BreachForums The Latest Updates
breach forums
  • Table of contents

The author

user_image
Coral Tayar
Share on LinkedIn

Security Researcher at Cyberint

Table of contents

Related Articles

Research

The Lumma Stealer InfoStealer: The Details

Lumma Stealer was initially identified in August 2022. Its specifically crafted to illicitly obtain sensitive...
May 22, 2025
Learn more
PLAY Ransomware
Research

Are They Really Playing? Get to Know Play Ransomware

Play Ransomware is a recent entrant into the ransomware industry, with its initial appearance in...
May 11, 2025
Learn more
Research

BreachForums The Latest Updates

May 28, 2025

Originally Published May 15th 2024

Updated May 28th 2025

On May 15, 2024, the FBI and DOJ, working alongside international partners like the NCA and New Zealand Police, took control of one of the major dark web forums, BreachForums. This action came shortly after a significant data leak from the Europol portal surfaced on the forum. The site was then relaunched by ShinyHunters, but now appears to be offline again. Several copies/potential successors have emerged. See our analysis below. It is important to emphasize that every newly identified source is immediately added to our crawling, although not every source considered to be official.

Figure 1 – dark web forum users referring to the shutdown of BreachForums, taken from the Cyberint Argos platform 
Figure 1 – dark web forum users referring to the shutdown of BreachForums, taken from the Cyberint Argos platform 

BreachForums History

BreachForums has operated as a dark-web marketplace for threat actors, allowing the trade of illicit items such as stolen access devices, identification means, hacking tools, breached databases, and other illegal services. Owned by Baphomet threat actor and linked to the ShinyHunters threat actor group, BreachForums had two versions overseen by different administrators, succeeding its precursor, Raidforums. Both versions eventually fell under law enforcement seizure, with the FBI recently taking control of the site and its data. 

In this operation, the FBI has not only shut down the BreachForums website but also their official Telegram channels and Baphomet telegram channel and website, now under FBI control. The site now displays a notice indicating FBI control, sparking discussions in other dark web forums about Baphomet’s potential collaboration with the FBI, particularly following the arrest of the former forum owner, Pompompurin, last year. 

 

Figure 2 - FBI shut down announcement on the breach forums domain 
Figure 2 – FBI shut down announcement on the breach forums domain 
Figure 3 - FBI announcing the forum shut down on the official breach forums telegram channel 
Figure 3 – FBI announcing the forum shut down on the official breach forums telegram channel 
Figure 4 – FBI messaging from Baphomet official telegram channel   
Figure 4 – FBI messaging from Baphomet official telegram channel   

Has Baphomet Been Arrested?

While the FBI reviewed the site’s backend data and seeks information on threat actor activity, Baphomet’s arrest status remained uncertain. However, avatars of site administrators Baphomet and ShinyHunters are shown with prison bars in the FBI seizure announcement (as can be seen in figure 2), along with additional claims by users in dark web forums suggested Baphomet’s arrest. The new administrator of BreachForums ShinyHunters later confirmed Baphomet’s arrest.

The FBI has launched a website where victims and informants could provide information. This platform encouraged former members of RaidForums or BreachForums to come forward with their experiences and any pertinent data. Victims could also report incidents related to these forums. Contact methods included email, Telegram, TOX account, and the FBI’s Internet Crime Complaint Center (IC3) page, which offered a form for sharing information about BreachForums and its members. 

Figure 4 – FBI messaging from Baphomet official telegram channel   
Figure 5 – The FBI’s Internet Crime Complaint Center (IC3) page 

What Happened Next?

ShinyHunters relaunched BreachForums and it remained online for a while. BUT since April 15th BreachForums is offline and the noise around this case keeps getting louder and messy.

Up until today many aliases of BreachForums were created as Telegram channels, new domains, and other platforms – claiming to be the real and official. We’ve also noted discussions among TAs regarding the FBI’s attempts to catch the real operators by keeping the site offline and causing this noise.

It is important to emphasize that every newly identified source is immediately added to Cyberint, now a Check Point Company’s crawling, although not every source considered to be official.

Currently, the forum has not officially resumed activity.

Here’s a summarized list of the most discussed domains:

  1. breachforums[.]st
    1. The official domain that went offline. The site seems to be back online, with a PGP message claiming the forum was taken down because of a possible infiltration by law enforcement using a MyBB 0day.
  1. breachforums[.]sx
    1. Same address, different suffix. Claims to be the backup forum of the original “.st”
    2. It was launched on April 27th, but there is no mention of this domain on any official group.
    3. Site is online and looks like the original forum.

 

breachforums[.]sx
  1. breached[.]fi
  • This site is an alleged continuation of breached forums, that went online on April 23rd, claiming to be the official forum. However, two owners were allegedly arrested, the website’s management credentials were leaked online, and the site’s infrastructure has been offered for sale.
  • The site was crawled until went offline

 

  1. breached[.]ws
    • This is a forum under construction, created by a Threat Actor called Hasan. Hasan aims to re-create the Breached forum with new features, but lacks credibility
    • The site is currently offline

On May 28th, the official site (.st) was still offline.

Cyberint, now a Check Point Company obtained a statement indicating that the forum will be back in operation by July 1st after addressing the vulnerability in the MyBB platform (the forum management tool). However, the validity of this claim remains uncertain.

Meanwhile,  the above forums that claimed to be replacements have gone offline, suggesting they were initially fake. We have also observed increased traffic on other forums and Telegram channels, suggesting that threat actors are looking for new areas to sell and stay active.

Nonetheless, no primary forum has emerged as a replacement so far.

As this situation develops, it is creating a significant gap in the underground ecosystem, leading to confusion among threat actors.

Law Enforcement’s Involvement

Cyberint, now a Check Point Company has assessed that law enforcement agencies were involved in some way, and this situation benefits them by allowing them to apprehend more activity and threat actors.

This was confirmed by BreachForums in early may when they published an announcement saying that they detected a MyBB 0-day. The forum, they said was infiltrated by government bodies and they therefore took down their infrastructure. They say they have identified the PHP exploit and are now working on a rewrite of the forum backend. They state that the copycat sites cannot be trusted.

 

breach forum announcement

 

Cyberint, now a Check Point Company keeps adding to crawling whatever we identify and we will continue monitoring changes and discussions of any type of source and update accordingly.

About Cyberint, Now a Check Point Company

Cyberint, otherwise known as Check Point Infinity External Risk Management, reduces risk by helping organizations detect and mitigate external cyber threats before they have an adverse impact.

The  solution provides superior visibility through continuous discovery of the evolving attack surface, combined with the automated collection and analysis of vast quantities of intelligence from across the open, deep and dark web.

Schedule Your Demo Now

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start