Another One Bites the Dust: The (Apparent) End of Breach Forums
On March 15, 2023, Breach Forums administrator Conor Brian Fitzpatrick (aka “pompompurin”) was arrested and charged with conspiracy to commit access device fraud
The arrest of pompompurin
The cycle of fraud venue shutdowns continued on Wednesday, March 15, 2023, when Breach Forums administrator Conor Brian Fitzpatrick (aka “pompompurin”) was arrested and charged with a single count of conspiracy to commit access device fraud.
“pompompurin” is an English-language threat actor who has been active on English- and Russian-language forums since at least October 2020. pompompurin gained notoriety following an FBI email exploit in October 2021, in which they sent tens of thousands of emails from an FBI domain. pompompurin became a highly reputable threat actor on the now-defunct top-tier hacking forum Raid Forums. Following pompompurin’s arrest, Breach administrators decided to close the forum.
Coincidentally, the one-year anniversary of Breach Forums occurred around the same time these events unfolded. Let’s examine the rise and fall of Breach Forums, its impact on the cybercrime underground, and what it means moving forward.
The rise of Breach Forums
Breach Forums was an English-speaking illicit forum that was on track to become the replacement for Raid Forums. Established on March 16, 2022, it became the go-to hacking forum for threat actors attempting to buy and sell compromised datasets. From March 2022 to November 2022, our analysts observed that the site’s membership expanded from 1,500 members to over 192,000.
Connection to Raid Forums
On February 25, 2022, the US Department of Justice (DOJ) seized Raid Forums as part of a US federal interagency and international cooperative law enforcement effort to take down the site. This seizure was not publicly confirmed to have been a US-led law enforcement operation until April 12, 2022, when the DOJ released a public statement detailing the seizure, replaced the Raid Forums landing page with a seizure notice, and unsealed an indictment against the former owner, founder, and head admin of the site.
Following the Raid Forums seizure, threat actors actively sought alternatives to Raid Forums on the site’s official Telegram channel, “RaidForums.” Other cybercrime venues were recommended, including Russian-language venues. Following the invasion of Ukraine on February 24, a Raid Forums administrator announced that the site would ban all users found to be connecting from Russia.
Due to the large amount of anti-Russian sentiment from the Raid Forums user base, Breach Forums became a more appealing alternative for Raid’s displaced users. Breach Forums was nearly identical to Raid Forums in appearance and layout. Breach Forums offered incentives for former Raid Forums users to migrate to the platform, including the ability to carry over to Breach Forums the paid rank they had previously held on Raid Forums.
Breach announces shutdown
On March 21, 2023, in a Telegram message within the “Breach Forums” channel, the administrator “baphomet” announced that they would be closing the forum. Following pompompurin’s arrest, the admin initially claimed they had access to the infrastructure and would keep the forum online. However, their most recent message indicates that it may not be worthwhile to keep the forum online:
Hello everyone. Please consider this the final update for Breached.
I will be taking down the forum, as I believe we can assume that nothing is safe anymore. I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is.
I want to make it clear, that while this initial announcement is not positive, it’s not the end. I’m going to set up another Telegram group for those who want to see what follows. You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all.
As stated in the attached message please give me 24 hours to get some rest and give thought to how we move on from here. I will be back online after that, and we will talk. I am going nowhere.
The cybercrime underground has continually demonstrated resilience. While an arrest or takedown can result in a short-term disruption, the disrupted activity will likely be replaced by some alternative. However, given the takedown of Raid Forums and the arrest of its administrator, and seeing history almost repeat itself with pompompurin’s arrest, it is unclear which threat actor would be willing to take on that risk.
baphomet’s latest message indicated that the forum will likely relaunch in another format, though it remains to be seen whether this will continue in the spirit of Raid or Breach, or be something new entirely. Threat actors will likely continue to have an appetite for breached databases, and it remains to be seen whether that appetite can be met through an alternative venue or requires a new forum entirely.
What is next after Breach Forums?
One month after the closure of Breach Forums, the Telegram channels linked to Breach Forums have been closed and locked. A new Telegram channel was created by baphomet to discuss alternative forums and plans. However, that channel was closed after just a few days. Although several new forums have been created aiming to fill the vacuum created by the Breach Forums shutdown, baphomet has claimed that there is no official replacement:
“None of the new forums are related to us, and I do not provide any information on our users for them to confirm your previous identity within our community. Feel free to join these forums, just please be cautious as always.”
Overall, there has been no clear alternative or replacement that has been developed or agreed upon by relevant threat actors and former administrators. The following illicit forums, markets, and threat actor groups have attempted to replace Breach Forums:
PwnedForum was recently launched on March 29, 2023, and is an identically formatted clone of Breach Forums. It quickly started to gain users and share compromised data. However, it was shut down on April 4, 2023, following a disagreement between the site’s creator and forum administrators. Since its closing, one of the former administrators has claimed to be working on a new forum separate from PwnedForum.
KKKSecForum was created as a new alternative to Breach Forums by a user claiming to be linked with the global hacktivist collective “Anonymous.” While the name “kkk” is Brazilian slang for “lol” (“laugh out loud”), the name may lead to challenges in recruiting English-speaking users for the forum due to its potential name association with the Ku Klux Klan, a US far-right extremist hate group.
“Ares” is a threat group with links to other known groups, such as “Adrastea” and “RansomHouse,” that is attempting to fill the data leak void left by Breach Forums. Ares offers various hacking services such as malware development and penetration testing. In addition, it appears that Ares has begun promoting Telegram subscriptions to its leaked data in early February.
The group has advertised affiliations with other recognizable threat actors and hacking groups to build a reputation and a larger community. Ares appears to be growing in popularity, but its subscription and premium model may hinder new users seeking leaked data.
Exploit and XSS
In addition to the new forums being created, threat actors have also been urged to join existing popular Russian-language forums Exploit and XSS, which served as competitors to Breach Forums. However, the language and culture provide a significant barrier to many users. Flashpoint has not observed any significant increases in activity or users on XSS or Exploit since Breach Forums’ closure.
These two platforms already harbor well-known communities with interests and threat actors that differ from those of Breach Forums. Exploit and XSS have historically featured discussions and sales of malware and ransomware, while Breach Forums attracted users with free or low-cost leaked data and hacking services.
Cracked, Nulled, and Sinister
Other existing and popular English-language hacking forums, Cracked, Nulled, and Sinister, also have not experienced a significant migration of users, despite the fact that pompompurin maintained accounts and was active on both Cracked and Nulled. This lack of adoption is likely because those forums do not offer many leaked databases.