May 15, 2025

Overview of April 2025 Turmoil

BreachForums abruptly went offline, prompting a wave of opportunistic copycat domains and widespread confusion within the dark web community. The shutdown—now allegedly confirmed via a PGP-signed statement by former administrators—was attributed to a zero-day exploit targeting the MyBB forum software. This vulnerability was reportedly exploited either by law enforcement or rival threat actors.

The most recent clearnet domain, breachforums[.]st, began returning a 403 error on or around April 15–16. Telegram channels affiliated with the forum and its associated onion service also went offline during this period. A message allegedly authored by “Anastasia,” one of the key administrators, hinted at FBI involvement—though this remains unverified. Speculation flourished across darknet community, with theories ranging from insider betrayal to technical collapse due to outdated software and poor operational security (OPSEC).

Figure 1: BreachForums.st PGP signed message by its admins

Adding to the uncertainty, BreachForums’ backend was reportedly spotted for sale for $2,000, suggesting a deeper compromise. Notably, the site never displayed an official law enforcement seizure banner, which is typically required in such takedowns.

Figure 2: Breached.fi site view on April 20, 2025

Copycats and Chaos

In the aftermath, a proliferation of clone and impersonation domains emerged—breached[.]fi, breachforums[.]uk, and others. Some, such as the .fi variant, were initially perceived as legitimate but were quickly discredited.

The threat actor Rey, reportedly connected to the Hellcat Ransomware group, exposed breached[.]fi as fraudulent. Around the same time, the Telegram-based hacktivist group Dark Storm claimed responsibility for a DDoS attack on the same domain. Other impersonators, including breachforums[.]af, .is, .im, and .lol, featured fake FBI seizure notices or links redirecting to law enforcement sites and suspicious database vendors.

Figure 3: Rey’s X Post Commenting on BF Chaos

Figure 4: Breachforums.im screenshot showing paid registration announcement

Some variants also demanded payment from users to access content, allegedly to prevent law enforcement infiltration.

April 28 Statement and Fragmented Reboots

On April 28, the original .st domain resurfaced with another PGP-signed message, confirming the MyBB zero-day exploit, denying arrests or data loss, and announcing a full backend rewrite. The message warned users that many of the copycat sites could be honeypots or phishing lures.

Despite this message, rumors about the admins’ fate and the legitimacy of emerging replacement sites persisted. Several splinter groups and reboot attempts have since appeared: 

Faction Backed by 888, Technically Led by 302:

Following the April shutdown, a new initiative emerged reportedly backed by the BreachForums user 888, with technical support from another user, 302. Infrastructure linked to this faction surfaced in leaks pointing to IP 176.65.137.250:19191. While specific goals remain unclear, their involvement signals growing fragmentation. Notably, 888 had previously claimed credit for the BMW Hong Kong data leak in July 2024.

HassanBroker’s Initiative (Funded by Rey)

Another reboot attempt came from HassanBroker, who registered multiple lookalike domains, including breach-forums[.]com, .net, .org, and breached[.]ws. Claiming ties to IntelBroker, Hassan framed the project as a tribute to the original forum. It allegedly received a $500 USD donation from Rey, but doubts persist due to questions around the maturity of the moderation team and operational competence.

“Momondo” Reboot Claim

A user under the alias “Momondo” declared intentions to resurrect BreachForums, citing ties to its original founder Conor Brian Fitzpatrick (aka Pompompurin). While distancing himself from figures like Anastasia and ShinyHunters, Momondo emphasized community trust and OPSEC. However, investigations raised concerns that “Momondo” may be an impostor, potentially representing a honeypot or scam.

Context & Law Enforcement Pressure

BreachForums’ history is closely tied to law enforcement actions. Prior admins like “Omnipotent” and “Pompompurin” were arrested between 2022–2023, with roots tracing back to its predecessor RaidForums, launched in 2015. As of this writing, no official law enforcement action or confirmed arrests have been reported in connection with the April 2025 outage, despite the emergence of fake seizure pages on copycat domains.

These developments underscore the increasing volatility and decentralization of cybercriminal ecosystems under sustained law enforcement scrutiny. The BreachForums community now finds itself fragmented—caught between operational failures, mistrust, and intensifying pressure from global authorities.

Figure 7: BreachForums Timeline

Conclusion

Recent events highlight the instability of darknet forums, even those with established reputations like BreachForums. Despite law enforcement pressure and internal conflict, such platforms often re-emerge in new forms. What shape the next version of BreachForums will take—and who will lead it—remains uncertain. DarkOwl will continue to monitor this evolving situation closely.

Don’t miss any updates. Subscribe to email.