BreachForums: Brief History
BreachForums was an English-speaking illicit forum that appeared in March 2022, soon after the seizure of RaidForums. It operated as a clear-net marketplace for cyber-criminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services. Initially, BreachForums was created by “Pompompurin,” whose real name is “Connor Brian Fitzpatrick.”
However, after U.S. law enforcement arrested “Connor” on March 15, 2023, and seized the forum, a threat actor announced his intention to relaunch the forum under the same name, “BreachForums.” This threat actor is known as “ShinyHunters”. According to the FBI, BreachForums, which has been hosted at breachforums[.]st/.cx/.is/.vc since June 2023, has been operated by “ShinyHunters”.
Before the FBI seized the forum, it hosted a series of breaches against U.S. targets by a notorious threat actor called “IntelBroker.” The most significant one occurred on May 10, 2024, when “IntelBroker” claimed to be selling breached data belonging to Europol.
The FBI seized the forum
On Wednesday morning, the BreachForums website changed to display a banner indicating seizure by the FBI and Department of Justice (DOJ), with assistance from international partners.
The FBI has a history of using images in seizure banners to describe the situation of the threat actors: they placed the profile picture of “Baphomet,” an administrator of BreachForums, behind jail bars, just as they did with the previous owner “Pompompurin,” which indicates an arrest of “Baphomet.”
Additionally, the banner featured a statement:
“We are reviewing the backend data of this site. If you have information to report about cybercriminal activity on BreachForums, please contact us.”
They provided contact information, including a Telegram channel username, an email address for the BreachForums case, “breachforums@fbi.gov,” a website at the Internet Crime Complaint Center (IC3), “breachforums.ic3.gov,” and a TOX account (Tox is an instant messaging platform popular among threat actors).
The website provides a questionnaire for victims and for individuals with information relevant to ongoing investigations against BreachForums v2, BreachForums v1, or RaidForums.
FBI Takes Control Over Their Telegram Channel
Right after the FBI took control of their clearnet site as well as their onion site, they posted a message on their Telegram channel:
“This Telegram chat is under the control of the FBI. The BreachForums website has been taken down by the FBI and DOJ with assistance from international partners. We are reviewing the site’s backend data. If you have information to report about cyber criminal activity on BreachForums, please contact us at t.me/fbi_breachforums, breachforums@fbi.gov, or breachforums.ic3.gov.”
This message was sent from Baphomet’s Telegram account.
The FBI also took control of Baphomet’s Telegram channel and posted the same message on both the BreachForums channel and Baphomet’s Telegram channel.
Announcements
On the same day of the seizure, “ShinyHunters” created a new Telegram channel called “BF Announcements.” The following day, he posted a statement on the Telegram channel informing members that the administrator “Baphomet” had been arrested, “which led to the seizure of almost all of our infrastructure by the FBI. At this point, the future of our forum remains uncertain. No members of ShinyHunters have been arrested. We are currently waiting for further confirmations from our staff, and we will keep you updated with any new announcements in this channel.”
Additionally, he posted on the Announcements Telegram channel stating that he had recovered the domain.
We can validate this by visiting the forum, where we can see a message stating “Site Temporarily Unavailable” along with a Telegram icon and a link redirecting to their new Telegram channel called “Jacuzzi 2.0”.
At the time of publishing this report, the new “Jacuzzi 2.0” channel appears to have been deleted. However, “ShinyHunters” created another channel called “BF,” and later changed its name back to “Jacuzzi 2.0.”
Breach Nation – A New Community?
Meanwhile, a threat actor named “USDoD-TA / EquationCorp” announced on his X account that he would build a new community under a new name, “Breach Nation.” In his announcement, he detailed his extensive efforts over the past 24 hours on this new project and outlined the infrastructure he is managing.
He stated that he is currently overseeing two servers for this endeavor:
- Smaller Server (CDN Hosting):
  - 8TB storage
  - 1Gbps bandwidth
  - Unlimited traffic
  - 32GB RAM
- Larger Server (Community Hosting):
  - 4x10TB storage
  - 32GB RAM
  - 1Gbps bandwidth
  - Unlimited traffic
The larger server is designated to host the entirety of the new CDN for the community, while the smaller one will manage the system and forum operations independently.
Additionally, he disclosed the planned launch date for the new domains, breachnation[.]io and databreached[.]io, scheduled for July 4, 2024.
Furthermore, he highlighted his intention to provide an upgraded version of the member rank to the first 200,000 users as a gesture of goodwill, emphasizing that his motivation isn’t driven by profit but by a genuine desire to revive the community and provide opportunities for all members.
He urged caution in considering other forums, particularly mentioning “Shinyhunters” and his team, advising a review of their past performance on BF V2 before making any decisions.
Despite being the sole admin and staff member currently, he expressed openness to feedback from the community and emphasized the importance of community involvement in decision-making processes. He also acknowledged the need for improvement in the CDN setup and assured ongoing efforts towards that end.
Also, in his announcement, he said:
“I am not concerned with who is in charge at the Department of Justice or who the FBI director is. My focus is on keeping the system running.”
- Meanwhile, we are awaiting a statement from the Department of Justice regarding the seizure of BreachForums.
- One hypothesis is that “IntelBroker” triggered the FBI takedown of the forum by posting breaches related to Europol and numerous other breaches.