The Good, the Bad and the Ugly in Cybersecurity – Week 16

The Good

It seems like criminal marketplaces are falling like dominoes these days. After last week’s seizure of servers belonging to Hydra market comes this week’s shuttering of RaidForums in a joint law enforcement operation involving the DoJ, Europol and several other national agencies, codenamed ‘Operation Tourniquet’.

RaidForums, an online forum providing criminals with stolen personal data, was unusual in the world of hacking forums for a couple of reasons: It operated on the open internet rather than the darknet, its primary language was English rather than Russian, and–as revealed this week by the DoJ–its principal operator was only 14 when it came into being in 2015.

21-year old Diogo Santos Coelho of Portugal, aka Omnipotent, was arrested back in January 2022 in the U.K. and is currently awaiting extradition to the U.S. Two other individual have also been arrested in connection with operating the site and the domains,, and Raid.Lol have been seized.

Since its launch seven years ago as a site for coordinating online harassment and swatting (hence the name), RaidForums has sold access to more than 10 billion consumer records stolen in some of the world’s most significant data breaches.

While marketplace takedowns may not solve the cybersecurity problem alone, coordinated law enforcement action like Operation Tourniquet and others we’ve reported on in recent months make it harder for cybercriminals to operate, sell, buy and exchange stolen data, and increases the cost of doing business for those behind cyberattacks. It also shows that law enforcement can work globally to reduce the impact of cybercrime.

The Bad

At the end of March, we learned that $620 million in crypto currency had been stolen from Axie Infinity’s Ronin bridge, making it the largest crypto hack in history. Ronin, an Ethereum sidechain built for the popular play-to-earn nonfungible token game Axie Infinity, confirmed the breach.

While most of the stolen funds are still in the attacker’s wallet, this week, the FBI attributed the breach to North Korean-based Lazarus Group.


In response to the hack, Sky Mavis, the developer behind Axie Infinity and Ronin, was forced to temporarily suspend the Ronin blockchain, preventing anyone from exchanging funds. Mavis pledged to reimburse player losses and has managed to raise $150M in an investment round led by Binance.

The Lazarus group has operated since 2009 and is responsible for some of the most notorious cyberattacks in history, including the Sony breach and WannaCry. They added stealing cryptocurrency to their bow in 2017. At the end of 2019, SentinelLabs connected the Lazarus and TrickBot groups, showing how the DPRK is extending to collaborate with cybercrime groups and take over funds to support their government.

The Ugly

The real-world impact of cybercrime and ransomware is mostly seen through the lens of financial implications, but as we’ve noted before there are other costs, including brand reputation, customer trust, and even stock price. Unfortunately, some businesses are unable to recover and pay the ultimate cost. This week we learned of yet another organization that could not survive after a crippling cyberattack.

After 157 years in operation, Lincoln College in Illinois is closing its doors after a run of financial setbacks in the wake of the COVID-19 pandemic that were further compounded by a ransomware attack last December.

The attack directly impacted the college’s ability to raise funds from admission activities, caused a complete loss of access to all institutional data and resulted in denial of service for systems related to recruitment, retention and fundraising.

The institution, which saw record-breaking enrollment during 2019 but then suffered heavily as the pandemic bit into its financial activities, had put into place a recovery plan that was upended by December’s cyberattack.

Sadly, despite having survived the economic crises of 1887 and 2008, a campus fire in 1912, the Spanish flu in 1918, the Great Depression, and two World Wars, cybercriminals have ensured this venerable institution will not outlive the COVID-19 pandemic. David Gerlach, president of Lincoln College, said “The loss of history, careers, and a community of students and alumni is immense.”