fotokitas - stock.adobe.com

US authorities crack BreachForums for a second time

The BreachForums data leak website has been seized by the FBI and international partners again

An international law enforcement operation led by the United States’ Federal Bureau of Investigation (FBI), with assistance from the UK’s National Crime Agency (NCA) and others, has taken down the English-language BreachForums data leak forum, operated by a hacking collective known as ShinyHunters, for the second time in the space of a year.

BreachForums – which operated in plain sight on the internet, and was itself a successor to the RaidForums service disrupted in 2022 – had been previously disrupted by the authorities in the spring of 2023 after it offered data stolen from DC Health Link, a public health insurance market serving the city of Washington DC and, by extension, many American politicians.

This operation saw the arrest of a New York state resident identified as BreachForums admin Pompompurin. This individual, whose real name is Conor Fitzpatrick, later pled guilty to conspiracy to commit access device fraud, solicitation for said purposes, and possession of child pornography. In January of 2024, he was sentenced to a 20-year term of supervised release for breaching bail conditions.

In the meantime, another high-profile forum member using the handle Baphomet, who had worked under Fitzpatrick, revived the BreachForums brand in the summer of 2023 and used it to leak more data. It is this version of the criminal project, alongside Baphomet’s Telegram channel, that has now been disrupted.

The FBI made no formal announcement of the seizure, and according to US reporting has declined to comment further. However, Computer Weekly has confirmed that the site has been replaced with an official takedown notice stating the site has been taken down by the FBI and Department of Justice (DoJ).

This site now redirects to an official US government ‘tip’ site where the FBI states: “The Federal Bureau of Investigation (FBI) is investigating the criminal hacking forums known as BreachForums and Raidforums.

“From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc and run by ShinyHunters) was operating as a clear-net marketplace for cyber criminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services.”

The FBI has additionally stated it is reviewing the site’s backend data, which suggests it may have hacked into BreachForums some time ago. There has already been some discussion that the authorities may have been motivated to move up their timeline quickly after BreachForums offered for sale data supposedly stolen from the European Union’s (EU’s) Europol agency.

FBI notice
The FBI’s takedown notice of BreachForums

Commenting on news of the takedown, Michael McPherson, senior vice-president of security operations at ReliaQuest, and a former FBI special agent, said: “The inevitable question that will be asked in the aftermath of the BreachForum takedown is, ‘What comes next?’. With the likely seizure of servers and domains associated with the forum, law enforcement will have significant intelligence opportunities.

“While details are sparse at this time, users of the site will likely have significant concerns over their own operational safety, with the FBI likely in possession of material that could be used to provide attribution of members. Organisations named on BreachForums also may be provided with additional context over material breached on the forum.”

McPherson said that while it was possible that members of the ShinyHunters collective would again attempt to restore the service, suspicions among at-large members over the scope of law enforcement operations against them would be running high, leading to likely recriminations and fallings out.

Additionally, he pointed out, if they do establish another version of BreachForums, they will also face more scrutiny from potential members and service users over the risk that the site may be little more than a police honeypot.

Although exactly what comes next is unclear at the time of writing, McPherson added: “The operation should be seen as a success, continuing the tempo of law enforcement operations that have surged in recent months.”

Read more about recent takedowns

  • Reaction to the takedown of the LockBit ransomware gang is enthusiastic, but tempered with the knowledge that cyber criminals are often remarkably resilient.
  • Multinational law enforcement has targeted the operations of the notorious ALPHV/BlackCat cyber extortion gang, but the group’s members appear to remain defiant.
  • Multinational Operation Cookie Monster takes down Genesis Market, a crucial source of compromised data used by criminals for fraud and other cyber attacks.

Read more on Privacy and data protection