17 May 2024

BreachForums seized! One of the world’s largest hacking forums is taken down by the FBI… again – Source: www.tripwire.com


Source: www.tripwire.com – Author: Graham Cluley Law enforcement agencies worldwide have coordinated to take down one of the world’s largest hacker forums, scoring a victory against cybercrime. BreachForums, a notorious marketplace for stolen data, was seized by the authorities on Wednesday, according to a message on its website. BREACHFORUMS IS UNDER THE CONTROL OF THE […]

The post "BreachForums seized! One of the world's largest hacking forums is taken down by the FBI… again – Source: www.tripwire.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

Before yesterday

BreachForums Hacking Marketplace Taken Down Again – Source: www.infosecurity-magazine.com


Source: www.infosecurity-magazine.com – Author: 1 The US authorities appear to have disrupted a notorious hacking forum, just days after a threat actor advertised data stolen from Europol on the site. Although there’s no official word on the action yet, screenshots posted to X (formerly Twitter) show a takedown notice featuring the logos of the FBI, […]

The post "BreachForums Hacking Marketplace Taken Down Again – Source: www.infosecurity-magazine.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

FBI, DoJ Shut Down BreachForums, Launch Investigation – Source: www.darkreading.com


Source: www.darkreading.com – Author: Dark Reading Staff On the morning of May 15, the FBI seized BreachForums' hacking forum, as well as its Telegram channel. The website is now displaying a message alerting visitors that it has been taken down by the FBI and US […]

The post "FBI, DoJ Shut Down BreachForums, Launch Investigation – Source: www.darkreading.com" was first published on CISO2CISO.COM & CYBER SECURITY GROUP.

FBI Seized BreachForums’ Web Domains and Telegram Accounts


The notorious BreachForums has been seized for the second time in a year. U.S. law enforcement today seized the clear web domain of the second version of BreachForums, popularly known in the underground market as the Breached hacking forum, which helped sell stolen data and credentials. Hosted at BreachForums[.]st, the domain now shows a seizure banner saying the website was taken down by the FBI and the U.S. Department of Justice with assistance from international partners. Other law enforcement authorities worldwide were also part of this action, including the Australian Federal Police, the U.K. National Crime Agency, New Zealand Police, the police department of the canton of Zürich in Switzerland and the Icelandic Police, among others. As is common with domain seizure messages, law enforcement displayed the logo of the site. It took an unconventional approach, however, by also featuring two avatars, likely those of BreachForums' administrators "Baphomet" and "ShinyHunters", behind bars in the seizure banner.


The message on the banner reads: "We are reviewing this site's backend data. If you have information to report about cybercriminal activity on BreachForums, please contact us." Law enforcement has also shared a link to a form hosted on the Internet Crime Complaint Center. The FBI has put out a questionnaire for victims or individuals who have information to assist in any of the investigations into BreachForums v2, BreachForums v1, or Raidforums.

A summary of the takedown on this portal says: "The Federal Bureau of Investigation (FBI) is investigating the criminal hacking forums known as BreachForums and Raidforums. From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc and run by ShinyHunters) was operating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices, means of identification, hacking tools, breached databases, and other illegal services."

Earlier, a separate version of BreachForums hosted at breached.vc/.to/.co and run by pompompurin from March 2022 to 2023 was seized by U.S. law enforcement in June 2023. Raidforums, hosted at raidforums.com and run by an admin under the moniker "Omnipotent", was the predecessor of both versions of BreachForums and ran from early 2015 until February 2022.

The Telegram channel of "Baphomet," one of the administrators behind BreachForums, has also been seized, according to a pinned message from law enforcement on his channel. [Image: BreachForums seizure notice on Telegram. Credit: Dark Web Intelligence]
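The FBI notice above lists each forum's hosts in a shorthand ("breachforums.st/.cx/.is/.vc" means one host name under several TLDs), and this article defangs the live domain as "BreachForums[.]st". A defender who wants to block or alert on traffic to these forums has to expand and refang that notation first. The script below is an added example, not code from the article or from any of the publications it quotes: it takes the domain lists exactly as the notice states them, expands the shorthand into fully qualified names, and emits a DNS Response Policy Zone fragment. The interpretation of the shorthand and the choice of RPZ as output are assumptions made for this example.

```python
import re

# Domain lists as stated in the seizure notice quoted above (constructed input,
# copied from the article; the v2 entry is deliberately defanged with "[.]").
SEIZURE_NOTICE_DOMAINS = {
    "BreachForums v2": "breachforums[.]st/.cx/.is/.vc",
    "BreachForums v1": "breached.vc/.to/.co",
    "Raidforums": "raidforums.com",
}

# Common defanging styles used in threat reports: "[.]", "(.)", "{.}", " dot ".
DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\s+dot\s+", re.IGNORECASE)
LABEL = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("breachforums[.]st", "hxxp://x") into a plain host name."""
    d = DEFANG_DOT.sub(".", indicator.strip())
    d = re.sub(r"^hxxps?://", "", d, flags=re.IGNORECASE)
    return d.lower()


def expand_tld_shorthand(spec: str) -> list[str]:
    """Expand "host.tld1/.tld2/.tld3" into ["host.tld1", "host.tld2", "host.tld3"].

    Assumption (not stated by the notice): every "/.xxx" part after the first
    domain is an alternative suffix for the same host label.
    """
    parts = [p for p in refang(spec).split("/") if p]
    if not parts:
        return []
    first = parts[0]
    if "." not in first:
        raise ValueError(f"no TLD in {spec!r}")
    host, _, _ = first.rpartition(".")
    fqdns = [first]
    for alt in parts[1:]:
        suffix = alt.lstrip(".")
        if not LABEL.fullmatch(suffix):
            raise ValueError(f"bad suffix {alt!r} in {spec!r}")
        fqdns.append(f"{host}.{suffix}")
    return fqdns


def build_blocklist(specs: dict[str, str]) -> dict[str, str]:
    """Map every expanded FQDN to the forum label it came from."""
    blocklist: dict[str, str] = {}
    for label, spec in specs.items():
        for fqdn in expand_tld_shorthand(spec):
            blocklist[fqdn] = label
    return blocklist


def as_rpz(blocklist: dict[str, str]) -> str:
    """Render an RPZ fragment: "CNAME ." is the NXDOMAIN action, applied to the
    domain and to all of its subdomains. Sorted so the output is stable for diffs."""
    lines = []
    for fqdn in sorted(blocklist):
        lines.append(f"; {blocklist[fqdn]}")
        lines.append(f"{fqdn} CNAME .")
        lines.append(f"*.{fqdn} CNAME .")
    return "\n".join(lines)


if __name__ == "__main__":
    print(as_rpz(build_blocklist(SEIZURE_NOTICE_DOMAINS)))
```

Note that a blocklist built from a seizure notice ages quickly: the same article reports that the v2 domain was later claimed to be back under the operators' control and redirecting to Telegram, so the list is a starting point for detection rather than a substitute for monitoring where the domains actually resolve.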

ShinyHunters Confirms Baphomet's Arrest

ShinyHunters, one of the administrators of BreachForums, allegedly confirmed on a Telegram channel called "BF Announcements" the arrest of Baphomet and said that law enforcement did not get to anyone from the ShinyHunters gang. [Image: message on the BF Announcements Telegram channel]

Later in the same channel, the administrator claimed that the domain had been recovered from law enforcement's control, as happened during the BreachForums v1 takedown, when a cat-and-mouse game between the two sides went on for a while. The Cyber Express tried to verify this claim and saw that the domain is now redirecting to a Telegram chat group called "Jacuzzi 2.0". FBI and Justice Department spokespersons were not immediately available for comment when contacted by The Cyber Express for details on the latest claims.

This is a developing story. The article will be updated with the latest information as it becomes available.

Update 1: Added Telegram account seizure details along with screenshot.

Update 2, May 16, 9:40 AM (UTC): Added details from ShinyHunters' BF Announcements Telegram channel that allegedly confirmed the arrest of one of the administrators of BreachForums, Baphomet.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cybersecurity Alert: Frotcom International Faces Alleged Data Breach


A dark web actor named DuckyMummy has claimed responsibility for an alleged data breach at Frotcom International, a prominent vehicle tracking and fleet management provider based in Carnaxide, Portugal. The Frotcom data breach, disclosed on nuovo BreachForums, would, if genuine, indicate a compromise of Frotcom's internal systems, potentially exposing sensitive information including GPS IMEI numbers, real-time vehicle tracking data, billing details, and customer account information.

Alleged Frotcom Data Breach Surfaces on Dark Web

DuckyMummy's post on the forum detailed the claimed extent of the Frotcom data breach, indicating access to internal systems spanning more than 40 countries and over 5,000 companies. The compromised data allegedly encompasses information crucial to Frotcom's operations, from GPS tracking data to customer billing information. [Image: Frotcom data breach post. Source: Dark Web] As proof of their claims, the threat actor shared sample records showing live GPS vehicle information sorted by country and offered the database for sale at a price of USD 5,000.
“These days I have breached the company security, and I have dumped all information and got access to all internal systems of the company, more than 40 countries, more than 5,000 COMPANIES !”, stated the hacker
The Cyber Express has reached out to Frotcom for official confirmation and further details regarding the breach. However, as of the time of writing, no official statement or response has been received, leaving the claims surrounding the Frotcom data leak unverified.

Cyberattacks on Freight Companies 

The Frotcom data leak is not an isolated event and is a reminder of the growing threats faced by the transportation sector in an increasingly digitized world. As transportation systems become more reliant on interconnected digital technologies, they have become lucrative targets for threat actors seeking to disrupt operations, extort organizations over sensitive data, or inflict financial harm. The ramifications of cyberattacks on transportation infrastructure are profound, ranging from supply chain disruptions to the compromise of sensitive passenger data. Recent incidents such as the ransomware attack on Japan's Port of Nagoya, which halted operations for two days, highlight the real-world impact of such breaches on global trade and commerce.

Moreover, the evolving nature of cyber threats poses a significant challenge to the transportation sector. Attack vectors are becoming increasingly diversified, with intrusions often originating from third-party supply chain partners or software vendors. Additionally, the rise of politically motivated threat actors further complicates the picture, as evidenced by the DDoS attacks on US airports claimed by Russian-speaking hackers. Looking back at historical events, cyber incidents targeting transportation infrastructure have resulted in widespread disruption and societal harm. From DDoS attacks on Czech railways and airports to ransomware incidents affecting Italian State Railways, these incidents highlight the vulnerability of transportation systems to malicious cyber activity.

Dark Web Hacker Claims to Expose 70K National Parent Teacher Association Records


The hacker IntelBroker has allegedly leaked a database belonging to the National Parent Teacher Association (PTA), a cornerstone of child advocacy in America since its establishment in 1897. The National Parent Teacher Association breach, which allegedly occurred in March, was posted by the threat actor on May 13, 2024. Over 70,000 records of registered users, comprising a wealth of sensitive data, were reportedly compromised in this PTA data breach. The leaked data, disclosed on nuovo BreachForums, reportedly includes information ranging from personal identifiers to financial details.

Dark Web Hacker Discloses National Parent Teacher Association Breach 

Among the exposed data are insurance records, college information, client lists, medical insurance records, and payment information. This PTA data breach not only poses a threat to the privacy and security of individuals but also raises concerns about the misuse of such sensitive information. [Image: National Parent Teacher Association breach post. Source: X] The impact of this breach extends beyond the PTA itself, affecting individuals across the United States. With PTA.org being the primary platform for engagement, the breach, if true, can have severe consequences. The post on BreachForums by IntelBroker, titled "Parent Teacher Association Database, Leaked - Download!" and timestamped May 13, 2024, provides insights into the claimed extent of the PTA data breach. The threat actor claims responsibility for the breach alongside an entity named GodLike. The data dump shared by IntelBroker reportedly includes identifiers, addresses, contact information, and policy-related data.

Cyberattack on Educational Institutions

The Cyber Express reached out to the National Parent Teacher Association for clarification and response regarding the breach. However, at the time of writing, no official statement or response has been received. Moreover, this isn't the first time a student-centric organization has been targeted in a cyberattack. Educational institutions, from K-12 schools to universities, store vast amounts of personal data, making them prime targets for cyberattacks. The educational sector witnessed a 258% surge in incidents in 2023, with 1,537 confirmed data disclosures, often attributed to vulnerabilities such as the MOVEit flaw. Ransomware remains a major external threat, while internal risks stem from uninformed users and overworked staff. Attacks, primarily financially motivated, exploit the emotionally fraught nature of personal data exposure. Common attacks include data breaches, ransomware, BEC, DDoS, and online intrusions. Recent high-profile attacks, such as those on the University of Manchester and the University of California, highlight the urgent need for enhanced cybersecurity measures in educational institutions.

Alleged Hosocongty Data Breach Exposes Vietnamese Job Seekers


A dark web hacker known as "makishimaaaa" has recently advertised a significant data breach on nuovo BreachForums. The compromised data allegedly originates from Hosocongty, a prominent Vietnamese job search platform. According to makishimaaaa's post on May 12, 2024, the hacker claims to have exfiltrated a database of personally identifiable information (PII) from Hosocongty in 2024. The database, offered for sale at a price of $320, allegedly contains approximately 160,000 records. These records reportedly include sensitive information such as company names, passwords, contact details, and various other personal identifiers. Interested buyers are instructed to contact the hacker privately, with the option of using escrow systems for transactions.

Hosocongty Data Breach Exposes Thousands of Job Seekers

Hosocongty.vn, the affected platform, serves as a crucial link between job seekers and employers across Vietnam. Its rapid growth highlights its significance in the country's job market. However, this data breach raises concerns about the security and privacy of the platform's users. [Image: Hosocongty data breach post. Source: Dark Web] Makishimaaaa's relatively low asking price and status as a new member of the hacking forum suggest a developing situation. The hacker joined the platform in March 2024 and has since posted 38 times. The low price may be an attempt to sell the data quickly without attracting scrutiny. The compromised database reportedly contains a wealth of personal information, including company details, contact numbers, email addresses, and more. Makishimaaaa emphasizes the quality and active rate of the data, reassuring potential buyers of its reliability. The Cyber Express has reached out to the recruitment firm to learn more about this Hosocongty data breach. However, at the time of writing, no official statement or response has been released, leaving the claims about the Hosocongty data leak unverified.

Cyberattack on the Recruitment Sector

The Hosocongty data breach is indicative of a broader trend of increasing cyberattacks on the recruitment sector. In February 2024, Das Team Ag, a prominent job placement agency in Switzerland and Liechtenstein, fell victim to the Black Basta ransomware group, highlighting the vulnerability of recruitment platforms. Cyber risks in the digital hiring process have intensified over the years, with cybercriminals targeting sites housing sensitive data, such as employment platforms. The surge in digitalization has exacerbated these threats, necessitating enhanced security measures across industries. Polymorphic attacks, phishing, and malware are among the most prevalent cyber threats facing the recruitment sector, posing risks to both job seekers and companies. As such, users of Hosocongty are urged to exercise vigilance and implement the necessary security measures to safeguard their personal information. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the Hosocongty data breach or any official confirmation from the Vietnamese job portal.

Hacktivist Group R00TK1T ISC Claims Breach of Egyptian Ministry’s Systems


Hacktivist collective R00TK1T ISC CyberTeam has claimed responsibility for breaching the Ministry of Supply and Internal Trade in Egypt. The group's announcement, posted on their platform, declares a successful infiltration of the ministry's systems, accompanied by purported evidence of their access to highly secure networks. These Ministry of Supply and Internal Trade breach claims come on the heels of previous announcements by R00TK1T ISC, including their intention to target BreachForums and the subsequent closure of their official Telegram channel. The group cited security considerations for their shift back to operating in secrecy, leaving their private data channel as the sole means of communication for their activities.

Ministry of Supply and Internal Trade Breach Claims

[Image: R00TK1T ISC CyberTeam announcement. Source: X] The Cyber Express has tried reaching out to the Egyptian ministry to learn more about the alleged Ministry of Supply and Internal Trade data breach. However, efforts to verify the intrusion were hampered by communication difficulties, preventing direct contact with the ministry. As a result, the claims made by R00TK1T ISC remain unconfirmed. The website of the Ministry of Supply and Internal Trade appears to be operational at the moment and shows no immediate sign of intrusion. The threat actor has shared several screenshots of documents allegedly pilfered through this intrusion. Describing the Ministry of Supply and Internal Trade breach in their post, the threat actor said, "We have successfully hacked into The Ministry of Supply and Internal Trade in Egypt, showcasing our deep infiltration into their systems."

R00TK1T ISC CyberTeam Hacking Spree

Meanwhile, in a separate incident on January 30, 2024, R00TK1T ISC CyberTeam claimed an attack on Malaysia's digital infrastructure, further highlighting the global reach and impact of such activities. Their claim to have accessed sensitive information from prominent companies such as L'Oreal and Qatar Airways highlights the persistence of cyber threats faced by businesses worldwide. In Egypt, the corporate sector has witnessed a surge in ransomware attacks in recent weeks, posing a significant risk to businesses across various industries. This escalating threat necessitates urgent action to bolster cybersecurity measures and mitigate potential damages. Amid ongoing political and security challenges in the Middle East, Egyptian businesses remain prime targets for cyberattacks, with ransomware emerging as a prevalent threat. The consequences of such attacks, including data loss and reputational damage, highlight the critical need for better defense mechanisms.

Hacker Duo Allegedly Strikes HSBC, Barclays in Cyberattacks


Hackers IntelBroker and Sanggiero have claimed a data breach allegedly impacting HSBC Bank and Barclays Bank. The HSBC Bank data breach, along with the breach at Barclays, reportedly occurred in April 2024 through a security incident at a third-party contractor, ultimately leading to the leak of sensitive data. The compromised data, offered for sale on BreachForums, allegedly includes a wide array of files such as database files, certificate files, source code, SQL files, JSON configuration files, and compiled JAR files. Preliminary analysis suggests that the data may have been sourced from the services provided by Baton Systems Inc., a post-trade processing platform, potentially impacting both HSBC Bank and Barclays Bank. However, Baton Systems has not shared any update on this alleged attack or on any connection with the sample data provided by the threat actor.

Hacker Duo Claims Barclays and HSBC Bank Data Breach

Barclays Bank PLC and The Hong Kong and Shanghai Banking Corporation Limited (HSBC) are the primary organizations reportedly affected by this breach. Both operate across the United Kingdom, United States, Europe and North America, so a genuine compromise could expose customer data; however, there has been no evidence of such data being leaked. [Image: Barclays and HSBC Bank data breach post. Source: Dark Web] In a post on BreachForums, one of the threat actors, IntelBroker, shared details of the Barclays and HSBC Bank data breach, offering the compromised data for download. The post, dated May 8, 2024, outlined the nature of the breach and the types of data compromised, including database files, certificate files, source code, and more. The post also provided a sample of the leaked data, consisting of CSV data representing financial transactions across different systems or entities.
Describing the stolen data, IntelBroker wrote that he is "uploading the HSBC & Barclays data breach for you to download. Thanks for reading and enjoy! In April 2024, HSBC & Barclays suffered a data breach when a direct contractor of the two banks was breached. Breached by @IntelBroker & @Sanggiero".

A Closer Look at the Sample Data 

A closer look at the sample data reveals three distinct datasets, each containing transaction records with detailed information about financial activities. These records encompass a range of fields, from transaction IDs and timestamps to descriptions and the account numbers involved. If genuine, such records would give an attacker a detailed view of the transactions flowing between the affected systems. The Cyber Express has reached out to both banks to learn more about these alleged data breaches. HSBC Bank has denied the allegations, stating, "We are aware of these reports and confirm HSBC has not experienced a cybersecurity incident and no HSBC data has been compromised." However, at the time of writing, no official statement or response has been shared by Barclays, leaving the claims related to Barclays unverified. Moreover, the two hackers in question, IntelBroker and Sanggiero, have claimed similar attacks in the past, targeting various global organizations. In an exclusive interview with The Cyber Express, IntelBroker shed light on their hacking activities and the motivations behind their operations. IntelBroker had also praised Sanggiero of BreachForums, saying that "his exceptional intellect and understated contributions to the field are deserving of far greater recognition and respect."

Hacker Makes Claim of Largest Attack on United Arab Emirates in History

By: Alan J
1 May 2024 at 08:33


The cybersecurity community is on edge after an unidentified threat actor operating under the username 'UAE' claimed responsibility for a massive data breach involving the United Arab Emirates government. In a BreachForums post, the threat actor threatened to leak the data from the alleged UAE attack unless a ransom of 150 bitcoins (about USD 9 million) was paid. The victims named in the alleged UAE attack include major UAE government bodies such as the Telecommunications and Digital Government Regulatory Authority, the Federal Authority for Nuclear Regulation, and the Executive Council of Dubai, along with key government initiatives such as Sharik.ae and WorkinUAE.ae. Various ministries are also said to be affected, including the UAE Ministry of Health and Prevention, the Ministry of Finance, and the UAE Space Agency. In the post, the threat actor claimed to have access to the personally identifiable information (PII) of various government employees, and shared a few samples that included names, emails, phone numbers, roles, and genders of top officials.

Threat Actor Shared Alleged Samples from UAE Attack

[Image: UAE attack post. Source: Dark Web (BreachForums)] The sample screenshots shared by the threat actor allegedly display internal data from several major UAE government bodies. Additionally, the threat actor claimed to have acquired the personally identifiable information (PII) of top government officials, displaying samples that list names, roles, and contact details. The threat actor's possession of the alleged samples raises concerns over the security of government personnel and the integrity of national operations. The abrupt emergence of the hacker adds complexity to the incident, casting doubt on the veracity of the claims while still indicating a potentially high-stakes scenario. The implications of such a breach, if confirmed, would be severe, potentially affecting national security, public safety, and the economic stability of the UAE. The global cybersecurity community is closely watching developments, emphasizing the need for a swift government investigation to confirm the extent of any intrusion and mitigate potential damage.

Experts Advise Caution and Skepticism Regarding UAE Attack

The hacker's emergence from obscurity, with no prior credibility or record of such activity, casts doubt over the legitimacy of the claims. Neither the UAE government nor the affected agencies have yet responded to these claims, nor has there been any independent confirmation of the breach. The Cyber Express team has reached out to the Telecommunications and Digital Government Regulatory Authority (TDRA) in Dubai for further information regarding the attacks. The extensive list of affected entities and the nature of the alleged stolen data would suggest a highly sophisticated and coordinated attack, which seems incongruent with the profile of a lone, unestablished hacker. As this story develops, it will be crucial to monitor responses from the UAE government and the cybersecurity community. It is critical for all stakeholders, including government officials and cybersecurity experts, to collaborate urgently to address this potential crisis, ensuring the protection of sensitive government data and maintaining public trust in national security measures.

USDoD Resurfaces with Alleged China Data Leak After Building New CDN Site

By: Alan J
29 April 2024 at 05:55


The threat actor USDoD claimed to have published the personally identifiable information (PII) of about 2 million members of the Communist Party of China on their new content delivery network (CDN). If the threat actor's claims are true, the alleged China data leak could hold significant consequences for the party, given its reputation for being highly secretive and restrictive about the flow of information to the outside world. The Chinese Communist Party (CCP) is the political party that has governed the People's Republic of China since 1949. The leak is said to include several fields of sensitive and identifying data that could be used to facilitate identity theft, social engineering, or targeted attacks on individuals. However, the leak remains unconfirmed and it is difficult to ascertain the veracity of the claims. There have been no official statements or responses regarding the alleged leak.

USDoD Creates New CDN to Publish Alleged China Data Leak

The alleged publication of the Communist Party of China member data on the CDN site was accompanied by related posts on X (Twitter) and BreachForums. In the BreachForums post description, USDoD claimed to have held onto the leaked data for several months and described the database as the first to be hosted on their new content delivery network (CDN). The threat actor further stated that they do not support any government, presenting the publication as a wider message and as a gesture of good faith. In a post on X (Twitter), the threat actor stated that their CDN was 'ready and operational' and had been built with the help of a 'secret friend', and that upload rights would be private and solely for their own use. The site was said to have an upload limit of 500GB per file. [Image: USDoD posts on the CDN. Source: X (Twitter)]

However, in a later post on their X account, they claimed the CDN was down after they "messed with the files". While the goals of the threat actor remain unclear, the new CDN will likely be used to host leaked files linked from posts on BreachForums, as this incident suggests. [Image: USDoD post on the CDN outage. Source: X (Twitter)]

While the breach remains unconfirmed, a Cyble researcher stated, "Our preliminary analysis indicates that this data has 2 million records from 2020 with the following data fields: ID, Name, Sex, Ethnicity, Hometown, Organization, ID card number, Address, Mobile number, Phone number and Education."

USDoD Recently Announced Retirement on BreachForums

The alleged Communist Party of China member data leak comes abruptly, as just last week the threat actor announced their retirement on BreachForums in a post about an alleged attack on Bureau van Dijk, claiming to have stolen confidential company and consumer data from the firm. However, when contacted for confirmation by The Cyber Express, a spokesman for the parent company (Moody's) appeared to refute the threat actor's earlier claims. It is unknown what persuaded the threat actor to remain and continue posting on BreachForums despite the stated intent to retire and suspend their activities.

Alleged Cyberattack on Bureau van Dijk: US Consumer Data Compromised

22 April 2024 at 08:28

Threat actor USDoD (previously known as NetSec, ScarFace_TheOne, and Scarfac33), known for earlier attacks against U.S. infrastructure and Airbus, has claimed Bureau van Dijk as its latest victim. The threat actor also claimed that the alleged attack on Bureau van Dijk would likely be his last and seemed to bid farewell to the BreachForums community. Bureau van Dijk is a leading business intelligence firm owned by Moody's Analytics. The firm offers various consumer and private-company intelligence products with a primary focus on sales, marketing, and customer support. The firm is known to maintain country-specific databases, and the threat actor was likely referring to the US variant of the consumer database. According to the post description on BreachForums, the two shared files together contain about 11.7 million lines of sensitive data.

USDoD Threat Actor Targets Bureau van Dijk in Farewell Post

In a surprising gesture, USDoD bid farewell to the BreachForums community, federal agencies and 'friends around the globe', describing his post as a way of saying goodbye. The threat actor stated that he did not expect anything further from the community, while expressing gratitude to all the people he had contacted over the years through the forums. The threat actor reiterated that he was a lone individual working alone in his activities, framing his decision to step away as a move to focus on personal life and family. The post description states that the first stolen database contains around 8.9 GB of data delivered in CSV format. The file included fields such as Last Name, First Name, Email Addresses, Priority Telephone Number, and Priority Email Address. The Cyber Express has reached out to Bureau van Dijk to verify the authenticity of the hacker's claims. However, at the time of writing, no official statement has been received, leaving the claims of the Bureau van Dijk cyberattack unverified.

US Consumer Database Included Within Threat Actor's Post

The second database included in the threat actor's post was purportedly a US consumer database stolen from the same company and appeared to include data such as First Name, Last Name, Business Email, Mobile Phone, Direct Number, Job Title, Personal Address and Company Address. The second database was also in .csv format and was stated to include about 2.8 million lines of data records. Both databases were freely available for public download through links shared in the post. The attacker previously targeted the defense contractor Thales in a data breach on March 1, 2024, involving 24 GB of data. Prior to that incident, the threat actor was responsible for the Airbus data breach on September 12, 2023. Earlier, in August 2021, while operating under the NetSec moniker, the threat actor revealed that they had obtained administrator access to several websites belonging to the U.S. Army. This attack was part of a wider individual campaign under the '#RaidAgainstTheUS' hashtag involving large-scale attacks on the U.S. Department of Defense (DoD), U.S. Army websites, and U.S. defense manufacturers.

BreachForums Down, But Not Out: Hackers Claim Attack, Admins Remain Unfazed

16 April 2024 at 09:14

The clearnet domain of the notorious BreachForums data leak and hacking forum has been taken down by rival threat actors. The threat actor group R00TK1T, along with the pro-Russian gang Cyber Army of Russia, announced a breach of user data following the BreachForums takedown. R00TK1T was previously responsible for an attack campaign targeting the Malaysian government and various private entities, including one of Malaysia's leading telecommunications operators. The hackers responsible for the attack on BreachForums also claimed that they would leak a list of the forum's users, IP addresses and emails. Despite the attack, the TOR version of the site remains operational.

Groups Claim More Surprises for Hacker Community and Active Users

[Image: BreachForums takedown announcement. Source: R00TK1TOFF Telegram channel]

R00TK1TOFF claimed on Telegram that the site 'has currently crashed due to the extent of our attack, which was executed with extreme precision and efficiency.' The DDoS campaign against the site was conducted as a joint operation of both groups. However, the BreachForums TOR address remains active and is known to implement DDoS protection. Cybersecurity firm Hackmanac claimed in a note on X (Twitter) that:
R00TK1T is known for making grand claims about significant data breaches, which more often than not turn out to be merely a collection of publicly available data. Given the group's reputation, the threat to publish the IP and email addresses is likely to be a mere republishing of user details that were leaked last year by more credible threat actors.

Baphomet Issues Statement Regarding BreachForums Take Down

Baphomet, the administrator of BreachForums, made a statement about the incident on Telegram: 'The domain is currently suspended. We're working on it. We apologize for any inconvenience.' He further advised users to access the forums via the TOR site until the issue was sorted. In a later post on Telegram, Baphomet joked that the action must have been the work of the Five Eyes network along with various other large nations 'working together to silence our forums.' He then downplayed the takedown of the .cx domain, recommending that users switch to a temporary new domain (breachforums.st).

[Image: BreachForums takedown statement. Source: Baphomet Official Telegram channel]

He stated that the .st domain would temporarily function as their main site while the admins work on 'protection over the next week that'll make these one-time suspensions less effective', while emphasizing that the TOR domain is available at all times. He then claimed that nothing had been 'seized, hacked, or even reasonably attacked', noting that while their site might experience DDoS attacks and downtime, it would always come back. He advised users to be patient while thanking the community for its patience with such incidents. R00TK1T later responded in its own channel that Baphomet was denying the attacks and that, together with the Cyber Army of Russia, it would 'unleash a torrent of chaos that will leave you (Baphomet) reeling.' BreachForums has faced a series of troubles in recent times, including the arrest of its former owner Conor Brian Fitzpatrick (pompompurin), followed by an official seizure of the site by the Federal Bureau of Investigation (FBI) in cooperation with several U.S. agencies. The FBI stated in an affidavit that at the time of the seizure, it had access to the BreachForums database.
A forum administrator operating under the screen name "Baphomet" took ownership of the website and its operations after the arrest of Fitzpatrick. The site was temporarily shut down after Baphomet suspected that the forum was still compromised. However, Baphomet later reopened the forum to the public with the aid of the black-hat hacking group ShinyHunters. ShinyHunters was previously responsible for several large-scale data breach attacks, obtaining about 200 million records of stolen data from various companies.