After disappearing in early April, hacking forum BreachForums has resurfaced through multiple clone websites which security experts suggest may be part of a covert law enforcement takedown.

BreachForums has provided hackers with a discussion and trading platform since March 2022, with its illicit data brokerage being linked to such cyberattacks as the 2022 Optus attack and this year’s alleged mega breach at cloud giant Oracle.

The platform has long served as the internet's black-hat 'village square' — while ransomware gangs tend to operate on hidden dark web blogs, BreachForums has provided cybercriminals a centralised, mainstream avenue to meet other criminals, discuss data breaches, share hacking tools and trade stolen data.

On 15 April, the platform disappeared in what appeared to be a distributed denial of service (DDoS) attack.

With its domain made unreachable and its criminal userbase left guessing whether the site had been compromised by law enforcement or rival hackers, the site quietly returned on Monday with nothing but a text message signed by an anonymous “BreachForums Administration” member.

The self-declared administrator explained an open-source forum software used by BreachForums had been subject to a zero-day vulnerability – prompting them to “immediately” shut down the platform’s infrastructure and conduct “incident response procedures”.

“In or around April 15, we received confirmation of information that we had been suspecting since day 1 – a MyBB 0day,” they wrote.

“This confirmation came through trusted contacts that we are in touch with, which revealed that our forum is subject to infiltration by various agencies and other global law enforcement bodies.”

The ‘admin’ emphasised BreachForums had not been compromised and no data had been exposed, before apologising to the hacking “community” for a “lack of communication and transparency” in recent weeks.

Soon after, multiple BreachForums clone sites were spotted on the web, leading cybersecurity experts to suggest law enforcement may have initiated a covert operation to draw out the platform’s users.

Evan Vougdis, cyber director at Sydney-based cybersecurity firm NSB Cyber, told Information Age the clone websites were unlikely to be legitimate.

“While many clone sites are popping up, it’s unlikely these sites represent legitimate infrastructure relating to BreachForums, but rather potential law enforcement or scam honeypots designed to monitor, entrap, or defraud cybercriminals,” he said.

Cybercriminals flock to potential honeypots

Information Age has observed three alleged BreachForums platforms operating through new domain names since early April, though it is unclear if any of them are legitimate.

One BreachForums clone turned out to be a scam attempt by hacking group ‘Dark Storm’, while the party running the original domain has expressly warned visitors to be wary of the “growing number of BreachForums clones”.

“We strongly advise against engaging with these BreachForums clones, as they are likely honeypots and cannot be trusted,” reads a warning on BreachForums’ original domain.

Adding to the chaos is that BreachForums’ operators are anonymous, and ownership of the site changes hands frequently.

Its founder, Conor Brian Fitzpatrick, was arrested in March 2023 as part of a Federal Bureau of Investigation (FBI) initiative which saw the platform’s infrastructure seized and shut down.

BreachForums later resurfaced under self-proclaimed operators Shiny Hunters, who famously used the platform to spruik an alleged data breach of ticketing and events giant Ticketmaster in 2024. The platform was then passed to hacker ‘IntelBroker’ and, later, another hacker named ‘Anastasia’.

“This isn’t the first time we’ve seen BreachForums face potential law enforcement disruption, with the FBI seizing its domains multiple times,” said Vougdis.

“While it’s unlikely to be the end for BreachForums, one thing that isn’t clear right now is who is managing the site.”

Hacker says members arrested by FBI

During its downtime, a functional clone of the BreachForums website ran on ‘breached[.]fi’ until 25 April, at which point the person calling themselves Anastasia replaced the entire infrastructure with a warning that prominent BreachForums members had been arrested by the FBI.

“BreachForums [was] seized,” wrote Anastasia.

“FBI will post announce soonly! [sic]

“[I] resigned and consider BF was down forever and no more want to play with it [sic].”

The hacker went on to offer the infrastructure of BreachForums for sale at $2,000, before claiming they had a backup of the platform dated 10 April.

The FBI has been contacted for comment but did not respond prior to publication.

Nothing to see here

Following Anastasia’s warning of an alleged FBI takedown, Information Age observed yet another BreachForums clone whose admin declared no FBI seizure or arrest had occurred whatsoever.

“Welcome to BreachForums, reincarnated,” they wrote.

“This forum is back with the original team behind BreachForums.”

Despite widespread suspicions of a law enforcement takeover, the admin called for BreachForums users to “restore” their ranking by providing proof of their former payments on the platform.

“Please provide a screenshot of the e-mail you got from the payment provider when you bought the rank,” they wrote.

With authorities staying quiet and hackers seemingly attempting to leverage BreachForums’ downtime for honeypot scams, Vaughan Shanks, chief executive of Melbourne-based incident response vendor Cydarm Technologies, told Information Age the situation remains unclear.

“It's not clear who might have done this — it could have been nation state-backed for law enforcement or intel, or it could have been rival cybercriminals.”