The US authorities appear to have disrupted a notorious hacking forum, just days after a threat actor advertised data stolen from Europol on the site.
Although there’s no official word on the action yet, screenshots posted to X (formerly Twitter) show a takedown notice featuring the logos of the FBI, the Department of Justice (DOJ), the UK’s National Crime Agency (NCA) and other international law enforcement agencies.
“This website has been taken down by the FBI and DOJ with assistance from international partners,” reads the notice. “We are reviewing this site's backend data. If you have information to report about cyber-criminal activity on BreachForums, please contact us.”
The notice also features the profile images of the site’s alleged administrators “Baphomet” and “ShinyHunters,” behind prison bars.
On X, Dark Web Informer posted an apparent announcement from ShinyHunters claiming Baphomet had been arrested and “pretty much all of our infrastructure” had been seized – but that no ShinyHunters members had yet been arrested.
🚨#BREAKING🚨BreachForums has been seized.#DarkWeb #Cybersecurity #Security #Cyberattack #Cybercrime #Privacy #Infosec pic.twitter.com/GT5ZmeZsCB
— Dark Web Informer (@DarkWebInformer) May 15, 2024
Other posts on X claimed the FBI had also seized the official BreachForums Telegram channel and others run by Baphomet.
The FBI is also reaching out to both victims and potential informants for more information on the site. A notice on a dedicated FBI domain explains the history of the site, including its predecessor and namesake and a forerunner known as RaidForums.
“From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc and run by ShinyHunters) was operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services,” it reads.
“Previously, a separate version of BreachForums (hosted at breached.vc/.to/.co and run by pompompurin) operated a similar hacking forum from March 2022 until March 2023. RaidForums (hosted at raidforums.com and run by Omnipotent) was the predecessor hacking forum to both version of BreachForums and ran from early 2015 until February 2022.”
Pompompurin (aka Conor Brian Fitzpatrick) was arrested last year and pleaded guilty to hacking charges in July.
Read more about BreachForums: BreachForums Admin Pleads Guilty to Hacking Charges
A Game of Whack-a-mole
The latest law enforcement move comes just days after notorious threat actor IntelBroker advertised for sale a trove of data they alleged was stolen from Europol. The European police agency confirmed to Infosecurity it had suffered a breach.
However, experts believe it’s only a matter of time before another version of BreachForums appears.
“In the least surprising infosec news of the year, BreachForums has been taken down by law enforcement. That site replaced the old BreachForums, which was taken down by law enforcement,” wrote security expert Troy Hunt on X. “The old BreachForums replaced RaidForums, which was taken down by law enforcement. What’s next?”
Narayana Pappu, CEO at Zendata, said it was “highly likely” the site would reappear, and that the current law enforcement effort would provide only a limited deterrent.
“As far as the previously stolen data leaked on the site, I expect that multiple local copies of it have been downloaded by actors participating in the forums, so there’s continued exposure,” he added.
“Beyond that, the forum operators may have backups of this information, unless the FBI/DOJ also got the operators/backups. Most people participating in these forums are fairly sophisticated and would have protected their identities. However, some folks could be tracked based on their IP addresses, Telegram account information, email addresses, etc.”