BreachForums Seized (Yes, Again)

The U.S. Department of Justice, FBI, and France’s BL2C cybercrime unit, with support from the Paris Prosecutor’s Office, have seized the latest BreachForums domain, marking another major disruption in the battle against the cybercrime group ShinyHunters and its partners, now operating under the Scattered Lapsus$ Hunters name.

The seized domain, breachforums[.]hn, had moved away from its usual forum model and was instead running as a leak and extortion portal tied to an ongoing campaign targeting Salesforce and its corporate customers.

Seizure announcement

Visitors to the site now see a seizure notice displaying U.S. and French law enforcement logos. The clearnet version is down, but the onion site remains active.

From Hacking Forum to Extortion Platform

In early October, BreachForums appeared to post a farewell message that hinted at a shutdown. Within days, the same domain resurfaced as a dedicated extortion site. The portal was built to publish data stolen from Salesforce customers who refused to meet ransom demands.

Onion domain is still active at the time of writing

Victims reportedly include Qantas, Disney, McDonald’s, UPS, and several other large firms affected by the group’s social engineering campaign.

“Doomsday” deadline posted on their Telegram channel

The group’s pinned post on Telegram warned that data from non-paying victims would be released at 11:59 PM New York time on October 10, 2025. 

Hackers Admit Loss and Confirm the Seizure

Following the domain’s takedown, ShinyHunters published a PGP-signed statement confirming that BreachForums had been seized:

“BreachForums was seized by the FBI and international partners today. All our domains were taken from us by the U.S. Government. The era of forums is over.”

The group said the operation “has no impact” on its ongoing Salesforce campaign but admitted that the BreachForums servers and backups were destroyed. They also claimed that database archives and escrow data from as far back as 2023 were compromised.

ShinyHunters’ PGP-signed statement

A Brief Timeline of BreachForums

To understand how we got here, it helps to look back at BreachForums’ long and chaotic history. What started as a replacement for RaidForums in 2022 turned into one of the most persistent cybercrime hubs of the decade. Each takedown led to a quick comeback, often under new leadership, until the network became a revolving door of seizures, arrests, and rebuilds. The timeline below highlights the key events that shaped BreachForums’ rise and repeated fall.

| Date | Event | Summary |
|---|---|---|
| Mar 2023 | Arrest of Pompompurin | Original founder Conor Fitzpatrick arrested in New York. |
| Jun 2023 | First domain seizure | Three months after the arrest, the FBI and partners seize the BreachForums clearnet site. |
| May 2024 | Second major takedown | Rebooted forum run by ShinyHunters seized again. |
| Apr–Aug 2025 | Admin arrests | French and U.S. operations capture multiple BreachForums operators. |
| Sep 2025 | Fitzpatrick resentenced | Three-year prison term for the original admin. |
| Oct 10, 2025 | Latest seizure | Clearnet leak portal seized amid the Salesforce extortion campaign. |

This pattern of repeated shutdowns and reappearances shows a long cat-and-mouse game between BreachForums operators and law enforcement. However, each new iteration has become shorter-lived, and its recovery slower. They tried so hard and got so far, but, in the end, it wasn’t even a forum.

Who Is Scattered Lapsus$ Hunters?

Scattered Lapsus$ Hunters is a recent alliance combining members or methods from Scattered Spider, LAPSUS$, and ShinyHunters. Their operations focus on social engineering, vishing, and abusing connected applications to gain access to victim systems, especially targeting Salesforce and other SaaS platforms.

Instead of exploiting software flaws, they rely on tricking employees or contractors into granting access or installing tools. Once inside, they move laterally, steal data, and use the threat of leaks to push companies into paying ransoms. Because BreachForums had become their leak and extortion platform, the seizure represents a direct hit to their infrastructure and visibility. Still, the group remains active.

Advanced Dark Web Monitoring with SOCRadar

With the seizure of the domain, law enforcement has delivered another blow to cybercrime. Yet the Dark Web presence remains alive—and that is where threat actors tend to regroup.

Continuous visibility across underground spaces is critical. With SOCRadar’s Dark Web Monitoring, security teams can detect early signs of exposure, track actor movements, and identify leaked data or credentials before they spread. The platform provides real-time alerts on new mentions, compromised assets, and chatter linked to known threat groups.

Article Link: https://socradar.io/breachforums-seized-yes-again/
