BreachForums Seized by FBI: Inside the Notorious Cybercrime Marketplace



Seizure notice displayed on BreachForums on May 15, 2024


Background

From June 2023 to May 2024, BreachForums, run by ShinyHunters and Baphomet, was an active hacking forum for cybercriminal activities, facilitating the trading of stolen goods and services, such as access devices, personal identifiers, hacking tools, and breached data. 

Prior to this, another iteration of BreachForums was operational from March 2022 until March 2023, managed by “pompompurin” and hosted at different domains. This platform similarly served as a hub for cybercriminal exchanges. Last year, authorities seized it three months after arresting its administrator, Conor Brian Fitzpatrick, aka pompompurin. After that, the second administrator, going by the online handle Baphomet, took over and re-established the site, which had several different domains over the last year. The ShinyHunters group joined Baphomet as administrators.

Both versions followed the closure of RaidForums, a precursor hacking forum that operated under Omnipotent’s management from early 2015 until February 2022. 


By the Numbers: Post Volume Across BreachForums' Iterations

The average number of posts per month for each forum was: 

  • RaidForums: Approximately 57,730 posts per month.
  • BreachForums: Approximately 30,800 posts per month.
  • BreachForums version two: Approximately 32,400 posts per month.


The Inner Circle: Top Actors Across Forums

Of the top 100 actors across all three forums (based on number of posts), 36 were active on at least two of them under the same name. For actors active on two or three forums, the most popular combination was the two versions of BreachForums. In general, the forums were known to have the same community, migrating from one forum to another.


What Was Traded? Shedding Light on Popular Threads

The most popular threads for BreachForums version two, based on number of posts, associated with specific victims (meaning not generic discussions), were:

  1. Pandabuy, Leaked download!
  2. KPU.GO.ID 2024 VOTERS RAW DATABASE
  3. [LEAK] MalDevAcademy 5.7 – Full Malware Development Course
  4. 50 ”ChatGPT” OpenAI Premium Accounts
  5. AT&T 70M Database (2021)

Stolen and leaked databases, such as data associated with Pandabuy and AT&T, were widely shared on both BreachForums’ recent iteration and its predecessors.


Current Situation

On Wednesday, May 15th, the FBI, in collaboration with various international law enforcement agencies, successfully seized the infamous cybercrime forum, BreachForums.




Alleged ShinyHunters’ announcement


The Aftermath: What's Next for BreachForums

While BreachForums was one of the most popular cybercrime forums to share stolen databases and other information, it’s not the only one. Previously, during the inactivity of BreachForums/RaidForums, other platforms gained popularity, for example, LeakBase, founded in 2021 and still active. 

We expect that BreachForums’ community (at least those who are not scared by the FBI analyzing backend data of the seized site) will migrate to existing platforms or try to create new ones, possibly relying heavily on Telegram channels and chats to share information as well.

Active members of BreachForums have already claimed to be ready to recreate the forum, while the alleged ShinyHunters have claimed to have regained control of the seized domain, started a new Telegram group for the community, and promised to come back.


