Portuguese national Diogo Santos Coelho launched one of the world's biggest hacking forums in 2015 when he was just 14 years old. The FBI chose not to intervene until he was old enough to be tried as an adult.
In the coming months, a UK judge will decide whether to grant a US extradition request for a 14-year-old boy who started one of the world’s most popular hacking forums, RaidForums.
Known online as 'Omnipotent', the teenager ran the online forum which began with innocent pranks on streaming service Twitch users, but soon led to life-threatening hoaxes and selling stolen data.
The FBI long knew who Omnipotent was – Portuguese national Diogo Santos Coelho. But they didn’t arrest him until he was old enough to be tried as an adult, leading some to question whether authorities should have intervened earlier.
RaidForums: Pranks, bomb threats, and data leaks
"Omnipotent, he started RaidForums so he could start his own raiding platform. The idea basically emerged with pranking people by abusing the live stream. If one livestream is over on Twitch, Twitch would allow all of those viewers to go to someone else's Twitch," explained Waqas Ahmed, Cybersecurity Writer at HackRead Media.
"It started as a good idea that turned into disastrous pranks. They would bully people. They would give bomb threats."
"Raidforums was the go-to-forum for leaks and hacks. It was a huge, not only forum, but also a trading platform, exchange platform," said Marco Preuss, Director of GReAT at Kaspersky Europe.
"The intention behind leaking data was initially just to show off that how good a hacker that person is. They would leak data and they would get compliments from others and they would go for even bigger fish," Waqas Ahmed revealed.
The young hackers soon realised the value of the data they were able to access and began selling it.
"That's when Omnipotent, he started to allow everything. He started providing middleman services for cybercriminals and hackers [...] Raidforums made millions of dollars. The FBI, they knew Omnipotent's identity for the last five years, when he was a teenager."
"The FBI knew because he went to the United States on a visit. He was immediately taken into custody where his devices were seized, but they didn't arrest him," said Waqas Ahmed.
"He was a minor. He wouldn't get much time in prison. So they let him run the platform [...] they use it as a honeypot to collect as much information they can on buyers and vendors and then shut it down."
On 12 April 2022, the US Attorney's Office announced that the FBI had seized the RaidForums' database and that the US had filed an extradition request with the UK for Diogo Santos Coelho after he was arrested in the United Kingdom, at the request of US law enforcement.
Now faced with a potentially lengthy prison sentence in the US, experts have raised concerns over the mental well-being of the suspect, and whether the fact he was a minor when he launched the site will be taken into consideration by the judge.
Accountability and consequences
"Children should absolutely never be tried as adults for their crimes," says Dr Kelli Dunlap, a Clinical Psychologist and Game Designer.
"Should they be held accountable? Yes. Should there be consequences for their actions? Yes. Should those consequences be the same as an adult that has a fully functioning prefrontal cortex? No."
"It's not uncommon for the defendants to be exposed to de facto life sentences in the US," said specialist extradition lawyer, Ben Cooper KC.
"The US prosecutors will essentially start from the point of adulthood, ignoring the fact that some of the conduct may have taken place when the defendant was a minor."
"Quite often, particularly in the cybercrime cases, the defendants are undiagnosed with autism spectrum disorder. There's a long-standing underfunding of the federal penitentiary system in the United States. And so particularly with autism, the prisons are not attending to the vulnerabilities that arise with that condition," Ben Cooper added.
"I think we have to cut these people some slack," admitted Alexander Urbelis, a Cybersecurity Lawyer at Crowell and Moring.
"We have an extraordinarily talented group of individuals who are figuring out how systems work. They may transgress a lot of boundaries acquiring that knowledge, and they may wreak a lot of havoc. But I think it would be wrong to mete out extraordinarily harsh or disproportionate criminal consequences to people who may not necessarily understand the consequences of their actions," he concluded.