Both the clearnet domain as well as the onion darkweb domain of the infamous BreachForums appear to be down in a move that has confused both security researchers and cybercriminals. Attempting to visit these sites leads to a ‘502- Bad Gateway’ error.
While the site has suffered several disruptions due to law enforcement attempts to take down the site, no direct connection has been made to law enforcement activities so far.
BreachForums Down with ‘502- Bad Gateway’ Error
BreachForums had earlier faced an official domain seizure by the FBI in a coordinated effort with various law enforcement agencies. However, shortly after, ‘ShinyHunters’ managed to recover the seized domains, with allegedly leaked FBI communications revealing they had lost control over the domain while the BreachForums staff claimed that it had been transferred to a different host.
However, the site appears to be down again, but with no seizure notice present, leading to speculation over what has struck the site as well as its admin ShinyHunters.
On X and LinkedIn, security researcher Vinny Troia claimed that ShinyHunters had made a direct message through Telegram indicating that he was retiring from the forums, as it was ‘too much heat’ and has shut it down.
Both the researcher’s X and LinkedIn post attribute this incident to the FBI ‘nabbing’ ShinyHunters, even congratulating the agency.
BreachForums Telegram Channels Deleted
Shortly after the official domains went down, several official Telegram accounts that were associated with Breach Forums, including the main announcement channel and the Jacuzzi 2.0 account, were deleted. Forum moderator Aegis stated in a PGP signed message that Shiny Hunters had been banned from Telegram.
In a new ‘Jacuzzi’ Telegram channel created shortly afterwards, a pinned message appears to confirm that the administrator ShinyHunters had quit after wishing to no longer maintain the forum. The message affirms that Shiny had not been arrested, but rather quit, while the forum has not been officially seized but taken down.
A while later, a database allegedly containing data from the ‘breachforums.is’ domain (the previous official domain associated with BreachForums before it shifted to the .st domain) had been circulating among Telegram data leak and sharing channels. Another threat actor stated that the circulating leaks were likely an attempt to gain attention and subscribers in light of recent events, stating that the info is unverified and password-protected.
Several threat actors had attempted to use these disruptions to promote their own alternatives such as Secretforums and Breach Nation. However, the administrator Astounded, who owned Secretforums, had himself announced his retirement from involvement from forum activity recently.
The threat actor USDoD still appears to be promoting their Breach Nation as an alternative to BreachForums, even appreciating the move as a take down of ‘competitors.’
These incidents, along with ShinyHunter’s disappearance, the deletion/unavailability of official channels as well as the arrests and disruptions associated with the forums, raise uncertainty over the community’s future prospects as well as larger implications for data leak sharing. This article will be updated as we gather more information on events surrounding BreachForums.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
