SOCRadar® Cyber Intelligence Inc. | BreachForums Seized Once Again, What is Next?

May 16, 2024

BreachForums Seized Once Again, What is Next?

[Update] July 24, 2024: “Threat Actor Emo Leaks Personal Information of 212,414 BreachForums 1.0 Members”

[Update] June 13, 2024: “BreachForums Back Online, Again”

[Update] June 10, 2024: “ShinyHunters Disappeared”

[Update] May 28, 2024: “BreachForums’ Clearnet Domain Returns”

[Update] May 17, 2024: “Breach Nation – A New Community on the Horizon”

The FBI has taken control of BreachForums, a forum known for leaking and selling stolen corporate data to other cybercriminals. The seizure happened yesterday, shortly after the site was used to leak data stolen from a Europol law enforcement portal, so the forum has met the same fate as its predecessors once again. Let’s look at what lies behind this event and what may happen next.

Seizure announcement

From RaidForums to Breached

BreachForums quickly became a recurring topic in mainstream coverage of dark web forums, especially after RaidForums was shut down and Breached took its place. The story began when a known threat actor, Pompompurin, launched Breached after RaidForums’ demise.

A year later, Breached had become very popular, and that notoriety drew law enforcement attention: Pompompurin was arrested by US authorities on March 15, 2023. The closure of Breached that followed was not the end, however. A new team revived the forum as BreachForums, which quickly became the new focal point of the scene and succeeded where earlier forums had been silenced.


The Rebirth Under ShinyHunters

On June 12, 2023, Breached returned as BreachForums under the banner of ShinyHunters, one of the most active threat groups on the old Breached. Despite initial skepticism over its legitimacy, with some fearing it was an FBI trap, a PGP-signed message from a former administrator, Baphomet, confirmed its return. ShinyHunters, notorious for significant alleged data breaches targeting companies such as Tokopedia and Microsoft’s GitHub repositories, continued to draw attention by selling stolen data.


Judgement Day

Yesterday, on May 15, 2024, the FBI seized the notorious BreachForums, which leaked and sold stolen corporate data to other cybercriminals. The seizure occurred soon after the site was used last week to leak data stolen from a Europol law enforcement portal.

Telegram post about the seizure

The website displayed a message stating that the FBI has taken control of the site and its backend data, indicating that law enforcement seized both the forum’s servers and its domains. The seizure banner also shows the forum profile pictures of the site’s two administrators overlaid with prison bars.

The Federal Bureau of Investigation (FBI) is investigating the criminal hacking forums known as BreachForums and Raidforums. (ic3.gov)

If law enforcement has gained access to the forum’s backend data, as the banner claims, it now holds email addresses, IP addresses and private messages that could expose members and feed further investigations. The FBI has also seized the site’s Telegram channel and other channels owned by Baphomet, posting messages stating that they are under its control.

The Aftermath and Speculations

Following the takedown of BreachForums, rumors that the forum was a honeypot and that key members have been arrested have been rife. ShinyHunters, the remaining administrator, has stated that Baphomet, the other administrator, has been arrested, but there is no official confirmation from law enforcement. ShinyHunters has also claimed that almost all of the forum’s infrastructure has been seized by the FBI, leaving its future uncertain.

A message from ShinyHunters, forwarded by IntelBroker (a prominent member and recent moderator of BreachForums). Baphomet was second-in-command on Breached and co-founded BreachForums with ShinyHunters. The image and text reference Cowboy Bebop, whose protagonist was Baphomet’s profile picture.


However, USDoD, another threat actor on the forum, has assured the community that efforts are underway to reopen it. He stated, “This is not the end, it is an opportunity for a new beginning.”

USDoD’s message on X

An important detail about USDoD is that he had earlier claimed something suspicious was going on with BreachForums, as if he saw this day coming. He was even asked about it in his interview with DailyDarkWeb.

An earlier message of USDoD on X

A part of the interview: What are your thoughts on the current state of BreachForums? You mentioned some of your doubts in a tweet. Is this suspicion one of the reasons why you have your own channel on Telegram now?

– “I took this as an opportunity. Astounding trusted me a lot to keep his legacy and I’m doing it right now, and about the BreachForums situation: that is what my intuition is telling me about.

I don’t have any concrete evidence, but still I have that intuition telling me that something is coming. But after my posts on Twitter it seems that the staff fixed most of the issues, but they still have a way to go on it.

I hope everyone keeps their eyes open and I hope everything stays good and OK with the BreachForums system and staff.”


Apart from USDoD’s comments, ShinyHunters recently confirmed in an official announcement on BreachForums’ Telegram channel that Baphomet has been arrested, and that the FBI seized nearly all of their infrastructure as a result.

A final message stated that the domain has been recovered. Now, when attempting to access the forum, instead of seeing the FBI seizure notice, you will be redirected to the Telegram channel Jacuzzi 2.0 (formerly Jacuzzi), which is used by the hacking forum community.

Domain address has been recovered for now by ShinyHunters(?)

However, that channel also appears to have been seized, and another Telegram channel is currently open for the community.

Most recent Telegram channel

Breach Nation – A New Community on the Horizon

Shortly after the BreachForums seizure, USDoD announced plans to establish his own hacking forum, and even set a launch date for it. Let’s take a look at USDoD’s post on X regarding this development.

“Dear Community,

I hope this message finds you well.

I have been working tirelessly for the past 24 hours on a new community project. Currently, I am managing two servers:

A smaller server hosting my Content Delivery Network (CDN) with the following specifications:

8TB storage, 1Gbps bandwidth, Unlimited traffic, 32GB RAM

A larger server acquired recently, equipped with:

40TB storage, 32GB RAM, 1Gbps bandwidth, Unlimited traffic

The larger server will host the entire new CDN for the community, while the smaller one will run the system and forum. They will operate independently to ensure optimal performance.

The new domains will be breachnation.io and databreached.io, with a planned launch date of July 4, 2024, coinciding with Independence Day.

As you may know, the BF V2 community has grown to 150,000 members. Unlike the previous owner, I am not driven by profit. As a token of goodwill, the first 200,000 users will receive the latest upgraded version of the member rank.

There are others, such as Shinyhunters and his team, who plan to create their own forum. However, I urge you to consider Shinyhunters’ past performance on BF V2 before making a decision.

Why should you join a new forum led by a team with a poor track record? Instead, consider giving a chance to someone who genuinely cares, loves the work, has proven their value, and has worked their way to the top without the luxury of an unlimited budget.

I am here to lead, and whether you like it or not, I am determined to succeed, even without the support of the former staff.

My goal is to revive the community and provide opportunities for everyone. I am not affiliated with the old staff, but I promise to do a better job and keep the legacy alive.

I am not concerned with who is in charge at the Department of Justice or who the FBI director is. My focus is on keeping the system running.

Regarding the CDN with all databases, I have a plan. I cannot promise to have a full CDN at launch, but I am working on it.

At present, I am the sole admin and staff member. I am aware of individuals who were active previously, but for now, I do not plan to appoint anyone as staff for security reasons and due to a limited circle of trust.

I appreciate all the support and feedback. If a significant portion of the community dislikes the domain, I am open to providing a new one. Your feedback is crucial in every decision.

To make things right, I need the community on my side. You don’t need to be staff to have a voice or to help us in this new phase. It will be a process, and everyone is welcome.”

As the statement suggests, USDoD is seizing the opportunity and appears to be inciting conflict among threat actors. Although ShinyHunters has not provided any new information about their “novel” forum, they did comment on USDoD in a recent message.

USDoD’s answer to ShinyHunters

Lastly, the BreachForums domain redirects to the Jacuzzi 2.0 (mentioned above) Telegram channel for now.

Conclusion

In summary, BreachForums was the successor of a string of hacking forums used to trade, sell, and leak stolen data, as well as sell access to corporate networks and other illegal cybercrime services. Despite the significant law enforcement actions, the community remains resilient. While BreachForums may be down for now, history suggests that another forum will eventually rise to fill the power vacuum left behind.

As cybersecurity professionals, it’s crucial to stay informed about these developments, as they underscore the ever-evolving landscape of cyber threats. The battle between law enforcement and cybercriminals is ongoing, and each new forum that emerges continues to challenge global cybersecurity efforts.

The SOCRadar blog post will continue to be updated as events develop, stay tuned!

BreachForums’ Clearnet Domain Returns

In a surprising turn of events, the previously seized clearnet domain of BreachForums, breachforums[.]st, is back online. The domain was initially taken down by the FBI during the recent law enforcement crackdown on the infamous hacking forum.

ShinyHunters made an announcement about BreachForums’ comeback on Telegram (X)

The forum’s unexpected resurgence indicates its operators’ resilience and adaptability, raising concern. As BreachForums regains its footing, the tug-of-war between cybercriminals and law enforcement continues unabated.

Update May 30, 2024

The statement about BreachForums was posted on the Telegram channel of a threat group

The unexpected reappearance of BreachForums online has fueled rumors among threat actors, reignited discussions about the forum potentially being a law enforcement honeypot, and raised suspicions about ShinyHunters.

ShinyHunters Disappeared

Following the recent seizure of BreachForums, more details keep emerging from various sources. As we last reported, BreachForums returned with both a clearnet and a Tor address. Although it was less populated than before because many threat actors remained suspicious of it, it still hosted major breaches within a very short time.

Lastly, as reported by Daily Dark Web, the forum’s last remaining administrator, ShinyHunters, has disappeared and their Telegram accounts have been banned. The current BreachForums domains are down as well. One might speculate that ShinyHunters has been identified and apprehended by law enforcement, although nothing has been confirmed. This has raised new concerns about the forum’s future and, once again, about the potential exposure of its users’ identities.

Clearnet and Tor domains for BreachForums are down (DDW)

Other threat actors also claim that ShinyHunters have disappeared for good.

A Telegram message in SecretForums’ chat

They even took advantage of this situation and started trying to attract BreachForums members to their forums.

Pinned message on SecretForums’ Telegram

The USDoD also commented on the situation on X, stating that he anticipated this outcome for BreachForums. He further mentioned that he would soon provide details about his plan to establish a new “BreachForums.”

USDoD-TA’s last post about BF (X)

BreachForums Back Online, Again

BreachForums and ShinyHunters have returned online following a series of setbacks. According to ShinyHunters, the forum faced several issues, including their SMTP host being blacklisted by Spamhaus, NGINX configuration problems, and the banning of their Telegram account along with the “Jacuzzi 2.0” group. Due to these challenges, ShinyHunters announced that they are leaving Telegram and feel less motivated to maintain the forum, although it will remain operational. They mentioned that Hollow is likely to take over as the new owner.

ShinyHunters’ statement (DDW)

Threat Actor Emo Leaks Personal Information of 212,414 BreachForums 1.0 Members

The BreachForums v1 database has allegedly been leaked by a threat actor going by Emo. Emo reports that Conor Fitzpatrick (Pompompurin), while out on bail in June 2023, attempted to sell the data for $4,000, and claims that three threat actors eventually bought it. Fitzpatrick was rearrested in January 2024 for violating his pretrial release conditions, including using an unmonitored computer and a VPN; it is unclear whether this is related to the alleged sale of the BreachForums data.

In July 2023, someone using the handle ‘breached_db_person’ tried to sell the BreachForums database for $100,000–$150,000. Troy Hunt confirmed that the data leaked by Emo matches that dataset, and it has been added to Have I Been Pwned.

The leak post in Telegram (Daily Dark Web)

Emo said the leaked data comes from a November 2022 backup of the BreachForums database and contains user IDs, login names, email addresses and IP addresses. The data is formatted as tab-separated values rather than as a MyBB database dump, which suggests a manual export. While law enforcement most likely already holds this data, it remains valuable for security researchers tracking threat actors.
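As an added illustration of how a researcher would triage an export like the one described above (a tab-separated user table with user ID, login name, email and IP), here is a small Python script. It is not SOCRadar’s code and not derived from the real dump; the column layout (uid, username, email, ip) is an assumption, and every sample row is constructed with documentation-range IPs and example.* domains. It normalises emails so that Gmail dot and plus-tag aliases collapse together, validates IPs, flags non-routable addresses that cannot serve as attribution leads, and pivots on shared IPs and shared normalised emails to surface accounts that may belong to the same person. A shared IP in a forum dump is a lead, not proof: many members log in through VPNs or Tor exits, so two accounts on one address may simply share an exit node.

```python
"""Triage a leaked forum user export.

Assumed columns (tab-separated, with header row): uid, username, email, ip.
The sample rows below are constructed for this example; no real accounts.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export. Documentation ranges (RFC 5737) and example.* domains only.
SAMPLE_TSV = """uid\tusername\temail\tip
1\talice\tAlice@gmail.com\t203.0.113.10
2\tbob\tbob@example.net\t198.51.100.7
3\tcarol\ta.l.i.c.e+forum@gmail.com\t203.0.113.10
4\tdave\tdave@example.org\t10.0.0.5
5\teve\tnot-an-email\t999.1.1.1
"""

# Ranges that can never identify a member: RFC 1918, loopback, link-local, IPv6 ULA/link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def normalize_email(addr):
    """Lowercase the address; for Gmail, drop dots and +tags so aliases compare equal.
    Returns None when the value is not a plausible address."""
    addr = addr.strip().lower()
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    if not local or not domain or "." not in domain:
        return None
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def parse_ip(text):
    """Return an ip_address object, or None if the field is not a valid IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def load_records(tsv_text):
    """Parse the export and attach data-quality flags to each row."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    records = []
    for row in reader:
        rec = {
            "uid": int(row["uid"]),
            "username": row["username"].strip(),
            "email": normalize_email(row["email"]),
            "ip": parse_ip(row["ip"]),
            "flags": [],
        }
        if rec["email"] is None:
            rec["flags"].append("bad_email")
        if rec["ip"] is None:
            rec["flags"].append("bad_ip")
        elif any(rec["ip"] in net for net in NON_ROUTABLE):
            # Reverse-proxy or logging artefact; useless for attribution.
            rec["flags"].append("non_routable_ip")
        records.append(rec)
    return records


def pivot(records, key):
    """Group usernames by a field value; keep only values shared by 2+ accounts."""
    groups = defaultdict(list)
    for r in records:
        if r[key] is not None:
            groups[str(r[key])].append(r["username"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def triage(tsv_text):
    """Summarise an export: counts, shared-IP and shared-email pivots, flagged rows."""
    records = load_records(tsv_text)
    return {
        "total": len(records),
        "shared_ips": pivot(records, "ip"),
        "shared_emails": pivot(records, "email"),
        "flagged": {r["username"]: r["flags"] for r in records if r["flags"]},
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_TSV)
    print(f"{summary['total']} accounts parsed")
    for ip, users in summary["shared_ips"].items():
        print(f"shared IP {ip}: {', '.join(users)}")
    for email, users in summary["shared_emails"].items():
        print(f"shared email {email}: {', '.join(users)}")
    for user, flags in summary["flagged"].items():
        print(f"flagged {user}: {', '.join(flags)}")
```

Running it on the constructed sample links alice and carol through both a shared IP and a Gmail alias, drops dave’s RFC 1918 address as unusable, and rejects eve’s malformed email and IP. With a real export the same pivots are what you would feed into further enrichment (ASN and hosting-provider lookups, Tor exit lists, breach-corpus cross-referencing), none of which this offline example performs.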