BreachForums is Taken Down by the FBI, Again

On May 15, both the clear web mirror and the Darknet version of the BreachForums started to display the FBI banner. Neither FBI nor other law enforcement agencies mentioned on the banner published any details regarding the operation. The forum was changing its top-level domains lately, probably maneuvering from the takeovers of the server infrastructure. Was not really effective, by the looks of it.

BreachForums is a major Darknet forum that also serves as a marketplace for various illegal things. Malware, leaked data, hacker services and many other things are (or should I say “were”?) for sale here. It saw a major spike in popularity after law enforcement disrupted another underground forum – RaidForums.

That is not the first time the FBI disrupted BreachForums operations. Back in March 2023, they put the forum offline, but in a different manner – by detaining one of its admins, Pompompurin a.k.a Conor Brian Fitzpatrick. At the same time, feds took quite a lot of data from his computer, putting other admins at risk. This, in fact, was the primary reason for the forum to go offline at that time.

Three months after though it resurfaced, keeping the same format and some of the admins. Group of hackers known as ShinyHunters claimed to be leading the forum’s resurrection. After another month or two, the Darknet facility was running as nothing ever happened. Until this day, of course.

What happened to BreachForums?

I suppose that the FBI managed to seize their network infrastructure, same as they did to several threat actors throughout the last 8 months. The guess is backed by the fact that BreachForums recently went through several TLD changes: from the post-revival breachforums[.]is, that was holding for over half a year, to breachforums[.]cx, and shortly after – to breachforums[.]st. I can hardly imagine what this can be done for, if not for covering the tracks and/or escaping the chase.

But regardless of the way this was done, the result is rather striking. Aside from the forum itself, law enforcement agencies managed to take over the Telegram channel of the forum. As proof, they posted this pretty message from the account of Baphomet, the longtime BF administrator.

This action accompanies a few details from the banner they’ve posted on the Breach main page. Along with the BreachForums logo, they added profile pictures of two admins, Baphomet and The Jacuzzi, with jail bars put on top. That probably supposes the FBI now has access to all the data about the forum admins, or even probably detained them.

Since this all happened just hours ago, and there is no official information from the law enforcement agencies, more and more details will likely surface later on. I will update the post as they appear.

The post BreachForums is Seized, Again, FBI Puts a Banner appeared first on Gridinsoft Blog.

What is BreachForums?

Breached Forums used to be a massive Darknet forum that was acting not only as a communication platform but also as a black market. Hackers from all over the world were selling databases of leaked credentials, banking cards, data stolen from corporations and so forth. Its popularity peaked in early summer 2022, after the FBI closed another Darknet forum – RaidForums – and detained its administrator.

Though, the same but different fate was against BreachForums. One day, Conor Brian Fitzpatrick a.k.a. Pompompurin made a mistake that cost him his freedom – logged into his account without using VPN. That immediately revealed his IP address, and just in a couple of days, pleasant men in uniform were at his doorstep. Despite the servers not being accessed by the law enforcement directly, the other admin of BreachForums decided to shut off the forum, as there was a risk that law enforcement would find him as well.

But, as it turns out, there could be life after death. In late May 2023, several places posted information regarding the Breach revival by ShinyHunters. This infamous gang states they will take over the Breached Forums and run it despite the hazards from the enforcement agencies. And now it is confirmed – BreachForums is back online.

BreachForums Are Revived by ShinyHunters

Probably, the most obvious sign of recognition for the cybercrime gang is the article on Wikipedia. Black hat hackers from ShinyHunters are known for hacking into Microsoft, Bonobos, NitroPDF and many others – enough to get an ill fame. Being active since 2020, they quickly gained a considerable number of victims, especially for peaky guys that are not attacking everyone they see. Despite the detainment of one of their crew members in Morocco, the gang keeps going and, what’s more important, expanding their activities.

The “takeover” of BreachForums is probably the new vector of cybercrime gang development – in all senses. It is probably the first time when a full-fledged cybercrime gang will have an entire forum under their control. Such a behaviour is also a definite sign of hackers having no fairness before law enforcement. This forum was – and still is – a subject of FBI investigation, thus claiming its possession is dangerous to say the least. Possibly, Baphometh, the second admin of Breached, joined or sold all the assets related to this forum to the gang.

Conflict with other forums

Obviously, after the Breached shutdown in late March, its numerous alternatives popped out. Though fellow hackers did not haste using them, because of fears these platforms may be controlled by the FBI or other law enforcement. To bait people, these forums were claiming “cooperation with Breached”, which forced Baphometh to publicly reject any relations. Though some black markets, like Exposed Forum, went further, putting to use incriminating banners like the one they currently have.

Possibly, such a decision and reaction from Exposed admin(s) is dictated by the Breached resurgence. Having to compete with such a large and widely-known brand is pretty tough, thus selling off is an obvious decision. But for me, it looks like shutting down the honeypot which will not be able to attract enough crooks after the rebirth of Breached. This guess is complemented with what appears to be the IP address and hosting name of the Breached back-end server. It is known that the FBI accessed (part of) the network infrastructure of BreachedForums – that’s why, exactly, it was disabled. And I doubt feds are generous enough to allow some hackers to mess around this information.

What then?

It will be pretty interesting to see the fate of such an ambitious step. As I said, after the Breached Forums shutdown, a lot of its alternatives appeared. Some even provided themselves with “promotion” – like Exposed forum, that posted the leaked database of RaidForums. Two months of shutdown never was a pleasant thing for popularity – thus the only thing we can do is simply spectate.

For now, I can warn you about using all such forums. Being a cybercriminal’s nest, any Darknet forum accumulates tons of illegal stuff. Touching it, even if it is a database leaked a couple of years ago, may be the reason for law enforcement to pay a visit to your settlement. Moreover, such places commonly swirl with pitfalls where you can be tricked to install malware. And it is good to remember that all such places are thoroughly controlled by the FBI and other enforcement agencies. Everything you say can and will be used against you!

The post BreachForums Is Back Online, Led by ShinyHunters appeared first on Gridinsoft Blog.

What is BreachForums and who is PomPomPurin?

BreachForums is one of the biggest online communities dedicated to hacking, data leaks, malware and so forth. It goes deeply beyond the boundaries of legitimacy and is considered one of the Darknet markets. It contains numerous offers of leaked data for sale – mainly from corporations and government organisations. BreachForums also was a place to post bids for access to corporate networks and databases with data of specific groups of people. Despite such illegal content, it was available from the surface Web, yet some sections were Darknet-only. The fact that the FBI is interested in stirring this snake ball is estimated.

On March 17, 2023, one of the administrators of BreachForums, PomPomPurin a.k.a Conor Brian Fitzpatrick was detained. The FBI arrested him in his house in Peekskill, NY. That fact was approved by another “chief” of the forum, nicknamed Baphomet. He noticed that Pom did not appear online for over a day without any warning. After that, he banned both the forum account and server infrastructure access of the detainee. Baphomet additionally pointed out that BreachForums’ work will not be interrupted, as he has enough access to maintain the servers. As it turned out, something went wrong.

BreachForums website is not available

On March 19, 2023, users noticed that BreachForums is not accessible. When trying to access the surface Web version, the server returns 502 error code. It also says “Looks like we have got an invalid response from the upstream server. That’s all we know”. The Darknet version shows an Onionsite Not Found error, which generally stands for the situation when servers that were holding the website are not operating. At a glance, it looks like the FBI proceeded from PomPomPurin detainment to seizing the servers.

Baphomet claimed that there is no danger of the FBI taking over the infrastructure, both physically and technically. Nonetheless, after the BreachForums shutdown, he reappeared with another message. It says that currently Baph does his best to migrate the servers and reconfigure everything as quickly as possible. He also tries to give no chance for law enforcement to reveal it.

That contrasts with his claims in the forum post, where he says about doing constant monitoring of logs to uncover anything that may be a sign of infrastructure compromise. If he suddenly decided to migrate the infrastructure – probably the FBI found a way to access it despite the blocks deployed by Baphomet. Another possible cause is that Pompompurin was pretty talkative, especially considering the possible softening of punishment for cooperation.

This or another way, BreachForums is likely entering troubled times. Even if the migration ends up successful, law enforcement may still be on the trail. Possibly, Baphomet is the next to face nice men in uniform – just because of his decision to take over the forum controls. Still, nothing points to the impossibility of the Breached Forums returning and running in a usual manner – as if nothing happened.

Update for 21.03.2023

A message in the BreachForums Telegram channel appeared, claiming that Breached Forums will not be continued. The channel that most likely belongs to the aforementioned Baphomet, posted the following message:

“I will be taking down the forum, as I believe we can assume that nothing is safe anymore”. That already says a lot regarding what happened to Breached Forums after the PomPompurin detainment. Though Baphomet still has a bit of hope, saying that he will establish another Telegram group, where he will notify about possible betterment.

Even more interesting details appear in the text file that Baph offers to download. It finally sheds light on the FBI’s part in this action. It says that Baph detected login activity on one of the non-essential servers on March 19, 2023 – two days after Pom’s arrest. Thus it is logical to assume that law enforcement succeeded at taking over PomPomPurin’s computer and accessing it. The server contained enough information to compromise source code, user information, configurations and other things.

BreachForums epitaph

It is not completely clear whether Baphomet will use assets from BreachForums or not. He states that a number of other hacker forums’ admins and representatives contacted him, offering certain deals. Baph promises “to build a new community that will have the best features of Breached”. Yet, by these words, the actor confirms that BreachForums are completely ceased, with no chance to return.

Breached Forums saw their major boost after the RaidForums shutdown back in April 2022. A huge community of hackers was seeking another place to communicate, and exchange experiences and stolen data. Pom’s brainchild was first on hand. Moreover, he was brave enough to post an offer to join his forum right under the FBI’s Twitter post regarding the RaidForums shutdown.

Will the hacker community suffer because of such a loss? Most probably, other hacker sites will witness a spike in activity – nature always abhors a vacuum. Another edge of the “problem” is a slowdown in hacker operations: there is no usual place to sell the stolen and buy the needed access or applications. Nonetheless, they will definitely adapt to the situation, and we will see the outcome in the near future.

The post BreachForums is down. Things got worse? appeared first on Gridinsoft Blog.