Intel 471

BreachForums Saga Continues. What’s Next?

Jul 18, 2024

Background

The execution of cybercrime depends on the flow of data, tools and services supplied by cybercriminals to other cybercriminals. These cybercrime-as-a-service offerings enable malicious threat actors to source the tools they need and focus on their illegal speciality or interest such as fraud, scams or attacks. These resources are sourced in illegal markets hosted on clear web forums, Tor hidden services, Telegram channels and through private chats. BreachForums is one such cybercrime forum that allows threat actors to sell these tools, services, stolen databases, access credentials, personal data, financial data and more.

The site, which has been hosted on clear web domains along with a Tor hidden service, allowed anyone to register, which drew a majority user base of low- to mid-level cybercrime actors. False claims about data breaches for sale often appear on the site. However, legitimate breaches are also announced on BreachForums. More advanced threat actors, known by either the same or different personas across other underground cybercrime sites, also maintained profiles on BreachForums. Those included well-known and prolific initial access brokers (IABs). These threat actors specialize in stealing credentials that can be used to illegally access systems or other means of gaining access, which are then offered and sold to others.

On May 15, 2024, the domain breachforums[.]st displayed a notice that it had been seized by the U.S. FBI along with international law enforcement partners. A message posted on the domain indicated the operation resulted in the seizure of the forum’s back end, which contained forum member data. Telegram channels associated with BreachForums were also seized. Threat actors expressed the belief that BreachForums administrator Baphomet had been arrested, but no official source has confirmed this. However, law enforcement’s splash notice on breachforums[.]st, one of the several seized domains, showed Baphomet’s avatar modified to appear behind bars.

A screenshot of the takeover notice as posted on breachforums[.]st May 15, 2024.

The action marked the third time in less than two years that authorities have disrupted forums that have linked legacies. However, law enforcement has yet to publicize the scope and scale of the latest disruption.

The FBI posted this message on its Internet Crime Complaint Center (IC3) website along with a submission form soliciting information from victims or individuals about BreachForums and its predecessors.

BreachForums was the third iteration in a line of forums; its two predecessors used the same open source MyBB forum software and similar website structures. The first was Raid Forums, which ran from 2015 until 2022. Raid Forums was notable for its very large user base of about 500,000 registered users, with about 20,000 active on any one day. The site became one of the most prominent places where data breaches first appeared. However, Raid Forums’ long run ended in April 2022, when the U.S. Department of Justice announced that one of the “world’s largest hacker forums” had been seized. The site’s alleged administrator, Diogo Santos Coelho of Portugal — known by the handle Omnipotent — was arrested in the U.K. Coelho, who reportedly is autistic and is a suicide risk, is contesting an extradition request by the U.S.

The seizure of Raid Forums left a vacuum, which was soon filled by the threat actor pompompurin, a persona with a history of compromising organizations, including an FBI law enforcement sharing portal. The actor launched breached[.]co, also sometimes referred to as BreachForums, in March 2022. Breached emulated Raid Forums but did not grow to the same size. Authorities arrested Conor Brian Fitzpatrick of Peekskill, New York, on March 15, 2023, accusing him of using the alias pompompurin and running Breached. Fitzpatrick was sentenced in January 2024 to 20 years of supervised release. Soon after Breached went offline, a threat actor going by the nickname Baphomet announced that they would be assuming ownership of the forum.

The actor Baphomet changed course, however, writing March 21, 2023: “This will be my final update on Breached, as I’ve decided to shut it down. I’m aware this news will not please anyone, but it’s the only safe decision now that I’ve confirmed that the glowies likely have access to Pom’s machine.” It wasn’t the end of the efforts to create a new forum. On June 13, 2023, the persona ShinyHunters posted on a Telegram group that the Breached cybercrime forum was active again at the new breachforums[.]vc domain name. The actor Baphomet confirmed the claim and mentioned forum members could restore their forum ranks and statuses by contacting the actor.

In April 2024, two significant incidents affected BreachForums. First, on April 15, 2024, the pro-Israeli actor R00TK1T claimed via a Telegram channel to have disrupted the availability of BreachForums with a distributed denial-of-service (DDoS) attack in collaboration with the pro-Russian hacktivist group CyberArmyRussia. The actor and the group pledged to release user information from the forum including email addresses and IP addresses, but it’s unclear if their goal was achieved. The actor Baphomet later released a statement on Telegram announcing that the forum's clearnet domain was suspended until further notice but failed to confirm the attack or provide more details.

One day later, Baphomet released a follow-up statement addressing the alleged compromise of the forum by R00TK1T. The actor claimed the disruption was limited to the suspension of the breachforums[.]cx domain name and accused unspecified law enforcement agencies of this action. The actor also refuted the forum compromise or data breach claims and stated R00TK1T’s claim was an attempt to capitalize on the forum's domain suspension. The actor also announced the launch of the new domain breachforums[.]st as well as further security measures to thwart DDoS attacks.

After the takedown on May 15, 2024, a flurry of activity related to BreachForums occurred. First, threat actors claimed they were able to recover the breachforums[.]st domain. The FBI notice was replaced with a link to a new Telegram channel administered by the actors Aegis and ShinyHunters. A second Telegram channel was also launched. Other discussions indicated that ShinyHunters, a threat actor who also had a hand in running BreachForums, had apparently not been arrested. Shortly following the disruption, the threat actor USDoD aka NetSec (with the @EquationGroup handle on X) announced plans to launch a replacement forum seeded with a copy of the same user records.

New Alleged Ownership

On June 10, 2024, BreachForums was again inaccessible via its known clearnet and Tor-based domain names, and the associated Telegram channels were inaccessible. By June 12, 2024, BreachForums was reinstated at the original breachforums[.]st domain. The same day, ShinyHunters blamed technical issues for the unavailability and claimed the termination of the channel and group, as well as the actor’s own Telegram account, was done by Telegram. The actor claimed to no longer have the motivation to keep the forum running and mentioned the project likely would be transferred to the actor using the Hollow handle. However, on June 14, 2024, ShinyHunters announced the actor’s retirement and claimed the new owner of BreachForums would be a newly registered member who uses the handle Anastasia. ShinyHunters claimed the individual behind the newly registered handle is an “OG” aka an old member of the underground community. We believe ShinyHunters is referring to a moderator of the now-defunct Raid Forums underground forum who used this handle. As of July 5, 2024, BreachForums remains online. Intel 471 continues to monitor.

Assessment

The BreachForums underground forum and its predecessors — notable for their large user bases and quantity of leaked data — continue to be a focus for law enforcement agencies, which have had success in disrupting predominantly English-language underground forums. In the short term, we almost certainly will see falling user activity. But history has shown these communities are resilient, and they can be difficult to suppress. There’s both money and notoriety in running these types of forums.

Some have raised questions why law enforcement continues taking down sites such as this one when new iterations are likely to appear. The argument goes: Would the efforts not be better spent, say, fighting ransomware groups, given the deep economic damage and havoc those groups inflict?

It’s a reasonable question to ask. We contend there’s a thinner line between these communities than one might think. For example, we’ve observed prolific IABs, data sellers and credible threat actors on BreachForums who have accounts across other cybercriminal forums. One such group that leverages numerous handles on BreachForums is one of the most prolific vendors of compromised access and data since it first appeared in 2014. The group actively advertises compromised databases, personally identifiable information (PII) and documents of corporate, military and government entities. In another example, the actor mont4na (see Intel 471’s white paper about mont4na here) maintained a handle on BreachForums. The actor compromises PII and credentials, often by exploiting SQL injection (SQLi) and remote code execution (RCE) vulnerabilities. Some of the same organizations that mont4na has previously sold access to have later fallen victim to ransomware, although a direct connection between those incidents and this actor cannot be made. Ransomware is a significant threat, of course, but that doesn’t mean it’s the only one. Sites such as BreachForums can act as training grounds for cybercrime, and it’s an important deterrent to show these sites can’t continue to run without scrutiny.

Another point made about BreachForums is that it’s a distraction because it is a venue to publicize false breach claims, causing misleading media headlines and forcing researchers to expend resources on disinformation. However, false claims are not unique to BreachForums, and it’s one of the persistent challenges when collecting and analyzing cyber threat intelligence: Is a threat actor telling the truth? What skills does the person have? Is the person a threat? By using a combination of techniques, from human engagement to historical threat actor reputation to cross-checking data leak samples with previous breaches, it’s often possible to quickly determine whether an actor is bluffing or in fact has accomplished what is claimed. Despite the frequent misleading claims, BreachForums had been used to advertise real breaches, including ones affecting clients of data warehousing company Snowflake, a European Union Agency for Law Enforcement Cooperation (Europol) system called Platform for Experts and one involving customer data belonging to Dell Technologies.
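Cross-checking a claimed leak sample against previous breaches, as an added example (not Intel 471’s method or tooling): the script below normalizes and hashes the records a seller posts as proof, looks them up in an index of already-public dumps, and reports what fraction is recycled. All corpus names and records are constructed placeholders.

```python
"""Measure how much of a claimed leak sample already appears in known dumps."""
import hashlib
import re
from typing import Dict, List, Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize(record: str) -> Optional[str]:
    """Canonicalize an email-like record so case or whitespace cannot hide reuse."""
    rec = record.strip().lower()
    return rec if EMAIL_RE.match(rec) else None


def fingerprint(record: str) -> str:
    """Hash normalized records so the index holds no raw PII."""
    return hashlib.sha256(record.encode()).hexdigest()


def build_index(corpora: Dict[str, List[str]]) -> Dict[str, str]:
    """Map fingerprint -> name of the first known dump containing the record."""
    index: Dict[str, str] = {}
    for name, records in corpora.items():
        for r in records:
            n = normalize(r)
            if n and fingerprint(n) not in index:
                index[fingerprint(n)] = name
    return index


def assess_sample(sample: List[str], index: Dict[str, str]) -> dict:
    """Return unique count, overlap ratio, per-source hits and a verdict."""
    seen, hits = set(), {}
    for r in sample:
        n = normalize(r)
        if not n or n in seen:  # skip malformed lines and duplicates
            continue
        seen.add(n)
        src = index.get(fingerprint(n))
        if src:
            hits[src] = hits.get(src, 0) + 1
    total = len(seen)
    overlap = sum(hits.values()) / total if total else 0.0
    if not total:
        verdict = "no usable records"
    else:  # 80% reuse is an assumed threshold, tune per investigation
        verdict = "likely recycled" if overlap >= 0.8 else "contains new data"
    return {"unique": total, "overlap": round(overlap, 2), "sources": hits, "verdict": verdict}


# Constructed data: two old public dumps and one new "proof" sample.
KNOWN = {"old-dump-2022": ["alice@example.com", "bob@example.com", "carol@example.com"],
         "old-dump-2023": ["dave@example.com", "Bob@Example.com"]}
CLAIM = ["ALICE@example.com", "bob@example.com ", "carol@example.com",
         "dave@example.com", "garbage line", "alice@example.com"]
```

Running `assess_sample(CLAIM, build_index(KNOWN))` on the constructed data reports every unique record as already public, which is the signal that a seller is repackaging old dumps rather than holding a new breach.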

On May 10, 2024, the threat actor IntelBroker advertised a breach of Europol, which supports law enforcement organizations across the EU and the world. (Screenshot via Fastfire on X)

There are other benefits to these takedowns, as they also yield new intelligence about threat actors. Authorities indicated with this takedown that they were reviewing BreachForums’ back-end data. This data could include IP addresses, email addresses, usernames and more, all of which can be leveraged in future investigations. This will add to data that has already been circulating. The user database of Raid Forums, which comprised information on nearly 480,000 accounts, was publicly dumped in late May 2023. Breached also suffered a breach in November 2022, and that data also leaked. The database contained 212,000 records, which included usernames, IP addresses, email addresses, private messages between registered users and hashed passwords. A threat actor later tried to sell it. The Breached administrator Baphomet said the sale of the database was a “continued campaign attempting to destroy the community.”

The exposure of these databases represents a risk of attracting law enforcement attention for any person who interacted on those forums. The situation with BreachForums closely mirrors that of the previous disruption where pompompurin was arrested and the forum closed due to fears of compromise. These parallels likely will be drawn again, with forum members cautious to return in fear of further law enforcement action. If someone decides to create another look-alike forum, they will need to provide reassurances that the new infrastructure is sufficiently secure and user anonymity is guaranteed — and also that they themselves have not been compromised. But after three takedowns in two years, those guarantees may be hard to provide.