Summary: RaidForums was a marketplace where hackers traded stolen data. Though seized, its users migrated to new forums. Learn how to defend your business against this threat.
Stolen sensitive data was the most valuable commodity on RaidForums, an underground black market where hackers auctioned off stolen assets to the highest bidder. What began in 2015 as a hub for online trolling quickly spiraled into one of the most notorious (and lucrative) hacker forums.
However, the forum's impressive industrialization of data theft was undone by operational security failures. As law enforcement confirmed the seizure of RaidForums, its user base quickly migrated to its successor, BreachForums. This swift continuation shows that the idea of “winning” the war against cybercrime forums is obsolete.
In this article, you will learn what RaidForums was used for and why it became a systemic risk for corporate data. We will also examine the specific mechanisms that made its business model highly effective, and offer solutions for defending your business against dark web threats.
Key takeaways
Before its seizure, RaidForums was an illicit marketplace for trading stolen data.
Hacker forums and marketplaces never truly die. When one is taken down, its users and stolen data simply migrate to a new forum, ensuring the threat persists.
Once stolen sensitive information appears on a hacker forum, it can create long-term security liabilities.
Organizations must implement continuous dark web monitoring to detect leaks immediately.
Proactive defenses, such as multi-factor authentication (MFA) and access controls, are essential for mitigating risks.
What is RaidForums (and why is it still a threat)?
RaidForums began operations in 2015. It was started by a 14-year-old Portuguese national named Omnipotent. The platform officially had more than 500,000 members, with about 20,000 active users on any given day. What began as a platform for trolling quickly shifted to a more profitable focus: brokering stolen data.
This shift allowed the underground forum to morph into one of the world's largest cybercriminal marketplaces. Its main business was trading hacked databases. Threat actors advertised tools for cyber-attacks, sold access to organizations, and dumped breached databases.
RaidForums was ultimately seized by Europol in 2022. Following the investigation, its founder was arrested. However, former users quickly created a successor forum, BreachForums, demonstrating the resilience of the threat. For security teams, this reality demands a proactive defense. Solutions that provide visibility into threat exposure, like NordStellar, help businesses understand what threat actors know and prepare for the next breach attempt.
The business of a breach: how RaidForums worked
RaidForums quickly became the main hub for data thieves. Some of the world's biggest freelance black hats saw the site as the best place to sell their stolen data. The forum's admins, including Omnipotent, were themselves active in data theft, viewing the site as a necessary source of extra income.
The forum developed its own crew of data poachers and malware developers. Their activities escalated beyond simple theft. They performed complex operations, such as extracting invoice data to identify targets or even compromising the FBI's internal email system.
The entire operational model was both sophisticated and profitable, relying on several direct revenue streams:
Commission-based sales. Users posted databases for sale. The forum took a percentage of the final price as a mediation fee.
Escrow and transaction guarantee. When hackers did not trust a buyer, an admin, like Omnipotent, stepped in as escrow. They held the money until the data transfer was verified, ensuring the transaction was “legitimate”.
Tiered access and premium memberships. To reduce scams that often plague high-volume sites, the admins created tiered membership packages. The God Tier provided exclusive access to the most valuable databases, secret auctions, and private bids.
What type of data was traded on RaidForums?
What set RaidForums apart was the volume and variety of data for sale. It became the epicenter for illicit digital transactions. Cybercriminals could source everything from mass identity theft kits to data required for corporate financial fraud. The most critical listings included:
Databases with personal information. Comprehensive datasets containing sensitive customer or employee details, such as SSNs, DOBs, and home addresses, which were later used for identity theft.
Password lists and login details. Stolen credentials and combolists, often obtained from data breaches or infostealer malware.
Financial data. Listings of millions of stolen credit cards, complete payment histories, and corporate financial information.
Internal business files shared online. Confidential records, such as employee records, strategic plans, proprietary IP, and R&D documents, obtained and sold by threat actors.
RaidForums traded every category of sensitive data, enabling widespread financial crime and systemic corporate risk.
How data leaked on RaidForums affects companies today
Hacker forums never truly die. They simply migrate. Once one is taken down, another emerges to continue the illicit trade. For law enforcement operations, this means a persistent, recurring cycle. Arrests fail to deter the majority of the criminal community. And for organizations, this is a threat that will not disappear.
What’s worse, new forums are launching with the old stolen databases. If your company has experienced a data breach, that breach remains a security liability today. The leaked data can be used for phishing, fraud, and account takeover attacks. But even if your sensitive information wasn’t compromised previously, the danger is still present. Threat actors go to great lengths to hunt for your business data.
There are two kinds of risks associated with new hacker forums:
Threat persistence
Vast spread and reuse of stolen data. Stolen data that appeared on one hacking forum can be reposted and shared across the dark web ecosystem. Once credentials or company records are exposed, they never truly disappear from the internet.
Long-term credential risk. Usernames and passwords sold on a hacker forum create long-term credential reuse risks for companies. Threat actors use this data for phishing, credential stuffing, and gaining initial access to compromised systems.
Increased social engineering and fraud risks. Stolen personally identifiable information (PII) is constantly used as fuel to create sophisticated social engineering campaigns. This, in turn, leads to more data breaches.
Account takeover (ATO) attacks. Shared databases, often containing login details, directly enable account takeover attempts against customers, employees, partners, and vendors. Compromise in one part of the supply chain creates risk for the entire network.
Systemic and reputational damage
Compliance issues. Organizations face higher breach costs when they are not in compliance with regulations. Data exposure on the dark web signals internal deficiencies, making companies vulnerable to liability from employees, customers, and investors.
Customer trust and brand reputation. A data breach attracts negative publicity. This damages the company's reputation and results in a long-term loss of customers, decreased sales, and difficulties in talent recruitment.
Financial and operational costs. The average data breach is costly. Its detection and containment can take longer than 200 days. The long-term consequences include legal fees, operational disruptions, and a loss of business revenue.
Although you can’t eliminate the risk of a data breach, you can neutralize its impact. Addressing these systemic risks requires strategic, continuous visibility. NordStellar provides this essential defense through dark web monitoring and data breach monitoring.
By flagging compromised credentials and assets used in Account Takeover (ATO) attempts the moment they appear, we give your security team the critical time to secure access before the breach escalates. This intelligence shifts your defense from reactive patching to proactive control.
How to build a stronger defense
You can’t stop criminals from trading stolen data, but you can make it much harder for them to use it against you. Moving to a proactive defense is key.
Implement strong access controls. Follow the principle of least privilege. Give employees only the permissions they actually need to do their jobs. This way, if an account is compromised, the damage remains contained.
Use multi-factor authentication (MFA). MFA stops most attacks cold. For optimal protection, avoid using SMS codes and opt for phishing-resistant methods, such as hardware keys.
Update your software regularly. Outdated software is an open invitation for malware. Install security patches as soon as they become available to close the gaps that infostealers exploit.
Train your team. Most breaches start with human error. Teach your staff to recognize phishing attempts and simulate attacks to keep their guard up.
Monitor your attack surface. You can't fix what you can't see. Continuously monitor your external assets to identify vulnerabilities before attackers can exploit them.
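The long-term credential risk and the MFA advice above can be combined into a simple triage step when a combolist naming your domain surfaces. The following is an added example, not part of the original article or of any NordStellar product; the domain `example.com`, the MFA labels, the directory layout, and all sample data are constructed assumptions.

```python
CORP_DOMAINS = {"example.com"}         # assumption: your organization's mail domains
PHISHING_RESISTANT = {"hardware_key"}  # assumption: MFA labels used by your directory

# Constructed sample of "email:password" combolist lines (not real data).
SAMPLE_COMBOLIST = """\
alice@example.com:Winter2021!
ALICE@Example.com:Winter2021!
bob@example.com:hunter2
carol@other.test:qwerty
malformed line without separator
dave@example.com:pa:ss:word
"""

# Constructed directory export: account -> (active, enrolled MFA method).
DIRECTORY = {
    "alice@example.com": (True, "sms"),
    "bob@example.com": (True, "hardware_key"),
    "dave@example.com": (False, None),
}

def parse_combolist(text):
    """Return corporate accounts named in the dump; passwords are never kept."""
    accounts = set()
    for line in text.splitlines():
        email, sep, _password = line.strip().partition(":")  # password may contain ':'
        if not sep or "@" not in email:
            continue  # skip malformed lines
        email = email.lower()  # dumps repeat the same account in mixed case
        if email.rsplit("@", 1)[1] in CORP_DOMAINS:
            accounts.add(email)
    return accounts

def triage(accounts, directory):
    """Rank exposed accounts: active accounts without phishing-resistant MFA first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for account in accounts:
        active, mfa = directory.get(account, (False, None))  # unknown = not active
        if not active:
            findings.append((account, "low", "confirm the account stays disabled"))
        elif mfa in PHISHING_RESISTANT:
            findings.append((account, "medium", "force a password reset"))
        else:
            findings.append((account, "high", "reset, revoke sessions, enrol a hardware key"))
    return sorted(findings, key=lambda f: (rank[f[1]], f[0]))

if __name__ == "__main__":
    for finding in triage(parse_combolist(SAMPLE_COMBOLIST), DIRECTORY):
        print(*finding, sep=" | ")
```

The parser discards the leaked passwords on purpose, so the triage output can be shared with the help desk without spreading the secrets further.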
How NordStellar can help
NordStellar helps you see your organization through an attacker's eyes. As a threat exposure management platform, it consolidates essential threat intelligence tools, so you can identify risks early and act fast.
Dark web monitoring. Track your company’s keywords across hacker forums, illicit marketplaces, and Telegram channels to know if you are being targeted.
Data breach monitoring. Detect exposed employee and customer credentials immediately. We provide the context you need to assess the risk and ensure account takeover prevention.
Attack surface management. Identify security gaps before criminals do. Our external vulnerability scanning maps your internet-facing assets to spot vulnerabilities that attackers could exploit.
Actionable alerts. Don't just collect data—act on it. NordStellar gives you the early warning you need to intervene before a cyber risk becomes a material breach.
Although RaidForums is gone, the illicit trade continues on new hacker forums. NordStellar monitors these dark web communities in real time to spot threats targeting your business. Try NordStellar for free and see your risk exposure.

Joanna Krysińska
Senior Copywriter
A writer, tech enthusiast, dog walker, and amateur pastry chef, Joanna grew up in a family of engineers and mathematicians, so a techy mind is in her genes. She loves making complex tech topics less complex and digestible. She also has a keen interest in the mechanics of cybercrime.