ShinyHunters, the group behind BreachForums, has confirmed the seizure and announced that all forum and escrow database backups since 2023, along with the backend servers, are now in the hands of law enforcement. Despite the takedown, the group claims that no one on the core admin team has been arrested and that their separate data leak site on the dark web is still operational.
The FBI, working alongside French law enforcement, seized all domains for the BreachForums hacking forum last night. Run by the ShinyHunters group, the site was primarily used as a portal for leaking corporate data stolen in ransomware and extortion attacks. The coordinated action took control of the site's web infrastructure just before hackers affiliated with the group, operating under the Scattered Lapsus$ Hunters name, were set to leak data stolen in a large Salesforce-related campaign from companies that had refused to pay a ransom.
Following the seizure, the cybercriminals confirmed the takedown of BreachForums in a Telegram message signed with the ShinyHunters PGP key. In the message, the group stated that the seizure was inevitable and declared that "the era of forums is over." BleepingComputer independently verified that the site is now under law enforcement control, noting that the domain records were last updated on October 9 and that the nameservers had been switched to those the FBI uses for seized domains.
After analyzing the situation, ShinyHunters concluded that all BreachForums database backups since 2023 have been compromised, along with all escrow databases from the forum’s latest reboot. The group also confirmed that the backend servers were seized. However, they pointed out that their separate data leak site on the dark web remains online. The group’s core admin team confirmed that none of them have been arrested, but they will not be launching another version of BreachForums, advising that such sites should now be viewed as “honeypots.”
According to the hackers, the same core team behind BreachForums had planned multiple forum reboots after the takedown of RaidForums, using figures like “pompompurin” as fronts. The group emphasized that the seizure would not impact their Salesforce campaign and that the data leak, which they claim contains over a billion customer records, was still scheduled for later today. A long list of affected companies, including FedEx, Google, Disney/Hulu, and Marriott, can be found on their dark web leak site.
It is important to note that the version of BreachForums seized by authorities differed from earlier iterations of the platform. Instead of a general cybercrime forum and marketplace for stolen information, this version functioned primarily as a data extortion site for high-profile campaigns, such as the Salesforce data-theft campaign currently at the center of the group's leak threats, publishing data from specific, targeted attacks rather than trading in it.