promote database exchanges were charged with multiple counts of conspiracy, access device fraud and aggravated identity theft. They are awaiting extradition to the US to be tried for these crimes.

The introduction and growth of Breach Forums

After RaidForums was seized, there were a few weeks of quiet where the online cybercrime community wondered if there would be a replacement to RaidForums or if popular sellers would move to other online forums. Two of the main forums at the time were XSS and Exploit, both Russian-language forums with their own substantial user bases. However, due to the Russia-Ukraine war, many RaidForums users felt a strong anti-Russian sentiment and were reluctant to start their criminal business on these forums. In any case, just a few weeks after the seizure of RF, cybercriminals found a new home in Breach Forums. On March 14^th 2022, Breached came into being and immediately started to gain users. It was created by someone with the username ‘pompompurin’, herein Pom, a prominent user and data leak seller on RF. Pom had sold a number of high-profile breaches on the now defunct RF, one of which was a leaked database from an undisclosed source containing the full names, birthdates, email addresses, phone numbers, home addresses and other personally identifiable information of 2.5 million Americans amounting to 263GB of data. Whoever ‘pompompurin’ was, they were not new to the data leak marketplace scene and were a respected and trusted name in the cybercrime community.

The forum looked to be a promising replacement to RF. Its interface was almost identical and it had the same types of sub-forums and content as RF such as Cracking, Leaks, Marketplace, Tutorials and other hacking topics. It also enticed veteran RF users to join the forum by promising their titles back that they had earned or bought on RF, which allowed them access to various Databases and sub-forums that other users did not have access to. This act seemed to work as within a few weeks, 6 out of the top 10 sellers on RF had moved over to Breached and started selling data once again.

To encourage activity and growth during the first few weeks, Breached did not implement the sale of 'credits' (a token that allowed users to buy data - essentially allowing the forum to gain a revenue stream) despite that being a standard feature on RF; this encouraged users to post and to share databases in order to gain credits. After this initial period the option to purchase credits was implemented, it undeniably helped the initial growth of Breached and helped to reinforce the idea that Breached was here to stay and was a serious contender on the data leak marketplace scene. Furthermore, over time admin Pom posted all the databases that were sold on RF in one place on the forum where they could be easily accessed by anyone with credits. This was advertised on other forums and hacking Telegram channels as accessing these databases had never been as easy as it had been made on Breached, attracting a horde of new users to the site.

The legitimacy of Breached grew over months, and with more users came more posts with more data for sale. One post in particular cemented the legitimacy of Breached: the high-profile Shanghai National Police (SHGA) database that was listed for $200,000. It gained attention from not only users, but also cyber news entities who wrote articles about the data breach, simultaneously advertising the new forum. The post attracted so many people that the administrator was compelled to write a post welcoming all the new users, specifically those from China, interested in the leak.

Something that sets Breached apart from other hacking forums was that it welcomed discussion of ransomware and selling of ransomware products. While other forums, such as previously mentioned XSS and Exploit, made a move to ban all discussion about ransomware in a bid to avoid Western authorities, Breached welcomed it. Users are not only able to discuss ransomware in general but can also buy ransomware itself or buy the more popular Ransomware as a Service (RaaS). RaaS is a service that a user can buy wherein the ransomware operator will perform the ransomware attack on an entity of the user’s choice. In some examples, operators receive 20% of the profit from the attack with the remaining profit going back to the user who bought the service. It is a lucrative business where both the operator and the user make a financial gain. Allowing the discussion and selling of ransomware products certainly helped attract a niche group of cybercriminals to start business when they were not welcomed on other forums further growing the user base of Breached, while also making it a more diverse hacking forum.

All of the efforts of Pom seemed to work, as the forum grew at a rapid rate. At the time of writing, just 10 months after its creation, Breached has 289,644 total members, which is just over half the amount that RaidForums had amassed in its seven years. As well as this, in June 2022, just three months after it began, Breached declared that it had accumulated data records totaling 10.9 billion, surpassing the 10.8 billion record held by RF. This was of course aided by the aforementioned posting of all RF databases, but is nonetheless an impressive feat for a new forum. While initially, it was debated within the cybercrime community as to whether Breached would be a successful successor to RF, that is certainly not being questioned anymore and Breached has made a name for itself in the hacking community and is a strong player in the data leak marketplace community.

Why do data marketplace forums persist, despite evidenced consequences?

The rapid rise of Breach Forums shows that there remains a strong demand for platforms that enable the buying and selling of stolen data. Pair this with the evident apparent ease at which these types of forums can be made and promoted means they are unlikely to go anywhere any time soon. The legal repercussions that the creators of RF faced were evidently not enough to deter Pom from making a carbon copy of Raid and allowing all those who had lost their marketplace to find a new home and start business all over again. Perhaps it is the belief in one’s own OpSec (operational security), a desire for notoriety, or simply the financial gain of running a data leak marketplace that makes creators of these website feel secure in their creation and operation. Ultimately, the success of these forums comes down to the demand of cybercriminals looking to buy stolen data and those who are willing to supply it for the right price. It seems therefore, that the cybercrime world functions on the basis of the well-known economic model of supply and demand and it is for this reason that data leak marketplaces persist.

Sources

https://ke-la.com/six-months-into-breached-the-legacy-of-raidforums/

https://www.digitalshadows.com/blog-and-research/russian-speaking-cybercriminals-grapple-with-sanctions-and-forum-takedowns/

https://www.digitalshadows.com/blog-and-research/breach-forums-when-student-becomes-the-teacher/

https://www.bankinfosecurity.com/blogs/after-raidforums-demise-breached-forum-seizes-leaks-mantle-p-3281

https://arstechnica.com/tech-policy/2022/04/us-seizes-raidforums-the-go-to-site-for-hackers-selling-stolen-login-details/

https://socradar.io/dark-web-threat-profile-pompompurin/

https://breached.vc/

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.