BreachForums The Latest Updates

Originally Published May 15th 2024

Updated April 29th 2025

On May 15, 2024, the FBI and DOJ, working alongside international partners like the NCA and New Zealand Police, took control of one of the major dark web forums, BreachForums. This action came shortly after a significant data leak from the Europol portal surfaced on the forum. The site was then relaunched by ShinyHunters, but now appears to be offline again. Several copies/potential successors have emerged. See our analysis below. It is important to emphasize that every newly identified source is immediately added to our crawling, although not every source considered to be official.

BreachForums History

BreachForums has operated as a dark-web marketplace for threat actors, allowing the trade of illicit items such as stolen access devices, identification means, hacking tools, breached databases, and other illegal services. Owned by Baphomet threat actor and linked to the ShinyHunters threat actor group, BreachForums had two versions overseen by different administrators, succeeding its precursor, Raidforums. Both versions eventually fell under law enforcement seizure, with the FBI recently taking control of the site and its data. 

In this operation, the FBI has not only shut down the BreachForums website but also their official Telegram channels and Baphomet telegram channel and website, now under FBI control. The site now displays a notice indicating FBI control, sparking discussions in other dark web forums about Baphomet’s potential collaboration with the FBI, particularly following the arrest of the former forum owner, Pompompurin, last year. 

Has Baphomet Been Arrested?

While the FBI reviewed the site’s backend data and seeks information on threat actor activity, Baphomet’s arrest status remained uncertain. However, avatars of site administrators Baphomet and ShinyHunters are shown with prison bars in the FBI seizure announcement (as can be seen in figure 2), along with additional claims by users in dark web forums suggested Baphomet’s arrest. The new administrator of BreachForums ShinyHunters later confirmed Baphomet’s arrest.

The FBI has launched a website where victims and informants could provide information. This platform encouraged former members of RaidForums or BreachForums to come forward with their experiences and any pertinent data. Victims could also report incidents related to these forums. Contact methods included email, Telegram, TOX account, and the FBI’s Internet Crime Complaint Center (IC3) page, which offered a form for sharing information about BreachForums and its members. 

What Happened Next?

ShinyHunters relaunched BreachForums and it remained online for a while. BUT since April 15th BreachForums is offline and the noise around this case keeps getting louder and messy.

Up until today many aliases of BreachForums were created as Telegram channels, new domains, and other platforms – claiming to be the real and official. We’ve also noted discussions among TAs regarding the FBI’s attempts to catch the real operators by keeping the site offline and causing this noise.

It is important to emphasize that every newly identified source is immediately added to Cyberint, now a Check Point Company’s crawling, although not every source considered to be official.

Currently, the forum has not officially resumed activity.

Here’s a summarized list of the most discussed domains:

1. breachforums[.]st
   1. The official domain that went offline. The site seems to be back online, with a PGP message claiming the forum was taken down because of a possible infiltration by law enforcement using a MyBB 0day.

2. breachforums[.]sx
   1. Same address, different suffix. Claims to be the backup forum of the original “.st”
   2. It was launched on April 27th, but there is no mention of this domain on any official group.
   3. Site is online and looks like the original forum.

3. breached[.]fi

• This site is an alleged continuation of breached forums, that went online on April 23rd, claiming to be the official forum. However, two owners were allegedly arrested, the website’s management credentials were leaked online, and the site’s infrastructure has been offered for sale.
• The site was crawled until went offline

4. breached[.]ws
   • This is a forum under construction, created by a Threat Actor called Hasan. Hasan aims to re-create the Breached forum with new features, but lacks credibility
   • The site is currently offline

At the end of April, the official site (.st) was still offline and it was yet to be determined what was real and official among the alternatives. Cyberint, now a Check Point Company assessed that law enforcement agencies were involved in some way, and this situation benefits them by allowing them to apprehend more activity and threat actors.

This was confirmed by BreachForums in early may when they published an announcement saying that they detected a MyBB 0-day. The forum, they said was infiltrated by government bodies and they therefore took down their infrastructure. They say they have identified the PHP exploit and are now working on a rewrite of the forum backend. They state that the copycat sites cannot be trusted.

Cyberint, now a Check Point Company keeps adding to crawling whatever we identify and we will continue monitoring changes and discussions of any type of source and update accordingly.

About Cyberint, Now a Check Point Company

Cyberint, otherwise known as Check Point Infinity External Risk Management, reduces risk by helping organizations detect and mitigate external cyber threats before they have an adverse impact.

The  solution provides superior visibility through continuous discovery of the evolving attack surface, combined with the automated collection and analysis of vast quantities of intelligence from across the open, deep and dark web.