GLOSSARY

What is Breach Forums?

In this post, we explain what Breach Forums was, and chronicle its beginning, its revival, and the events that led to its shutdown.

The rise of Breach Forums

Breach Forums was an English-speaking illicit forum that was on track to become the replacement for Raid Forums. Established on March 16, 2022 by the threat actor “Pompompurin”, it became the go-to forum for threat actors attempting to buy and sell compromised datasets. From March 2022 to November 2022, our analysts observed that the site’s membership expanded from 1,500 members to over 192,000.

Connection to Raid Forums

On February 25, 2022, the US Department of Justice (DOJ) seized Raid Forums as part of a US federal interagency and international cooperative law enforcement effort to take down the site. The DOJ released a public statement detailing the seizure on April 12, 2022. The DOJ also replaced the Raid Forums landing page with a seizure notice and unsealed an indictment against the former owner, founder, and head admin of the site.

Following the Raid Forums seizure, threat actors actively sought alternatives to Raid Forums on the site’s official Telegram channel, “RaidForums.” They recommended other cybercrime venues including Russian-language venues. Following the invasion of Ukraine on February 24, a Raid Forums administrator announced that the site would ban all users found to be connecting from Russia. 

Due to the large amount of anti-Russian sentiment from the Raid Forums user base, Breach Forums became a more appealing alternative to Raid’s displaced users. Breach Forums was nearly identical to Raid Forums in appearance and layout. Breach Forums offered incentives for former Raid Forums users to migrate to the platform, including the ability to retain on Breach Forums the paid rank they had previously held on Raid Forums.

Arrest of Pompompurin

Breach Forums remained vastly popular until the unexpected arrest of Pompompurin, the forum’s creator. Revealed to be Conor Brian Fitzpatrick, Pompompurin was arrested on March 15, 2023.

Pompompurin pleads guilty

According to the plea agreement filed July 13, Pompompurin has pleaded guilty to hacking and child pornography possession charges.

He faces up to a 40-year prison sentence, a fine of $750,000, and a supervised release term ranging from 5 years to life attached to the child pornography possession charges, reported Bleeping Computer.

Court documents released July 13 detail the three charges:

  • Conspiracy to Commit Access Device Fraud
  • Access Device Fraud – Unauthorized Solicitation
  • Possession of Child Pornography

Following Pompompurin’s arrest, Breach administrators decided to close the forum.

Breach Forums announces shutdown

On March 21, 2023, in a Telegram message within the “Breach Forums” channel, the administrator “baphomet” announced that they would be closing the forum. Following pompompurin’s arrest, the admin initially claimed they had access to the infrastructure and would keep the forum online. However, their most recent message indicates that it may not be worthwhile to keep the forum online:

Hello everyone. Please consider this the final update for Breached.

I will be taking down the forum, as I believe we can assume that nothing is safe anymore. I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is.

I want to make it clear, that while this initial announcement is not positive, it's not the end. I'm going to setup another Telegram group for those who want to see what follows. You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all.

As stated in the attached message please give me 24 hours to get some rest and give thought to how we move on from here. I will be back online after that, and we will talk. I am going nowhere.

The cybercrime underground has continually demonstrated resilience. A short-term disruption results in an alternative quickly replacing the disrupted venue.

However, given the takedown of Raid Forums and arrest of their administrator, and seeing history almost repeat itself with pompompurin’s arrest, it is unclear what threat actor would be willing to take on that risk.

Breach Forums shuts down

The Telegram channels tied to Breach Forums were closed and locked one month after its closure, and have remained so after pompompurin’s arrest in March 2023. Several threat actors attempted to create a replacement forum to capitalize on the vacuum in venues for compromised databases left by Breach Forums. Displaced Breach Forums users migrated to several existing forums, and enterprising threat actors attempted to create new forums or Telegram channels. Ultimately, “ShinyHunters”, together with Breach Forums admin baphomet, created the closely named forum BreachForums to replace it, mimicking the appearance of its predecessor. The new forum also allowed users to maintain the rank that they held on the previous iteration of the forum.

FBI and DOJ move to shut down BreachForums

The FBI and DOJ moved against Baphomet and seized BreachForums on May 15, 2024. They also took control over various Telegram channels belonging to both Baphomet and BreachForums owners ShinyHunters.

Law enforcement has not shared any additional details surrounding the seizure. This has led to several rumors being circulated within the threat actor community, with ShinyHunters claiming that baphomet had been arrested by the FBI.

Given the FBI and the Department of Justice’s recent shutdown of BreachForums, in addition to baphomet’s rumored arrest, BreachForums is currently unavailable. Breach Forums owners ShinyHunters claim to have regained control of the domain; however, the page currently directs to BreachChat, a new Telegram channel.

The cycle of illicit forums and marketplaces continues as other threat actors move forward to create and advertise alternatives.

BreachForums unavailable

On June 10, 2024, BreachForums administrator “Aegis” claimed on Telegram that Telegram had banned the “ShinyHunters” account. Telegram is often used as an out-of-band communication tool for threat actors, where they can share information during downtime. BreachForums’ other Telegram channels for general communications and announcements, which continued to facilitate communications following BreachForums’ recent seizure, are no longer available. Those channels appear to be deleted. The BreachForums surface website and the Tor site do not appear to be operational, leading threat actors to conclude that this is part of a larger law enforcement operation. BreachForums was seized by law enforcement on May 15, 2024, and the admins reclaimed the domain; however, no official statement has been released.

BreachNation and DataBreached

“USDoD,” a member of BreachForums, stated that they will launch their own forum on July 4, 2024 that is not associated with the current iteration of BreachForums. The new forum’s domain is planned to be either breachnation[.]io or databreached[.]io.

…led, and Sinister also have not experienced a significant migration of users, despite the fact that pompompurin maintained accounts and was active on both Cracked and Nulled. This lack of adoption is likely because those forums do not offer many leaked databases.
