The contents of cyber break-ins and database leaks are generally sold on underground dark web hacking forums, where sensitive personal and financial information is bought and sold in bulk. Members of one of the biggest of these marketplaces of recent years received a rude surprise recently when their own registration information was dumped to an up-and-coming forum.
The database leak exposed most of the former members of RaidForums, one of the largest hacking forums dealing in illicit personal information up until its seizure by law enforcement in early 2022. The forum is thought to have had about half a million members over its lifetime, and the database leak contained information on nearly all of them packed into one large SQL file.
RaidForums database leak thought to have happened prior to law enforcement actions
The database leak looks to have taken place in late September 2020, long before international law enforcement moved in on the hacking forum. Someone appears to have been sitting on this information for some time, or at least leveraging it in private before deciding to dump it to the public (possibly due to having exhausted its financial value). The SQL file contains registration information, including hashed passwords, for over 478,000 RaidForums members that created accounts between the site’s launch in 2015 and the date of the leak.
The incident echoes something similar that happened in 2021, when RaidForums was host to multiple dumps of user information from other competing hacking forums. It is not clear if the same parties are involved, but at the time the hacker was demanding large ransoms to keep these database leaks out of the public eye.
This underground economy relies heavily on some degree of trust and reputation-building to function, but it seems things are getting more vicious and unstable as pressure on hacking forums is increasing. RaidForums lasted for seven years before being shut down; its most direct successor, Breached, only lasted a year before also being targeted by law enforcement. Some forum activity has been shifting to encrypted messaging apps like Telegram as a result of this increased scrutiny.
Hacking forum information may help security researchers, police investigators
Any criminal with any amount of intelligence and caution will not register for a hacking forum with any information that could be traced to their personal identity. However, forensic researchers also very often track down these hackers via some connection between accounts that they overlooked. The item of greatest interest in the database leak is likely the hashed passwords; if these are cracked they may open some old account that a threat actor has not bothered to go back and secure.
Hacking forums also often turn out to be owned by young men living in countries in which one would assume it is too dangerous to run such an operation from. Busts of major dark web forums in recent years have turned up founding administrators living in the United States, UK and Portugal, sometimes with their parents. When RaidForums first went online, the founder was 14 years old. This provides law enforcement with the opportunity for seizure of physical hardware and materials that might provide better links to data-trading criminals.
As to legitimacy of the database leak, members of the hacking forum it was posted on (“Exposed”) have confirmed that their prior registration information at RaidForums is valid.