BreachForums is Offline: A New Twist or Just Another Cyber Shenanigan?

[Update] April 28, 2025: “BreachForums Administration Finally Responds”

[Update] April 25, 2025: “Is BreachForums Finished? Admin Quits, Source Code Allegedly on Sale”

[Update] April 24, 2025: “BreachForums Reboots”

[Update] April 18, 2025: “FBI Seizure Claims and Admin Disappearances”

BreachForums, a hacker forum, has been taken offline again. Early Tuesday morning (ET), claims emerged on Telegram that a group identifying as the Dark Storm Team was responsible for a Distributed Denial-of-Service (DDoS) attack against the site. However, multiple signals and the nature of “hacktivist” groups indicate that these claims should be cautiously approached.

A History of Seizures and Reboots

BreachForums has earned notoriety as a hub for illicit trading of stolen personal data—a role that has repeatedly drawn the attention of law enforcement. Its legacy includes several dramatic episodes:

• March 2023: The arrest of BreachForums’ founder, known by the alias Pompompurin (Conor Brian Fitzpatrick), led to its initial FBI seizure.
• Subsequent Revivals and Takedowns: Despite attempts to resurrect the platform—first by a second-in-command and later by self-proclaimed operators like Shiny Hunters and rival personas like USDoD—the site has repeatedly been shut down by authorities but has come back.

SOCRadar’s article “BreachForums Seized Once Again – What Is Next?” provides insights into the platform’s volatile trajectory and history.

Unconfirmed Claims: The Dark Storm Team and IntelBroker

The latest rumor centers on the assertion made on a Telegram channel that the platform has been attacked by a group calling itself the Dark Storm Team.

A link on the channel allegedly demonstrated that the site was down in more than two dozen countries.

Dark Storm’s Unverified Claim

There is no consensus or confirmation from multiple independent sources validating Dark Storm’s involvement. Many experts have warned that such claims might be part of a broader narrative intended to confuse or manipulate the cybercrime community.

Was IntelBroker Arrested?

Similarly, reports about the arrest of IntelBroker—a key figure associated with BreachForums—are uncorroborated at this time.

For further context on IntelBroker’s profile and the emerging narratives, see SOCRadar’s analysis of IntelBroker.

What’s Really Happening?

Whether the latest disruption is real or just another case of cyber smoke and mirrors, one thing is clear: forums like BreachForums are far from stable ground. Repeated seizures and rebrands show a pattern—one where the underground scene may either continue splintering or regroup under new names we haven’t heard of yet.

As for claims like those from “Dark Storm”? It’s best to stay skeptical. These kinds of posts often serve more to stir the pot than offer anything concrete — and, in some cases, to promote their own services. Dark Storm, for example, sells a DDoS tool, so these claims may also double as marketing stunts.

Meanwhile, the former face of BreachForums—Conor Brian Fitzpatrick (aka Pompompurin)—was back in the legal spotlight. After receiving just 17 days of jail time and a long probation, an appeals court threw out the sentence, calling it far too lenient.

This isn’t directly related to the current forum takedown rumors, but it’s a reminder: law enforcement and the justice system haven’t forgotten about BreachForums. Fitzpatrick’s case still casts a long shadow over the cybercrime forum.

What Can We Conclude?

The latest BreachForums outage follows a pattern of recurring disruptions. Whether it’s a genuine attack, a law enforcement action, or simply another unverified claim, the fact remains that these hacker forums are inherently unreliable. Many claims—like those from “Dark Storm”—appear designed more to promote services, such as their DDoS tools, rather than to report actual events.

Due to the high level of misinformation circulating, we have skipped over some of these claims. We will continue to monitor the situation and update our coverage as verified information becomes available.

To navigate this complex landscape, advanced Dark Web Monitoring by SOCRadar is essential. This solution provides real-time visibility into underground forums and channels, helping organizations filter out the noise and focus on actionable threat intelligence.

FBI Seizure Claims and Admin Disappearances

As of April 18, 2025, rumors have resurfaced that BreachForums may once again have been seized by the FBI. Multiple sources suggest suspicious developments, including HELLCAT ransomware affiliate “Rey” on X and posts from the forum’s Telegram channel.

Rey stated that on April 15, the site went offline without notice and that administrator “Anastasia’s” Telegram handle was taken over and redirected to an FBI-controlled IC3 channel. Around the same time, moderator “ShinyHunter” allegedly removed staff from the internal group and deleted his Telegram account, while another moderator, “Hollow,” stopped responding and changed his visibility settings. These moves, combined with activity seen on the supposed FBI_BreachForums Telegram channel, have fueled speculation that another coordinated law enforcement action has taken place.

BreachForums Reboots

After going offline on April 15, 2025, BreachForums 2 has reappeared under a new domain: breached[.]fi, as confirmed by the forum’s current administrator, “Normal.” According to a public announcement made just hours ago, the forum is officially back online, with a .onion backup also available for redundancy.

However, the revival comes with significant caveats: no user data or prior content from the previous site will be restored. According to administrators, this decision follows the seizure of the breachforums[.]st infrastructure. All past data is being treated as compromised, and users are urged to assume their prior identities and contributions are exposed.

To mitigate risks, several security-first changes have been made:

• Shoutbox has been disabled due to past vulnerabilities.
• A new upgrade system is being developed, though for now, users must manually request account upgrades via private message.
• Mirror domains will be published soon.

Despite the relaunch, skepticism surrounds the forum’s authenticity. Threat actors like “Rey” have voiced concerns that the new domain could be a law enforcement honeypot, casting doubt on whether this is a legitimate continuation or a trap.

The absence of verifiable PGP linkage with the site’s canary further fuels distrust. DarkWebInformer and others in the threat intelligence community have questioned the site’s authenticity, especially given that it is not operated by original BreachForums staff.

Still, some actors like @grepHC have vouched for the platform, stating, “I can confirm this is me. The forum is not run by the Fed and is the unique alternative.” Whether these reassurances are enough to regain trust remains to be seen.

With rising suspicions, many threat actors may choose to migrate to alternative platforms, further fragmenting the cybercrime ecosystem once dominated by BreachForums.

Is BreachForums Finished? Admin Quits, Source Code Allegedly on Sale

Following the sudden reappearance of the site at breached[.]fi, a message briefly appeared on the homepage, allegedly posted by former administrator “Anastasia.” The message claimed that both “IntelBroker” and “Shiny” had been arrested and that the FBI would announce details soon. Anastasia also stated that she had resigned from the forum and considered BreachForums permanently shut down.

In the same post, a full backup of the forum’s database and its source code, dated April 10, 2025, was offered for sale for $2,000, with a Session ID provided for contact. Though the message has since been removed, it fueled a wave of speculation and confusion across dark web circles.

Rumors about the arrests remain unconfirmed, and authorities have released no official statement.

BreachForums Administration Finally Responds

Following a period of uncertainty, BreachForums administrators released a PGP signed message providing further clarification on the situation. According to the statement, the forum was voluntarily taken offline after trusted sources confirmed an infiltration attempt linked to global law enforcement agencies. While no compromise of infrastructure or data breach occurred, the administrators initiated a full incident response process and identified a vulnerability tied to a MyBB zero-day exploit.

Statement of BreachForums Administration

The team apologized for the lack of communication during this period and stated that they are now focused on a full backend rewrite to strengthen platform security. Additionally, they warned users against interacting with emerging BreachForums clones. Despite ongoing rumors, they reaffirmed that no arrests have taken place and that their priority remains the safety of the community and infrastructure.