“Oh for f*** sake,” a February 25th message on Signal to me began.
RaidForums had been seized, I was told. But had it been?
[Note: this article does not link to RaidForums’ site as it may still be a phishing page.]
A WHOIS lookup on the domain today shows that the registration for RaidForums[.]com was last updated on February 25. But what happened that day? And where is the site’s owner?
Weeks earlier, the owner, “Omnipotent,” had seemingly left a message on his Telegram account that he would be away on vacation from January 31 to February 7. But he didn’t return as scheduled. RaidForums was down for a number of days until an administrator announced that Omnipotent was off dealing with some things and that things might be a bit slower and less convenient for a while for those who wanted to buy forum credits or upgrades.
But normalcy never returned, and on February 25, an administrator (“Jaw”) posted a notice on the forum’s Telegram account saying that the domain had been seized. In a companion message, a second administrator (“Moot”) locked the chat and instructed everyone to wait for further updates.
Jaw
The raidforums.com domain has been seized. I encourage anybody that attempted logging in to change your passwords and clear any logs you have. The new domain will be https://rf.to for anybody interested in staying.
Although the message said the domain had been seized, there was no seizure notice on the site, and as user @Pompompurin spotted immediately, the home page didn’t look like RF’s normal login page. In fact, as he informed DataBreaches.net, the home page had been replaced by a phishing page to get users’ login credentials.
Attempting to sabotage the as-yet unidentified phishers, Pompompurin began DDoSing the site. That appeared to work for a while, until Cloudflare imposed rate-limiting, which made that attempt futile.
It is now three days later, and there is still no seizure notice on the site. If a government had seized it, would it really put up such an amateurish-looking phishing page? Is it possible that it is not a government that is involved?
And what happened to “Omnipotent?”
According to a source with some knowledge of the situation, Omnipotent was allowed to call an administrator to say the domain was seized. But where is he and why hasn’t he been in subsequent communication?
DataBreaches.net reached out to three law enforcement agencies to ask whether they had any involvement in any seizure of RaidForums or any possible arrest of “Omnipotent.”
Because DataBreaches.net believes that Omnipotent may be a British citizen, both the National Crime Agency and Metropolitan Police were contacted. The Met Police (probably better known to Americans as Scotland Yard) responded promptly that they were not the right agency to query and that this site should contact the National Crime Agency.
As it turns out, this site had already queried NCA, who also promptly responded that they weren’t the right agency to query:
Good Evening,
This is not an issue the National Crime Agency can comment on as we cannot comment on.
The National Crime Agency is not a crime reporting Agency.
In a follow-up inquiry, this site asked the NCA who would be the correct agency, noting that the Met Police had said that NCA was the correct agency. So far, no further reply from NCA has been received.
As to the FBI/USDOJ, well, it took multiple attempts to get a response from their press office. In its last version, this site asked them:
Does DOJ/FBI have any knowledge of or any involvement in any seizure of the hacking website known as RaidForums.com? If so, what can DOJ/FBI tell me? Has the government seized that site and/or server and if so, were other governments also involved?
The response from Joshua Stueve, Spokesman for the U.S. Department of Justice read:
Thanks for reaching out. Decline to comment.
I will let readers speculate about what that means. For my part, I replied to Mr. Stueve by noting that I will obviously need to rule the world to get answers.
Working on it….
Very interesting story. This is strange and mysterious.
I don’t think this is really a wink or anything. The DOJ usually writes out the full Glomar response if you send in a FOIA request, but informally this is the answer you will get if you ask any question in regards to their investigations, or lack thereof, of anything that can be plausibly investigated. So, if you ask “is the DOJ investigating if the moon is made out of cheese”, you’ll get an emphatic “no”, but ask about an investigation that is at all plausible and the answer, even if it’s something that they in reality have neither the jurisdictional authority nor the interest in investigating, will resemble the answer you got. Variations will exist in terms of wording, but the message is going to be the same.
This goes for any federal agency with enforcement powers of any sort, like DHS, as well, although if they feel particularly adversarial – if you are an attorney seeking information through legal channels that nevertheless may implicate some sort of wrongdoing, they can, and have, simply replied to FOIA requests with fully redacted pages of black lines, for example – but even that only happens when you know, and they know that you know, that what’s being asked about is something that exists. At this point it’s clear that cit0day wasn’t a takedown but more of a… rug pull of sorts? But the DOJ have never even confirmed or denied the appropriation of their name for the purpose of the site taking their customers’ money and running with it. Federal law enforcement are also hesitant to admit the existence, even though it’s not at all a secret, of their policy of leveraging American companies to investigate what may or may not start with sufficient extrinsic sources to establish probable cause. Parallel construction, while frequently criticized as being unethical (and I tend to agree, since it begs for confirmation bias, and contesting what may be an unwarranted or imagined wrong can nevertheless result in the loss, however temporary, of one’s liberty), is done as a matter of routine. So there’s no real answer that they can give except a variation on the no-comment answer.
Opportunism abounds in times when there’s some sort of greater chaos in the world. One option, although not a perfect solution – mostly because there’s too much data to sort through on what inevitably will start sealed before eventually being unsealed – is to set up an alert on the excellent courtlistener.com service (full disclosure: I donate to the Free Law Foundation every year) to see what pops up. You can set up just an RSS feed on the keyword “raidforums”, but this is unlikely to get you great results beyond those that use the site as part of the filings in a lawsuit relating not directly to the site but to the contents contained within. That RSS feed would be https://www.courtlistener.com/feed/search/?type=r&type=r&q=raidforums&order_by=score+desc&
Alternatively, go broad and set the feed for all filings involving “United States v.” in the name and take out all of the defunct/unrelated courts like bankruptcy or tax courts or courts that haven’t existed since the 1800s and filed after say, February 7, ordered by new. https://www.courtlistener.com/?q=&type=r&order_by=dateFiled%20desc&case_name=United%20States%20v.&filed_after=02%2F07%2F2022&court=scotus%20ca1%20ca2%20ca3%20ca4%20ca5%20ca6%20ca7%20ca8%20ca9%20ca10%20ca11%20cadc%20cafc%20dcd%20almd%20alnd%20alsd%20akd%20azd%20ared%20arwd%20cacd%20caed%20cand%20casd%20cod%20ctd%20ded%20flmd%20flnd%20flsd%20gamd%20gand%20gasd%20hid%20idd%20ilcd%20ilnd%20ilsd%20innd%20insd%20iand%20iasd%20ksd%20kyed%20kywd%20laed%20lamd%20lawd%20med%20mdd%20mad%20mied%20miwd%20mnd%20msnd%20mssd%20moed%20mowd%20mtd%20ned%20nvd%20nhd%20njd%20nmd%20nyed%20nynd%20nysd%20nywd%20nced%20ncmd%20ncwd%20ndd%20ohnd%20ohsd%20oked%20oknd%20okwd%20ord%20paed%20pamd%20pawd%20rid%20scd%20sdd%20tned%20tnmd%20tnwd%20txed%20txnd%20txsd%20txwd%20utd%20vtd%20vaed%20vawd%20waed%20wawd%20wvnd%20wvsd%20wied%20wiwd%20wyd%20gud%20nmid%20prd%20vid%20ag%20afcca%20asbca%20armfor%20acca%20uscfc%20tax%20bia%20olc%20mc%20mspb%20nmcca%20cavc%20bva%20fiscr%20fisc%20cit%20usjc%20jpml%20sttex%20stp but again, it brings a lot of results, although it may inadvertently get you information on other cases of interest.
Lastly, if you put out a call on Twitter it’s not unusual for someone – an attorney or otherwise, but pretty much always an attorney or law student – to transfer the documents not in their db from PACER into their db for free and public consumption. #appellatetwitter is helpful even on cases that aren’t actually in appellate court.
Hope that helps. Keep up the good work.
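As an added example, not code from the comment above, from DataBreaches.net or from CourtListener, the following Python applies the two filters the comment describes (a keyword such as “raidforums” and a filed-after date, optionally restricted to “United States v.” case names) to a feed that was fetched earlier, so it runs offline. The feed layout it handles (Atom `<entry>` elements, with an RSS 2.0 `<item>` fallback) is an assumption about what the /feed/search/ endpoint returns, and the embedded sample feed is constructed: its case names, docket URLs and dates are invented.

```python
"""Offline keyword/date filter for CourtListener-style search feeds.

Added example, not code from the original post or from CourtListener. The
feed layout handled here (Atom <entry> or RSS 2.0 <item>) is an assumption;
the embedded sample is constructed and every case name, URL and date in it
is fictitious.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
DEFAULT_CUTOFF = datetime(2022, 2, 7, tzinfo=timezone.utc)  # the comment's "after February 7"

# Constructed sample in the assumed Atom shape; every entry is fictitious.
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>CourtListener.com: Search Results</title>
  <entry>
    <title>United States v. Example</title>
    <link href="https://www.courtlistener.com/docket/1/united-states-v-example/"/>
    <updated>2022-02-28T14:05:00+00:00</updated>
    <summary>Sealed indictment; exhibits reference raidforums postings.</summary>
  </entry>
  <entry>
    <title>Acme Corp. v. Roe</title>
    <link href="https://www.courtlistener.com/docket/2/acme-corp-v-roe/"/>
    <updated>2022-02-10T09:00:00+00:00</updated>
    <summary>Civil complaint over data posted to RaidForums.</summary>
  </entry>
  <entry>
    <title>United States v. Sample</title>
    <link href="https://www.courtlistener.com/docket/3/united-states-v-sample/"/>
    <updated>2022-01-15T10:00:00+00:00</updated>
    <summary>Unrelated wire fraud docket.</summary>
  </entry>
</feed>
"""


@dataclass(frozen=True)
class FeedEntry:
    title: str
    link: str
    published: datetime
    summary: str


def _text(elem: ET.Element | None) -> str:
    return (elem.text or "").strip() if elem is not None else ""


def _parse_date(raw: str) -> datetime:
    """Accept ISO 8601 (Atom <updated>) or RFC 2822 (RSS <pubDate>); naive times count as UTC."""
    if not raw:
        # Undated entries sort oldest and never pass a cutoff.
        return datetime.min.replace(tzinfo=timezone.utc)
    try:
        dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    except ValueError:
        dt = parsedate_to_datetime(raw)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_feed(xml_text: str) -> list[FeedEntry]:
    """Return the entries of an Atom feed or the items of an RSS 2.0 channel."""
    root = ET.fromstring(xml_text)
    entries: list[FeedEntry] = []
    if root.tag == f"{ATOM}feed":
        for e in root.findall(f"{ATOM}entry"):
            link = e.find(f"{ATOM}link")
            entries.append(FeedEntry(
                title=_text(e.find(f"{ATOM}title")),
                link=link.get("href", "") if link is not None else "",
                published=_parse_date(_text(e.find(f"{ATOM}updated")) or _text(e.find(f"{ATOM}published"))),
                summary=_text(e.find(f"{ATOM}summary")) or _text(e.find(f"{ATOM}content")),
            ))
    else:  # RSS 2.0 fallback: <rss><channel><item>...</item></channel></rss>
        for i in root.iter("item"):
            entries.append(FeedEntry(
                title=_text(i.find("title")),
                link=_text(i.find("link")),
                published=_parse_date(_text(i.find("pubDate"))),
                summary=_text(i.find("description")),
            ))
    return entries


def filter_entries(entries, keyword, filed_after=DEFAULT_CUTOFF, case_name_prefix=None):
    """Keep entries filed after the cutoff whose title or summary mention the keyword
    (case-insensitive), optionally only those whose case name starts with a prefix
    such as "United States v."; newest first."""
    kw = keyword.lower()
    hits = [
        e for e in entries
        if e.published > filed_after
        and kw in f"{e.title} {e.summary}".lower()
        and (case_name_prefix is None or e.title.startswith(case_name_prefix))
    ]
    return sorted(hits, key=lambda e: e.published, reverse=True)


if __name__ == "__main__":
    for hit in filter_entries(parse_feed(SAMPLE_FEED), "raidforums", case_name_prefix="United States v."):
        print(hit.published.date(), hit.title, hit.link)
```

Against the sample, the “United States v.” filter keeps only the February 28 entry; dropping the prefix also admits the civil Acme docket, which is the kind of indirect hit the comment warns the keyword feed mostly returns. To use it on a real feed, save the feed XML from the URL in the comment and pass its text to `parse_feed` in place of `SAMPLE_FEED`.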
Thanks so much for taking the time to try to help. I follow some of those Twitter hashtags and sources and yes, they’re excellent. As to courtlistener, in this case, I’d have to go broad because the takedown — if there was one — could be a non-U.S. entity.
I really really really hate not knowing some things. 🙂