The latest incarnation of the BreachForums cybercrime forum has been seized by U.S. and French law enforcement.
The seizure of the BreachForums[.]hn data leak site by the FBI, Department of Justice and French counterparts came just ahead of an October 10 deadline set by the Scattered LAPSUS$ Hunters threat group for victims of its Salesforce and Salesloft data breaches to pay ransom or face public data leaks.
The FBI placed a seizure notice on the site on October 9, and the seizure was also confirmed by Scattered LAPSUS$ Hunters in a PGP-signed message on the group’s Telegram channel.
The threat group’s Tor data leak site remains operational – as does the group’s threat to release data beginning at 11:59 PM EST tonight.
“BreachForums was seized by the FBI and international partners today,” the threat group’s message said. “This was inevitable and I am not surprised. Neither I and others involved with this group have been arrested. All our BreachForums domains were taken from us by the US Government a few days ago. The era of forums are over.”
BreachForums Seizure Spotted Days Before Official Notice
The BreachForums seizure was apparently spotted days before by a threat actor on Telegram who goes by the name “emo,” who noted that the site shared Cloudflare name servers with other FBI-seized sites.
Scattered LAPSUS$ Hunters also seemed to know that the site was breached because the group apparently took down the site, noting in an October 7 post that “We do not operate a clearnet domain anymore, it will be on the onion.”
In a statement to The Cyber Express today, a Scattered LAPSUS$ Hunters spokesperson said, “We were well aware that our domains were snatched. During that time we did not know by who, but when the NS were changed to Cloudflare, we immediately knew who it was. Our BreachForums TOR onion hidden service was also seized because all of our BreachForums backend servers/infrastructure were also seized and destroyed.”
The threat group said in its PGP-signed message that it “conducted a thorough incident response on the BreachForums infrastructure ever since the domains were taken.”
The group noted that the latest BreachForums database backup “was compromised along with every single database backup since 2023 till now,” all escrow databases were compromised, and backend servers were “seized and destroyed.”
“For your own safety, security, and sanity keep your opsec in check,” the group said in its message. “I have no doubt the FBI and other international partners involved will be cracking down on many individuals in the next coming few weeks to months.”
The message noted that it was the fourth time the forums had been seized, going back to BreachForums predecessor RaidForums, and the forums’ history has also included some dramatic arrests.
“BreachForums is never coming back, if it comes back, it should immediately be considered a honeypot,” the message said.
The message also included some background on the history of BreachForums:
“The following is not common knowledge among the general community and public but when RaidForums was seized and BreachForums was launched shortly after, pompompurin was just a front. We all carefully planned the launch of BreachForums since day 1.”
Scattered LAPSUS$ Hunters Maintains Salesforce Threat
The threat group’s message concluded by noting that the October 10 Salesforce leak deadline remains intact.
“[O]ne thing to note is, the recent action the US Government has took against us, has no impact on our Salesforce campaigns. The fact that our DLS [data leak site] was also hosted on BreachForums clearnet domain and because we planned to re-open the forum to leak the data of companies who have not complied with us when the deadline arrived onto the re-opened BreachForums was likely the cause of todays seizure.”
