BreachForums Seized Once Again, What is Next?

The FBI has taken control of BreachForums, which was known for leaking and selling stolen corporate data to cybercriminals. The seizure happened yesterday, shortly after the site was used to leak data stolen from a Europol law enforcement portal. In this way, the forum experienced the same fate once again. But let’s see what is behind this event and what will happen in the future.

Seizure announcement

From RaidForums to Breached

BreachForums quickly emerged as a hot topic among mainstream media discussions about dark web forums, especially after RaidForums was closed and Breached took its place. So, the story began when a known threat actor, Pompompurin, launched Breached after RaidForums’ demise.

A year later, Breached was quite popular, and this notoriety led to Pompompurin’s arrest by US law enforcement on March 15, 2023. However, the subsequent closure of Breached did not mark the end. Instead, a new team revived the forum as BreachForums, which swiftly became the focal point, succeeding where previous forums had been silenced.

The Rebirth Under ShinyHunters

On June 12, 2023, Breached returned as BreachForums under the banner of ShinyHunters, one of the most active threat groups on Breached. Despite initial skepticism over its legitimacy, with some fearing it was an FBI trap, a PGP-signed message from a former administrator, Baphomet, confirmed its return. ShinyHunters, notorious for significant alleged data breaches targeting companies like Tokopedia and Microsoft’s GitHub, continued to draw attention for selling stolen data.

Judgement Day

Yesterday, on May 15, 2024, the FBI seized the notorious BreachForums, which leaked and sold stolen corporate data to other cybercriminals. The seizure occurred soon after the site was used last week to leak data stolen from a Europol law enforcement portal.

Telegram post about the seizure

The website displayed a message stating that the FBI has taken control over it and the backend data, indicating that law enforcement seized both the site’s servers and domains. The seizure message also shows the two forum profile pictures of the site’s administrators overlaid with prison bars.

The Federal Bureau of Investigation (FBI) is investigating the criminal hacking forums known as BreachForums and Raidforums. (ic3.gov)

If law enforcement has gained access to the hacking forum’s backend data, as they claim, they would have email addresses, IP addresses, and private messages that could expose members and be used in law enforcement investigations. The FBI has also seized the site’s Telegram channel and other channels owned by Baphomet, with law enforcement sending messages stating it is under their control.

The Aftermath and Speculations

Following the takedown of BreachForums, rumors about it being a honeypot and key members being arrested have been rife. While ShinyHunters, one of the administrators, has stated that Baphomet has been arrested, there is no official confirmation from law enforcement agencies. ShinyHunters, the other administrator, has also claimed that almost all infrastructure has been seized by the FBI, and the forum’s future remains uncertain.

A message from ShinyHunters, forwarded by IntelBroker (an important member and recent moderator of BreachForums). Baphomet was the second-in-command at Breached and a founder of BreachForums with ShinyHunters. The image and text reference Cowboy Bebop, whose main protagonist was in Baphomet’s profile picture.

However, USDoD, another threat actor in the forum, has assured the community that efforts are underway to reopen the forum. He stated, “This is not the end, it is an opportunity for a new beginning.”

USDoD’s message on X

An important detail is that USDoD had claimed that suspicious things were going on with BreachForums, as if he saw this day coming. He was even asked about this in his interview on DailyDarkWeb.

An earlier message of USDoD on X

A part of the interview: What are your thoughts on the current state of BreachForums? You mentioned some of your doubts in a tweet. Is this suspicion one of the reasons why you have your own channel on Telegram now?

– “I took this as an opportunity. Astounding trusted me a lot to keep his legacy and I’m doing it right now, and about the BreachForums situation: that is what my intuition is telling me about.

I don’t have any concrete evidence but still I have that intuition telling me that something is coming. But after my posts on Twitter it seems that the staff fixed most of the issues, but they still have a way to go on it.

I hope everyone keeps an eye open and I hope everything stays good and ok with the BreachForums system and staff.”

Apart from USDoD, ShinyHunters recently confirmed in an official announcement on BreachForums’ Telegram channel that Baphomet has been arrested, resulting in the FBI seizing nearly all of their infrastructure.

A final message stated that the domain has been recovered. Now, when attempting to access the forum, instead of seeing the FBI seizure notice, you will be redirected to the Telegram channel Jacuzzi 2.0 (formerly Jacuzzi), which is used by the hacking forum community.

Domain address has been recovered for now by ShinyHunters(?)

However, that channel also appears to have been seized, and another Telegram channel is currently open for the community.

Most recent Telegram channel

Conclusion

In summary, BreachForums was the successor of a string of hacking forums used to trade, sell, and leak stolen data, as well as sell access to corporate networks and other illegal cybercrime services. Despite the significant law enforcement actions, the community remains resilient. While BreachForums may be down for now, history suggests that another forum will eventually rise to fill the power vacuum left behind.

As cybersecurity professionals, it’s crucial to stay informed about these developments, as they underscore the ever-evolving landscape of cyber threats. The battle between law enforcement and cybercriminals is ongoing, and each new forum that emerges continues to challenge global cybersecurity efforts.

The SOCRadar blog post will continue to be updated as events develop. Stay tuned!

Article Link: https://socradar.io/breachforums-seized-once-again-what-is-next/