S2W BLOG

Raidforums.com has been rebuilt?

Author: Sigma | S2W TALON

Last Modified: 2022.05.30.

About Raidforums.com

Raidforums.com was launched by Omnipotent on January 1, 2015, and operated for about seven years until February 2022. The forum was mainly used to sell user account information from specific corporate websites, personal information organized by country, VPN/RDP credentials, and ransomware-related leaked data.

Raidforums.com

The Raidforums operator has been arrested by the FBI, and the forum is now closed

Omnipotent, the former operator of Raidforums.com, lived in Portugal, and his name is Diogo Santos Coelho. It has been confirmed that he had run Raidforums.com since he was 14. An article released in April reported that he was arrested by the FBI in the UK on January 31, 2022.

“Raidforums.com Rebuilt (Reopened)”

On May 23, 2022, a message announcing that “@tgomni had begun operating the Raidforums again” was posted on the RaidForums | Darknet Market | Bitcoin Stealer (@raidforumsofficial) Telegram channel.

Source: https://t.me/raidforumsofficial/173 (has been removed)
Source: https://telegra.ph/RaidForumscom-Rebuilt-Reopened-05-23

Timeline

  • (2022-01-31) Omnipotent, the operator of Raidforums, was arrested by the FBI in the UK.
  • (2022-03-12) The Telegram channel RaidForums | Darknet Market | Bitcoin Stealer was launched under the guise of the official Raidforums.
  • (2022-04-11) The operator of the Breached forum, pompompurin, uploaded a post offering to pay $100 to the winner among those who trolled @tgomni, who runs the @reblackhat and @raidforumsofficial channels on Telegram.
  • (2022-04-30) The Telegram channel Omnipotent — @tgomni scammer was found, carrying a message that @tgomni is a scammer.
  • (2022-05-23) @tgomni posted a message about reopening Raidforums.com on the RaidForums | Darknet Market | Bitcoin Stealer Telegram channel.

Win $100 trolling a scammer!

On April 11, 2022, Pompompurin, the operator of the Breached forum, wrote a post targeting @tgomni, who impersonates the Raidforums operator Omnipotent on Telegram, and promising to pay $100 worth of bitcoin to those who troll him.

pompompurin, Win $100 trolling a scammer!

The Telegram accounts and channels mentioned by Pompompurin are as follows.

Telegram accounts

  • @tgomni
  • @byseller

Telegram channels

  • @reblackhat (reblackhat)
  • @raidforumsofficial (RaidForums | Darknet Market | Bitcoin Stealer)

Currently, the operator of the @raidforumsofficial channel has changed to a user other than @tgomni, and it is confirmed that this user is running it as a completely separate channel (channel name: “database”) rather than as a continuation of the previous one.

“@tgomni is scammer”

@tgomni impersonates Omnipotent, distributes fraudulent messages to Raidforums-related users, and lures people into accessing their scam channel on Telegram.

“Hackers Bitcoin | Crypto Hack Software” Telegram Channel, run by @tgomni

Payment fraud impersonating Omnipotent

The operator of the Telegram channel Omnipotent — tgomni scammer reported that @tgomni had told him he would receive a discount on the next payment if he paid @tgomni a certain amount.

In this way, @tgomni is currently running a scam campaign that trades on the reputation of Omnipotent, the operator of Raidforums.com.

Who is @tgomni?

As mentioned above, @tgomni also uses the nickname @byseller and runs a total of three hacking communities: reblackhat.com, owldarknet.com, and darknetworld.com.

Profile of @tgomni

The relation graph of @tgomni is as follows.

darknetworld.com operated by @bySeller (a.k.a. @tgomni)

According to a post uploaded to Darknetworld’s official Telegram channel on February 9, 2022, a total of 13 people run darknetworld.com, and the team consists of Chinese and Russian members. The @tgomni account is therefore also believed to be used by this group.

In addition, it has been confirmed that they carried out website defacement attacks to advertise their forum.

Source: https://teletype.in/@btcstealer/bitcoin-stealer-cracking-the-mnemonic-code
darknetworld.com team member Mr#’s website deface attack

  • (2022-03-29) Interview with the operator of REBlackhat forum conducted by DataKnight

According to an interview with the REBlackhat operator conducted by DataKnight, darknetworld.com’s operator is named Nathan Larson, who is the chief operator of the site using the @byseller account.

Reblackhat.com operated by @bySeller (a.k.a. @tgomni)

On March 10, 2022, a notice announcing that the www.REBlackhat.com site had opened was uploaded to RE BlackHat Hacking Platform, one of the Telegram channels run by @bySeller.

Announcement of RE BlackHat Hacking Platform telegram channel

In an interview with DataKnight, the REBlackhat operator said Darknetworld’s operator was Nathan Larson, who had been arrested by the FBI at the time of the interview. Darknetworld was also hosted by NameCheap and has been closed by the FBI.

  • (2022-04-08) Mentioned the reblackhat@protonmail.com account and took aim at the Breached forum

Although the chief operator has been arrested, @tgomni appears to be used by the other members, and the user mentioned an email address used for contacting Darknetworld on one of their Telegram channels, Facebook & Instagram Leaked | Dump. In addition, the message was aimed at the Breached forum run by pompompurin and steered people to their own forum by saying that the Breached forum is a fake site.

Announcement of Facebook & Instagram Leaked | Dump telegram channel

Reblackhat.com, which is no longer in operation.

Currently, when you access reblackhat.com, a mobile phone number (+337 8441 0471) is listed along with an instruction to contact @tgomni. The domain is no longer operational and shows the phrase “The domain has been taken over by raidforums”, which is also presumed to be a message written to suggest that they are related to Raidforums.

Reblackhat.com

Conclusion

For these reasons, they are advertising the message that “the Raidforums will back” on the official channel of the Raidforums and in other underground forums.

Raidforums forum mentioned in LEAK DATA CHAT telegram channel

However, the current operator of Raidforums has been seized by the FBI, and all of the Raidforums-like forums discovered so far are presumed to be scam sites.

@tgomni is believed to be an account used by 13 Chinese and Russian team members, and it has recently been operating a Bitcoin Stealer channel on Telegram that sells BTC and Ethereum private keys and wallet.dat files.

They regularly upload advertisements for opening new forums and posts about selling databases, and recently reblackhat.com was mentioned by the Raidforums forum’s management as if it were a rebranded forum for Raidforums. Our analysis confirmed that it is not a rebranding but a scam campaign that uses the reputation of Raidforums.com to target deep and dark web users who know the forum.

Their claim to be “RaidForums.com Rebuilt (Reopened)” is not true, and the Raidforums forum has not been reopened.

Still, they continue to work on Telegram.

S2W specializes in cybersecurity data analysis for cyber threat intelligence.