Breach, Data Security, Threat Intelligence

BreachForums seized by FBI for 2nd time

FBI seizure notice on BreachForums homepage.

BreachForums, an infamous cybercrime site used to sell and publish stolen data, was seized by the Federal Bureau of Investigation on Wednesday.

Click for more special coverage

The FBI and U.S. Department of Justice took down the site and replaced its homepage with a seizure notice that credits international partners including the Cyber Police of Ukraine, Kantonspolizei Zürich, the Australian Federal Police, New Zealand Police, Icelandic Police and U.K. National Crime Agency.

“We are reviewing this site’s backend data. If you have information to report about cyber criminal activity on BreachForums, please contact us,” the seizure notice states.

Contact information on the seized site includes the email address [email protected], the Telegram contact fbi_breachforums, the website and a QR code to communicate through Tox.

The Internet Crime Complaint Center (IC3) BreachForums page includes a contact form for breach victims or those with information about BreachForums and its predecessor Raidforums to submit information to authorities.

“For individuals and companies whose information had previously been compromised and appeared on the site, this development offers an opportunity to address the specific exposures,” Omri Weinberg, co-founder and Cro at SaaS security firm DoControl, told SC Media. “However, it’s crucial to remember that the underlying data may still be circulating in other channels, or even reappear on new iterations of the BreachForums marketplace.”

The FBI seizure notice also displays the online avatars of BreachForums administrators ShinyHunters and Baphomet portrayed behind bars. A screenshot published by BleepingComputer shows that the forum’s Telegram channel and Baphomet’s Telegram account are also in the FBI’s control.

Second BreachForums takedown in two years

Wednesday marks the second time the BreachForums clearnet site was seized by the FBI. Authorities took control of the group’s previous domain in June 2023, three months after the arrest of original BreachForums founder Conor Brian Fitzpatrick, who went by Pompompurin online.

The forum was briefly revived by Baphomet shortly after Fitzpatrick’s arrest, but the new administrator soon shut the site down due to fears of compromise by authorities. Baphomet subsequently established the new site with the ShinyHunters group in June 2023.

“The FBI’s successful seizure of BreachForums marks a significant achievement in the ongoing battle against cybercrime, representing just one strike in a persistent game of whack-a-mole,” Weinberg said. “The pattern of these sites reappearing under new domains is a stark reminder of the ongoing cat-and-mouse game between law enforcement and criminals. This situation underscores the necessity for international cooperation and robust cybersecurity strategies to combat these adaptive and persistent threats effectively.”

Fitzpatrick ultimately entered a guilty plea for charges related to hacking and possession of child sexual abuse material in June 2023, and was sentenced to time served plus 20 years of post-release supervision in January 2024.

The FBI previously seized RaidForums, widely seen as a predecessor to BreachForums, in 2022. RaidForums’s alleged founder Diogo Santos Coelho was arrested in the UK and was fighting extradition to the U.S. as of March 2024.

“It is highly likely that the forum will eventually reappear under the same or different name. As far as the previously stolen data leaked on the site, I expect that multiple local copies of it have been downloaded by actors participating in the forums, so there’s continued exposure,” warned Zendata CEO Narayana Pappu, in an email to SC Media. “Most people participating in these forums are fairly sophisticated and would have protected their identities. However, some folks could be tracked based on their IP addresses, Telegram account information, email addresses, etc.”

Several major data breaches linked to BreachForums

BreachForums was used by various threat actors to buy, sell, trade and publish stolen data as well as market hacking tools and other illegal services.

Data from several high-profile breaches has been leaked on the forums; for example, one threat actor claimed to have access to 49 million records on Dell customers on April 28, after which Dell confirmed that names and addresses were stolen.

Another recent high-profile breach, involving the theft of data from 6.9 million 23andMe customers, has also been linked to BreachForums.

“It is interesting to know that it appears that the FBI had access to the forum and was monitoring communications and collecting information about members. While these types of actions will not stop bad actors from buying and organizations for a period of time. Anytime we can reduce the number of attacks or prevent information from being bought and sold is certainly welcome,” Erich Kron, security awareness advocate at KnowBe4, told SC Media.

SC Media submitted an inquiry to the DOJ asking how the BreachForums was infiltrated and whether any administrators or users have been arrested, and did not receive a response.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.