What is BreachForums?

The Rise of Breach Forums

Breach Forums was an English-speaking illicit forum. It was on track to become the replacement for Raid Forums. The threat actor “Pompompurin” established it on March 16, 2022. It became the go-to forum for threat actors. They used it to buy and sell compromised datasets. Our analysts observed that the site’s membership expanded quickly. It went from 1,500 members to over 192,000 between March 2022 and November 2022.

Connection to Raid Forums

The US Department of Justice (DOJ) seized Raid Forums on February 25, 2022. This was part of a cooperative law enforcement effort. The effort was both federal interagency and international. The DOJ released a public statement detailing the seizure on April 12, 2022. The DOJ also replaced the Raid Forums landing page with a seizure notice. It unsealed an indictment against the former owner, founder, and head admin of the site.

Following the Raid Forums seizure, threat actors actively sought alternatives to Raid Forums. They did this on the site’s official Telegram channel, “RaidForums.” They recommended other cybercrime venues, including Russian-language venues. Following the invasion of Ukraine on February 24, a Raid Forums administrator announced that the site would ban all users found to be connecting from Russia.

The Raid Forums user base showed a large amount of anti-Russian sentiment. This made Breach Forums a more appealing alternative to Raid’s displaced users. Breach Forums was nearly identical to Raid Forums in appearance and layout. Breach Forums offered incentives for former Raid Forums users to migrate to the platform. This included the ability to retain the paid ranking users previously held on Raid Forums on Breach Forums.

Arrest of Pompompurin

Breach Forums continued its vast popularity. This lasted until the unexpected arrest of “Pompompurin,” the forum’s creator. Pompompurin was revealed to be Conor Brian Fitzpatrick. He was arrested on March 15, 2023.

Pompompurin Pleads Guilty

According to the plea agreement filed July 13, Pompompurin has pleaded guilty to hacking and child pornography possession charges.

He faces up to a 40-year prison sentence, a fine of $750,000, and a supervised release term ranging from 5 years to life attached to the child pornography possession charges, reported Bleeping Computer.

Court documents released July 13 details the three charges:

• Conspiracy to Commit Access Device Fraud
• Access Device Fraud – Unauthorized Solicitation
• Possession of Child Pornography

Following their arrest, Breach administrators have determined to close the forum. 

Breach Forums Announces Shutdown

The administrator “baphomet” announced they would be closing the forum on March 21, 2023. This was done in a Telegram message within the “Breach Forums” channel. The admin initially claimed they had access to the infrastructure. They said they would keep the forum online following Pompompurin’s arrest. However, their most recent message indicates that keeping the forum online may not be worthwhile:

Hello everyone. Please consider this the final update for Breached.

I will be taking down the forum, as I believe we can assume that nothing is safe anymore. I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is.

I want to make it clear, that while this initial announcement is not positive, it's not the end. I'm going to setup another Telegram group for those who want to see what follows. You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all.

As stated in the attached message please give me 24 hours to get som rest and give thought to how we move on from here. I will be back online after that, and we will talk. I am going nowhere.

The cybercrime underground has continually demonstrated resilience. Short-term disruptions result in an alternative quickly replacing it.

However, given the takedown of Raid Forums and arrest of their administrator, and seeing history almost repeat itself with pompompurin’s arrest, it is unclear what threat actor would be willing to take on that risk.

Breach Forums Shuts Down

The Telegram channels tied to Breach Forums closed and locked one month after its closure. They have remained so after Pompompurin’s arrest in March 2023. Several threat actors attempted to create a replacement forum. They attempted to capitalize on the vacuum in venues for compromised databases left by Breach Forums. Displaced Breach Forums users migrated to several existing forums. Enterprising threat actors attempted to create new forums or Telegram channels. Ultimately, “ShinyHunters” with Breach Forums admin baphomet created the closely-named forum, BreachForums, to replace it. They mimicked the appearance of its predecessor. Additionally, it allowed users to maintain the rank that they held on the previous iteration of the forum.

FBI and DOJ Moves to Shut Down BreachForums

The FBI and DOJ moved against Baphomet and seized BreachForums on May 15, 2024. They also took control over various Telegram channels belonging to both Baphomet and BreachForums owners ShinyHunters.

Law enforcement has not shared any additional details surrounding the seizure. This has led to several rumors being circulated within the threat actor community. ShinyHunters claimed that baphomet had been arrested by the FBI.

The FBI and the Department of Justice recently shut down BreachForums. This, in addition to baphomet’s rumored arrest, means BreachForums is currently unavailable. Breach Forums owners ShinyHunters claim to have regained control of the domain. However, the page currently directs to BreachChat, a new Telegram channel.

The cycle of illicit forums and marketplaces continues as other threat actors move forward to create and advertise alternatives.

BreachForums Unavailable

BreachForums administrator “Aegis” on Telegram claimed that Telegram banned the “ShinyHunters” account on June 10, 2024. Telegram is often used as an out-of-band communication tool for threat actors. They can share information during downtime. BreachForums’ other Telegram channels for general communications and announcements are no longer available. These channels continued to facilitate communications following BreachForums’ recent seizure. They appear to be deleted. The BreachForums Surface website and the Tor site do not appear to be operational. This leads threat actors to conclude that this is part of a larger law enforcement operation. Law enforcement seized BreachForums on May 15, 2024. The admins re-claimed the domain. However, no official statement has been released.

BreachNation and DataBreached

“USDoD,” a member of BreachForums, stated that they will launch their own forum on July 4, 2024 that is not associated with the current iteration of BreachForums. The new forum’s domain is planned to be either breachnation[.]io or databreached[.]io.led, and Sinister also have not experienced a significant migration of users, despite the fact that pompompurin maintained accounts and was active on both Cracked and Nulled. This lack of adoption is likely because those forums do not offer many leaked databases.

Lost in Transition: A Timeline of Failed Successors to Breach and Raid Forums

BreachForums Resurfaces

BreachForums resurfaced under one of its previous domains within two weeks of the seizure that took place in May 2024. It was under the administration of ShinyHunters.

ShinyHunters provided an account of the shutdown and their operation to regain control on this new iteration of BreachForums. According to the threat actor, the FBI asked a registrar to point the DNS to the FBI’s seizure page. This would display a message about the forum’s shutdown. In response, BreachForums administrators decided to take action. They retrieved the domain from the registrar. They replaced the seizure page with a link to their new Telegram group.

The FBI’s attempt to seize control of the domain was further hampered. BreachForums administrators transferred the domain to another registrar without the FBI’s knowledge.

The administrators began resharing high-profile databases on the forum within a short time. This was likely an attempt to attract users.

BreachForums Ownership Transfers Yet Again

ShinyHunters’ Telegram account was reportedly banned in June 2024. Associated forum channels became unavailable. This led to speculation of a larger law enforcement operation.

Ownership of BreachForums reportedly transferred to a threat actor named IntelBroker after a retirement announcement from ShinyHunters.

A full database backup of the original Breach Forums dating from 2022 was leaked in July 2024. The breach contained internal details of the forum. This included private messages, payment histories, and user information.

BreachForums’ Recent Outage

BreachForums became inaccessible again in April 2025. This coincided with rumors of IntelBroker’s arrest. Flashpoint analysts have observed the creation of several domains claiming to be replacements since mid-April.

A message was shared on the original domain of BreachForums on April 28. It was reshared across several social media and Telegram channels. BreachForums administrators referenced a cyberattack leveraging a MyBB zero-day vulnerability in this message. They claimed that they had shut down infrastructure to access potential compromises. Additionally, they claimed that they would be performing a complete rewrite of the forum’s backend. They also dispelled rumors regarding any arrests.

Flashpoint will continue to monitor news regarding the disruption of BreachForums. We will also monitor any potential replacement if it fails to return.

Frequently Asked Questions (FAQ)

Q: What was the primary function of BreachForums?

A: BreachForums was an English-speaking illicit forum established in 2022. Its primary function was to serve as a marketplace for threat actors to buy and sell compromised datasets and stolen credentials, replacing the seized Raid Forums.

Q: Why did the original Breach Forums shut down?

A: The original Breach Forums shut down shortly after the unexpected arrest of its creator and owner, “Pompompurin,” in March 2023. Administrators closed the site, fearing the entire infrastructure was compromised by law enforcement.

Q: Why has BreachForums experienced instability and multiple closures?

A: The forum has faced instability due to ongoing law enforcement operations (including seizures by the FBI/DOJ and arrests of administrators) and internal conflicts/changes in ownership. This has created a recurring cycle of shutdown attempts, resurfacing, and new outages.