Following the seizure of the BreachForums domain and the arrest of Baphomet, its new owner ShinyHunters seems to have fully regained control over the site after a recent announcement that the forum will be open for account registration. While the domain itself appeared to have been seized back from law enforcement, the site remained dysfunctional for a while as staff redirected visitors to a new Telegram channel. The site slowly resumed operations while initially disabling account registration. However, the arrests and law enforcement activity connected to the operation of the domain, as well as its quick return to operations, have led cybercriminals to fear possible compromise of the forum infrastructure by law enforcement.

BreachForums Seizure and Return

BreachForums, widely recognized as the successor to RaidForums, has faced several downtimes, seizures and disruptions in its eventful history. The original owner, Conor Brian Fitzpatrick AKA "Pompompurin," was arrested last year on cybercrime and device fraud charges. BreachForums administrator "Baphomet" announced that he would step in as successor and opened a new domain to resume forum activity. However, Baphomet himself feared site compromise by law enforcement and temporarily shut down the forums, expressing that "nothing is safe anymore." [caption id="attachment_72568" align="alignnone" width="1536"] Source: Cyble[/caption] However, Baphomet later announced that he would be working on a new domain and resuming forum operations. The forum soon returned with regular facilitation of data leak sharing and discussion. A year later, Baphomet himself faced arrest after a joint operation from law enforcement, which also seized the BreachForums domain and official Telegram channel. The administrator ShinyHunters emerged as the successor, confirming Baphomet's arrest. However, the domain seizure was short-lived, and was soon redirecting users to a new Telegram channel. An allegedly leaked conversation from an FBI operative to BreachForum's previous domain name registrar and hosting provider NiceNic also appeared to indicate that ShinyHunters had regained control over domain ownership despite its court-ordered seizure. [caption id="attachment_72579" align="alignnone" width="326"] Source: Telegram[/caption] After a period of dysfunction, BreachForums has now resumed operations, with threat actors already claiming new victims on its forum postings.

Emerging Alternatives and Criminal Suspicion Over BreachForums

In the wake of the recent seizure, several other individuals expressed their doubts over BreachForums and its possible usage as a "honeypot" by law enforcement to entrap cybercriminals and disrupt operations. The owner of Secretforums and former owner of Blackforums expressed his belief over Telegram that Baphomet was possibly an informant to law enforcement, citing the latter's interest in maintaining the infrastructure of Blackforums. Prominent threat actor USDoD also cast doubt over the succession of BreachForums to the administrator Shiny Hunters, citing his low stats on the previous domain. These concerns were followed by the self-promotion of SecretForum's and USDoD's announced project "Breach Nation" as possible alternatives. More recently, the CyberNi***rs threat actor group also announced its intention to start a new site to coordinate its operations. Despite these activities and the surrounding suspicion, new owner Shiny Hunters seems eager to return to earlier activities and operations, as judged by their claim of responsibility for an attack impacting Live Nation Entertainment Inc., the parent company of Ticketmaster. The results of these events, their effect on the cybercriminal ecosystem, as well as the viability of emerging forums as alternatives to the relaunched BreachForums led by ShinyHunters, remain unclear. But given how vocal the participants are, the picture will almost certainly get clearer with time. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

While the recent takedown of BreachForums by the FBI, in collaboration with international law enforcement agencies, marked a significant victory against cybercrime. Less than 24 hours after this major blow, the renowned threat actor known as USDoD made an announcement stating his plans to resurrect the forum's community, demonstrating the relentless nature of the cyber underworld. BreachForums had long been a central marketplace for cybercriminals, facilitating the trade of stolen data and hacking tools. Its sudden removal from the dark web was a monumental achievement for law enforcement, akin to dismantling a major illicit market. However, the cybercriminal community's response was swift and defiant as demonstrated by the alleged claim by ShinyHunters, one of the leftover administrators just a day later that the site domain itself had been recovered. Alongside the possible domain recovery, USDoD also separately pledged to rebuild and improve upon BreachForums through a newer competitive forum, promising a new beginning for the infamous community.

USDoD Announces Creation of Breach Nation Forum

In a bold statement following the takedown, USDoD assured the community that he had already been working on rebuilding BreachForums, promising that the forum's legacy and user data would be preserved. He emphasized his dedication to creating a new community, presenting the takedown as not the end but an opportunity for a fresh start. [caption id="attachment_69063" align="alignnone" width="523"] Source: X.com (@EquationCorp)[/caption] His announcement also detailed the allocation of resources and infrastructure to support the new forum. The new domains, breachnation.io and databreached.io, are set to launch on July 4, 2024, symbolically coinciding with Independence Day. This new community, dubbed "Breach Nation," aims to offer enhanced features and security. [caption id="attachment_69064" align="alignnone" width="544"] Source: X.com (@EquationCorp)[/caption] USDoD’s vision for BreachForums 3.0 includes robust infrastructure, with separate servers to ensure optimal performance and security. He has assured the community that he is not driven by profit and aims to offer an upgraded member rank to the first 200,000 users as a token of goodwill. He acknowledged the challenges ahead, including potential opposition from law enforcement as well as possible competition from the BreachForums administrator ShinyHunters. He also addressed concerns about compromise within the forum's administration, stating that he would initially manage it alone to ensure security and build trust.

USDoD's Earlier Activities

USDoD's bold promise to create the new Breach Nation forum highlights the persistence of the cybercriminal underworld. The threat actor is a notable figure in the cybercriminal community and was previously known as NetSec on RaidForums. USDoD is known to employ sophisticated social engineering and impersonation techniques to penetrate secure systems. His activities included exposing data related to several high-profile organizations such as InfraGard, Airbus, and several, the U.S. Army, NATO Cyber Center, and CEPOL. He also claimed responsibility for alleged data leaks from the defense contractor Thales as well the Communist Party of China. A newer CDN created by USDoD was first publicized around the same time as the alleged China data leak, this CDN is stated to be incorporated for the new domain's infrastructure and seemingly being reworked and shifted to a new domain. [caption id="attachment_69068" align="alignnone" width="566"] Source: X.com (@EquationCorp)[/caption] While the potential impact of the new forum remains unclear, it may be a key development to watch in the ongoing struggle between law enforcement and cybercrime in the aftermath of the BreachForums domain seizure. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.