As we reported last week, the popular data-sharing dark web forum BreachForums was seized by law enforcement. At the time of writing, one of the clearnet mirrors was still up and pointing to a new Telegram channel promising that the site would be back soon.
By 23 May, BreachForums was back with a new onion address, and the administrators, ShinyHunters, announced the new site on Telegram. Initially only those who had previously held an account were able to enter. Whereas its predecessor had many open areas, the new site required users to log in before any information could be shared. However, a few days later registration was opened.
Many in the community have speculated that this new site is a law enforcement honeypot and are avoiding it. However, ShinyHunters have been posting large leaks from well-known organizations such as Ticketmaster, which some have speculated is intended to increase interest in the site again.
Others have decided to start their own site. Well-known threat actor USDoD, who often posted on the now seized BF, announced via Twitter that he would be launching his own site, called Breach Nation, in early July.
DarkOwl analysts will continue to monitor both the new version of BreachForums and any new sites which pop up to replace it.
At around 8am PST on May 15 2024, BreachForums (BF), the infamous dark web marketplace known for trading in stolen data, was seized by the FBI. The FBI declared that the site had been seized in conjunction with international law enforcement partners. They also announced that they had taken control of Telegram channels which were linked to one of the administrators, Baphomet.
However, this is not the first time this site has been subject to law enforcement action, with two of its predecessors having been seized.
BreachForums is the third in a line of dark web forums set up to trade in stolen data. Threat actors would upload data relating to companies, usually stolen through hacking activity but also obtained through scraping and unintentional open access. The site was also used to sell access to others, with initial access brokers selling access to corporations for large sums of money. Other services were also available, as well as access to things like stealer logs and malware.
The site which began this model was known as RaidForums, which emerged onto the scene in 2015 and quickly became one of the largest sites dealing in stolen data. The site was live until 2022, when the owner and administrator of the site, known as Omnipotent, was arrested and charged with six criminal counts. Omnipotent turned out to be a 21-year-old Portuguese national living in London named Diogo Santos Coelho, who continues to fight his extradition to the US to be prosecuted. Ironically, it was possible to identify Coelho’s true identity using the very breach data that he facilitated on his site.
Not long after the seizure of RaidForums, an actor known as Pompompurin, who had been active on the site, created a new forum which he named Breach Forums to fill the gap left by Raid. However, the site did not operate for long: Pompompurin was arrested in March 2023 and a few months later the site was seized. The seizure notice included the avatar used by Pompompurin, highlighting that he was a target of the investigation and likely how they had gained access to the site's backend. As part of the affidavit, the FBI also confirmed that they had access to the BreachForums site.
Pompompurin was exposed as Connor Brian Fitzpatrick, a 20-year-old from New York State. He pled guilty to hacking and child pornography possession and was sentenced to 20 years supervised release.
The co-administrator of Breached with Pompompurin was known as Baphomet. He took control of the domain(s) in the period after Fitzpatrick’s arrest; however, after a short amount of time he shut down the site, claiming the FBI had access and it was not safe to use. A lot of back and forth between actors and across domains ensued, with warnings not to trust new forums and leaks of BF users being circulated. Telegram was used heavily to communicate about the arrest and the possibility of a new site. However, Baphomet did later bring back the forum, reportedly partnering with a group known as Shiny Hunters, who were well known for selling stolen data they claimed to have obtained. Many in the community speculated that the new site was a LE (Law Enforcement) honeypot, but users continued to use the new site.
The latest iteration of BreachForums has been operating since mid-2023, operated by Baphomet. As well as being the administrator of the forum, he also maintained several Telegram channels relating to the forum, including one which was used to upload stolen data that was freely available to viewers of the channel.
Although the site was active for just under a year before it was seized, some very high-profile breaches were leaked to the site in that time, including AT&T, 23andMe and T-Mobile. DarkOwl analysts have collected over 100 leaks from this site in the last year.
One actor who has been very active in recent weeks on the site, and was also a moderator, is known as IntelBroker, who claims to be part of a hacking collective known as “CyberNi**ers” (redacted for sensitivity reasons). He has claimed access to data from corporations such as Hilton and Dell, and government access to the DOD, Canada and the United Arab Emirates. As recently as May 15, he posted on BF claiming to have access to an aerospace and defense company; the site was seized shortly after.
Last week he claimed to have data stolen from Europol, specifically the EC3 group. Europol did confirm the data was from them, although it stipulated that no sensitive information was stolen. Some in the community have speculated that the release of this information is what led to law enforcement taking action against the site.
At the same time the BF site was seized, a message was posted on a Telegram channel controlled by Baphomet, claiming that it was now under the control of the FBI. The same was true for a second channel also under his control. The post encouraged subscribers of the channel to report any information they knew to the FBI through a dedicated Telegram channel. DarkOwl analysts observed actors claiming that they had contacted the FBI and received a response, although it is unclear if they were sharing any content of value.
This marks one of the first times that the FBI have appeared to take action on the Telegram platform. Given the way the message was posted, they presumably obtained credentials which allowed them to control the channel rather than acting through cooperation with the owners of Telegram. This highlights the role that Telegram has with this underground community and how large numbers of actors are communicating.
Indeed, it was on Telegram that rumors started to circulate that Baphomet had been arrested. This was shared by several actors including Shiny Hunters and IntelBroker. Shiny Hunters also moved to make their Telegram channel private, meaning it could not be identified through a global search and only invited users would be able to see the content.
We await confirmation from the FBI as to whether or not this is the case and who the individual behind the alias is. However, perhaps foretelling the arrest, the avatars of both Baphomet and Shiny Hunters were shown behind bars on the FBI seizure notice.
Multiple Telegram channels have been very active over the last 24 hours with speculation about what has happened to the actors involved in BF and what sites should take its place. Two Breach Forums Telegram channels where data can be uploaded and chat can be conducted remain active at the time of writing, with documents being shared and rampant speculation about the arrest of Baphomet and the role of undercover agents on the site. There was also speculation about a site called Doxbin, which seemed to go down at the same time, although its operators are claiming to still have control of the domain.
A new channel was also created to share “news”, whose operators claimed they had warned that the site was an FBI honeypot the whole time.
It is therefore clear that Telegram will have a role to play in whatever happens next for BreachForums and the users that make data available and purchase and download it.
There has also been speculation about what sites will fill the void left by BreachForums, with many existing forums being suggested as front runners. Given the history from RaidForums to the current iteration of BreachForums, it does seem likely that a successor will emerge, whether that is a new or an existing site.
DarkOwl analysts will continue to monitor the situation to identify what emerges.