Raidforums.com has been rebuilt?
Author: Sigma | S2W TALON
Last Modified: 2022.05.30.
Raidforums.com was launched by Omnipotent on January 1, 2015, and was operated for about seven years until February 2022. The forum was mainly used to sell user account information from specific corporate-related websites, personal information by country, VPN/RDP credentials, and ransomware-related leaked information.
The Raidforums operator has been arrested by the FBI, and the forum is now closed
Omnipotent, the former operator of Raidforums.com, lived in Portugal, and his name is Diogo Santos Coelho. It has been confirmed that he had run Raidforums.com since he was 14. An article released in April reported that he was arrested by the FBI in the UK on January 31, 2022.
“Raidforums.com Rebuilt (Reopened)”
On May 23, 2022, a message announcing that “@tgomni had begun operating the Raidforums again” was posted on the Raidforums | Darknet Market | Bitcoin Stealer (@raidforumsofficial) Telegram channel.
- (2022-01-31) Omnipotent, the operator of the Raidforums, was arrested by the FBI in the UK
- (2022-03-12) The Telegram channel RaidForums | Darknet Market | Bitcoin Stealer was launched under the guise of the official Raidforums
- (2022-04-11) The operator of the Breached forum, pompompurin, posted that he would pay $100 to the winner if someone trolled @tgomni, who runs the @reblackhat and @raidforumsofficial channels on Telegram
- (2022-04-30) The Telegram channel Omnipotent — @tgomni scammer was found, carrying a message that @tgomni is a scammer
- (2022-05-23) @tgomni posted a message about reopening Raidforums.com on the RaidForums | Darknet Market | Bitcoin Stealer Telegram channel
Win $100 trolling a scammer!
On April 11, 2022, Pompompurin, the operator of the Breached forum, wrote a post targeting @tgomni, who impersonates the Raidforums operator Omnipotent on Telegram, and offering to pay $100 worth of bitcoin to trollers.
The Telegram accounts and channels mentioned by Pompompurin are as follows.
- @reblackhat (reblackhat)
- @raidforumsofficial (RaidForums | Darknet Market | Bitcoin Stealer)
Currently, the operator of the @raidforumsofficial channel has changed to a user other than @tgomni, and it is confirmed that it is being operated as a completely separate channel (channel name: “database”) rather than as the previous channel.
“@tgomni is scammer”
@tgomni impersonates Omnipotent, distributes fraudulent messages to Raidforums-related users, and lures people into accessing their scam channel on Telegram.
Payment fraud impersonating Omnipotent
The operator of the Telegram channel Omnipotent — tgomni scammer said that @tgomni had told him he would get a discount on the next payment if he paid a certain amount to @tgomni.
In this way, @tgomni is currently running a scam campaign that uses the reputation of Omnipotent, the operator of Raidforums.com.
Who is @tgomni?
As mentioned above, @tgomni has also been using the nickname @byseller and running a total of three hacking communities: reblackhat.com, owldarknet.com, and darknetworld.com.
Profile of @tgomni
The relation graph of @tgomni is as follows.
darknetworld.com operated by @bySeller (a.k.a. @tgomni)
According to a post uploaded on Darknetworld’s official Telegram channel on February 9, 2022, a total of 13 people run darknetworld.com, and the group consists of Chinese and Russian members. The @tgomni account is also believed to be used by this group.
In addition, it has also been confirmed that they carried out website defacement attacks to advertise their forum.
- (2022-03-29) Interview with the operator of the REBlackhat forum conducted by DataKnight
According to an interview with the REBlackhat operator conducted by DataKnight, darknetworld.com’s operator is named Nathan Larson, who is the chief operator of the site using the @byseller account.
Reblackhat.com operated by @bySeller (a.k.a. @tgomni)
On March 10, 2022, a notice announcing that the www.REBlackhat.com site had opened was uploaded on RE BlackHat Hacking Platform, one of the Telegram channels run by @bySeller.
In an interview with DataKnight, the REBlackhat operator said Darknetworld’s operator was Nathan Larson, who had been arrested by the FBI at the time of the interview. Darknetworld was also hosted by NameCheap and has been closed by the FBI.
- (2022-04-08) Mentioned the firstname.lastname@example.org account and took aim at the Breached forum
Although the chief operator has been arrested, @tgomni appears to be used by the other members, and the user mentioned an email address used to contact Darknetworld on one of their Telegram channels, Facebook & Instagram Leaked | Dump. In addition, the message was aimed at the Breached forum run by pompompurin and steered people to their own forum by saying the Breached forum is a fake site.
Reblackhat.com, which is no longer in operation.
Currently, accessing reblackhat.com shows a mobile phone number (+337 8441 0471) along with an instruction to contact @tgomni. The domain is no longer operational and displays the phrase “The domain has been taken over by raidforums”, which is also presumed to be a message written to suggest that they are related to Raidforums.
For these reasons, they are advertising the message that “the Raidforums will back” on the official channel of the Raidforums and in other underground forums.
However, the current operator of Raidforums has been seized by the FBI, and all of the Raidforums-like forums discovered so far are presumed to be scam sites.
@tgomni is believed to be an account used by 13 Chinese and Russian team members, and it has recently been operating the Bitcoin Stealer channel on Telegram, selling BTC and Ethereum private keys and wallet.dat files.
They regularly upload advertisements for opening new forums and posts about selling databases, and recently reblackhat.com was mentioned by the Raidforums forum’s management as if it were a rebranded forum for Raidforums. Our analysis confirmed that it is not a rebranding but a scam campaign that uses the reputation of Raidforums.com to target deep & dark web users who know the forum.
Their claim to be “RaidForums.com Rebuilt (Reopened)” is not true, and the Raidforums forum has not been reopened.
Still, they continue to operate on Telegram.