The BreachForums Succession Wars
KELA maps the fragmentation of BreachForums after the October 2025 FBI seizure into three rival successors — PWN, Breached, and HasanBroker's DoxByte — and explains why the most active heir now operates as criminal supply-chain infrastructure.
Published June 17, 2026

The BreachForums Succession Wars:
Fragmentation and Rivalry Among PWN, Breached, and HasanBroker
Executive Summary
The FBI seizure of BreachForums (BF) domains in October 2025 created a succession vacuum that multiple threat actors moved to fill. By June 2026 the ecosystem had fractured into a multi-party race rather than a single rivalry. The main parties include:
- The Original Lineage: Led by past BF administrators "Indra" and "N/A".
- The Breached Faction: Currently owned by its co-creator "diencracked" and the TeamPCP hacking group.
- The HasanBroker Projects: Initiated by Breached's other co-creator, HasanBroker, who later splintered off.
The rivalry began with breached[.]st (launched by HasanBroker in January 2026), which matured into an operationally aggressive ransomware and supply-chain hub, claiming to have imported approximately 324,000 BF users. Conversely, pwnforums[.]st emerged publicly in April 2026 as a moderator-led successor, formed after the original Indra and N/A lineage collapsed amid an exit-scam scandal.
Critically, on March 26, 2026 the extortion group ShinyHunters - the original 2025-BF brand owners - issued a PGP-signed statement disavowing all current BF sites as fraudulent, stripping legitimacy from both camps. In late May 2026, further fragmentation occurred when "diencracked" and HasanBroker severed their partnership, dividing their projects.
This report outlines the key events and actors associated with the observed forums, shaping this fragmented landscape.
Figure 1: Timeline of the BreachForums Succession Wars, detailing the key events, rivalries, and fragmentation among the PWN, Breached, and HasanBroker lineages
Background: The Fall of BreachForums
The trigger for the 2026 succession contest was the October 2025 FBI seizure of BreachForums domains, an action widely reported in the security press at the time.
A later statement from ShinyHunters pinpointed October 10, 2025, as the exact date they lost control of the forum.
A critical turning point occurred on January 9, 2026, with the "James/Doomsday" leak. Distributed through the shinyhunte[.]rs channel, this exposure of approximately 323,986 user records severely damaged trust in the Indra and N/A faction. This destabilization not only fueled the rise of new successors but also sparked intense speculation regarding whether BreachForums had become an FBI honeypot.
The competitive landscape was further narrowed by two major law enforcement actions:
- The FBI's seizure of the RAMP ransomware forum on January 28, 2026 (reported by BleepingComputer and Infosecurity Magazine).
- The FBI and Europol's seizure of the LeakBase clearnet domain on March 4, 2026 (see KELA's own analysis, "Law enforcement seizes Leakbase").
These interventions effectively cleared the market, allowing the two primary successors to expand.
Comparative Analysis: Breached[.]st vs. PwnForums
Breached[.]st and PwnForums are the two dominant successors, but not two versions of the same thing. Breached[.]st has become active criminal infrastructure — brokering supply-chain compromises and distributing RaaS affiliate access — while PwnForums is closer to a community-continuity effort, rebuilt by the moderators of the collapsed Indra and N/A lineage.
Their origins, operating models, and scale diverge in ways that change how each should be tracked.
Both forums report massive user bases consistent with the imported legacy BF datasets.
Metric | Breached (breached[.]su) | PWN (pwnforums[.]st) |
Posts | 523,705 | 821,743 |
Threads | 28,458 | 79,706 |
Users | 321,243 | 349,300 |
Inherited "old users"? | Yes (imported ~324K BF users) | Yes (migrated accounts/ranks/credits from breachforums[.]as) |
Table 1: Comparison of Major BreachForums Successors: Breached (breached[.]su) and PWN (pwnforums[.]st)
PWN emerged to replace the collapsed Indra and N/A BreachForums lineage. Its founding is attributed to the ex-moderators of that lineage, who established PWN after a rapid series of failures in March 2026:
- March 10: N/A attempted an exit scam.
- March 15: The Indra and N/A forum disappeared.
- March 25: A failed relaunch of the forum took place under the admin name "Caine" at breachforums[.]ac, using an old backup from February.
- March 27: The entire moderation team of Indra and N/A resigned en masse after confirming that "Caine" was, in fact, N/A. This mass resignation directly caused the establishment of PwnForums.
PWN positions itself as a continuity effort through the migration of breachforums[.]as accounts, ranks, and credits. Notably, on May 15, 2026, the PWN administration announced a ban on targeting CIS countries. This rule has long been a hallmark of the Russian cybercrime ecosystem, notably enforced on the XSS forum, but was never applied to any previous version of BreachForums.
Documented staff attribution for PWN is the strongest marker that allows it to be attributed as a direct successor of the .as forum. The known moderators of the .as forum – "Loki", "888", "Tanaka", and "Pine" – moved to the PWN forum and kept their moderator statuses. Two other handles, "John" and "Insane", are stated to be PwnForums admins. A further argument linking PWN to the previous BreachForums is a newly created "Wall of Shame" page, where PwnForums admins not only shamed N/A for the exit scam but also deanonymized the latter, claiming that N/A is a Bulgarian cybersecurity specialist named Angel Tsvetkov. Notably, in an earlier statement about N/A and HasanBroker during the BreachForums period, the moderator team had already attempted to dox one of them, sharing the PII of an individual named Madani Zitouni along with their relatives' information. However, it should be noted that it is unclear whether this individual is in any way connected to either of the threat actors.
Figure 2: PwnForums admins' doxing attack against N/A
Figure 3: The new admins of BreachForums threaten ex-admin N/A, accusing them of scamming, as well as allegedly doxxing HasanBroker
The table below summarizes the transfer of leadership from BreachForums[.]as to PwnForums:
Breachforums[.]as status (February 15, 2026) | Handle | Current status |
Admin | Indra | Status unknown |
Admin | N/A | Banned/Doxed |
Moderator | Loki | PWN moderator |
Moderator | 888 | PWN moderator |
Moderator | Gh0r | Status unknown |
Moderator | Pine | PWN moderator |
Moderator | Tanaka | PWN moderator |
Moderator | 0000 | Status unknown |
Table 2: A full list of BreachForums[.]as and PWN admins and moderators
Figure 4: BreachForums[.]as
Figure 5: BreachForums[.]as
Origins
Breached initially launched as the HasanBroker / "diencracked" forum on the clearnet at breachforums[.]cz in January 2026 (along with a TOR mirror). Following a reported domain suspension around March 6, 2026, the forum migrated to breached[.]st the day after. Operationally, Breached predates PWN by approximately two months. Additionally, the forum subsequently claimed to have imported roughly 324,000 BF users.
Key Figures
- HasanBroker (aka Hasan, hasanbroker, sextorts): The original owner and public face, currently excluded from the forum.
- diencracked ("dien"): Site developer and self-described "random alias," currently the sole owner of breached[.]su.
- VECT: A partner Ransomware-as-a-Service (RaaS) operation that distributed affiliate programs via the forum. Inferred to have a Russian-language base due to CIS affiliate-fee waivers, they are currently expelled from the forum.
- TeamPCP (aka PCPcat, DeadCatx3, Persy_PCP): A threat group linked to a coordinated campaign of supply chain compromises targeting widely used open-source projects, including Trivy, KICS, and LiteLLM. Through these breaches, the group reportedly distributed credential-stealing malware to downstream users, leveraging the trusted software supply chain to maximize reach and impact. TeamPCP is a supply-chain partner and a co-owner of the forum.
- The Gentlemen: A ransomware group operating as a RaaS and using dual extortion through file encryption and data theft. Listed as an official RaaS partner of the forum.
- "LAPSUS$": Staff/partner of the forum, with no currently identified link to the original 2022 LAPSUS$.
Activity
Based on KELA’s investigation, breached[.]st is the most operationally active English-language successor and functions as active criminal infrastructure rather than a passive marketplace:
- March 12, 2026: HasanBroker and "LAPSUS$" launched "Operation Lebensraum," explicitly aiming to erase the rival Indra and N/A forum. This followed an earlier hostile action on February 4, 2026, when HasanBroker claimed to have taken down breachforums[.]bf via #OpVictoria, citing methods such as SQLi, XSS, SSRF, DDoS attacks, and abuse complaints.
- March 19-27, 2026: TeamPCP brokered their supply chain campaign via the forum. After their collaboration with Breached was announced, TeamPCP posted their news and brokered the data via the forum; the Trivy compromise is now tracked as CVE-2026-33634.
- April 16, 2026: VECT distributed affiliate ransomware keys directly to forum members via DM, allowing them to join RaaS operations.
- May 18-21, 2026: The Gentlemen established a RaaS partnership, offering affiliate recruitment through Breached-hosted infrastructure.
- May 19, 2026: TeamPCP advertised stolen GitHub source code on the forum, an attack GitHub later confirmed.
Figure 6: TeamPCP advertises GitHub's source code
May 2026 Events
As evidenced by KELA, on May 20, 2026 "diencracked" announced that the administrators' team of the breached[.]st forum had decided to exclude HasanBroker from decision-making and from administering the forum. On the same date the forum shifted to the breached[.]su domain (which was live before the shift and had been a part of the infrastructure since HasanBroker's time).
Figure 7: “diencracked” announces the exclusion of HasanBroker and VECT
Since then, the breached[.]su iteration has been owned by "diencracked", with admins including "Denil", "GhostSec", "LAPSUS$", "Resolute", and "Shinigami". Although TeamPCP is still mentioned as a co-owner of the forum, they have not posted anything on the forum since May 19, i.e. before the severance. The screenshot of the post shown in Figure 6 identifies TeamPCP as responsible for actions taken against HasanBroker; however, the edited version of the same post, which remains accessible on the forum, no longer mentions TeamPCP.
In response, HasanBroker, on their Telegram channels ("Breaches" and the contemporary iteration of the Jacuzzi chatroom), accused "diencracked" of betrayal ( hxxps[:]//t[.]me/breaches/1437 ), announcing they are working on restoring their version of BreachForums. As evidenced by their Telegram posts, they are preparing a new forum named "DoxByte" and a new coalition with an unclear structure that they call BreDox.
Figure 8: HasanBroker announces their BreDox initiative
( hxxps[:]//t[.]me/DoxBytes/169 )
DoxByte already has an accessible link to the forum with a simplistic UI, showing a chatroom and a list of 13 registered users (as of May 31, 2026), of which at least seven can be attributed to the official team of the forum ("sad", "yosef", "hasanbroker", "dox", "haha", "jayze", and "xav"). They also mentioned that during the official launch of the forum they will announce "the return of a very oldgen group".
Figure 9: DoxByte UI as presented by HasanBroker
( hxxps[:]//t[.]me/DoxBytes/227 )
Conclusions
Based on KELA’s analysis, the following signals can be identified:
- The BreachForums brand is now decoupled from legitimacy and from infrastructure. No 2026 forum holds uncontested succession rights. The original owners have disavowed all claimants, meaning continuity of the name does not equal continuity of capability or operators.
- The successors represent divergent business models, and breached[.]su's is the more dangerous. While PWN resembles a community-preservation effort, Breached has evolved into a "criminal platform-as-a-service," brokering supply-chain compromises and distributing RaaS affiliate keys. Breached[.]su requires priority monitoring for active threats, whereas PWN is better tracked for credential/data-exposure intelligence.
- The ecosystem is highly fragmented. Open hostilities, doxings, and disavowals are generating adversary-on-adversary disclosures highly valuable to law enforcement. This fragmentation disperses aggregate risk rather than lowering it.
- There is no clean "successor". Analysts should resist designating a single heir, as rival factions descend from differing lineages and remain openly antagonistic.
Appendix: Full Timeline of Events
Date | Event | Forum | Significance |
October 2025 | FBI seizure of BreachForums domains | – | Creates the late-2025 succession vacuum |
January 9, 2026 | "James/Doomsday" leak via shinyhunte[.]rs - ~323,986 BF user records | pre-existing BF | Trigger event of the 2026 crisis |
January 2026 | Hasan forum launches at breachforums[.]cz | breached[.]st (precursor) | Hasan clearnet launch; only vendor-confirmed launch element |
January 28, 2026 | FBI seizes RAMP ransomware forum | RAMP | Removes a major competitor |
February 4, 2026 | HasanBroker claims "#OpVictoria" takedown of breachforums[.]bf | breached[.]st vs. Indra and N/A | Pivotal hostile act between camps |
March 4, 2026 | LeakBase clearnet domain seized by FBI and Europol | LeakBase | Major competitor removed |
March 6, 2026 | breachforums[.]cz reported "suspended" | breached[.]st precursor | Triggers .st migration |
March 7, 2026 | "New clearnet domain" → breached[.]st | breached[.]st | Origin of the breached[.]st brand |
March 10, 2026 | N/A attempts exit scam - dumps DB and source from breachforums[.]as | Indra and N/A BF | Trigger event for PwnForums |
March 12, 2026 | LAPSUS$ and HasanBroker announce "Operation Lebensraum" alliance | breached[.]st | Coalition to erase the rival BF |
March 12–15, 2026 | VECT–TeamPCP–breached[.]st partnership announced | breached[.]st | Forum becomes ransomware infrastructure |
March 15, 2026 | Indra and N/A BreachForums "suddenly disappeared" (exit scam) | Indra and N/A BF | Indra and N/A iteration collapses |
March 19–27, 2026 | TeamPCP supply-chain campaign via breached[.]st: Trivy (CVE-2026-33634, CVSS 9.4), KICS, LiteLLM, Telnyx | breached[.]st | Forum operationalised for active campaigns |
March 25, 2026 | Indra and N/A forum reappears at breachforums[.]ac under "Caine" (February 11 backup) | Indra and N/A BF | Failed legitimacy attempt |
March 26, 2026 | ShinyHunters disavow ALL current BF sites as fakes (PGP-signed); threaten to leak full backups | – | Strips legitimacy from both camps |
March 27, 2026 | Entire Indra and N/A moderation team resigns after confirming "Caine" is "N/A" | Indra and N/A had become PwnForums | Direct cause of PwnForums founding |
March 30, 2026 | pwnforums[.]st domain registered | pwnforums[.]st | Domain anchor |
April 5, 2026 | PwnForums advertised publicly | pwnforums[.]st | Public emergence |
April 13–15, 2026 | VECT threatens Booking.com/Airbnb; Booking.com confirms breach but stops short of attribution | breached[.]st | Forum monetisation proven |
May 19, 2026 | TeamPCP targets GitHub | breached[.]st | Attack surface |
May 18–21, 2026 | The Gentlemen RaaS partnership announced; subdomain live (preceded by ~4 May backend leak) | breached[.]st | Forum becomes formal RaaS distribution channel |
May 20–21, 2026 | HasanBroker loses control of breached[.]su; VECT expelled from the forum | breached[.]su | Severance of the Breached forum |
May 24–27, 2026 | HasanBroker announces DoxByte and BreDox projects | DoxByte[.]com | New HasanBroker infrastructure |







