Threat Actor USDoD Announces Creation of 'Breach Nation', Following BreachForums Take Down

By: Alan J
17 May 2024 at 07:22

USDoD Announces Creation Of BreachNation

The recent takedown of BreachForums by the FBI, in collaboration with international law enforcement agencies, marked a significant victory against cybercrime. Yet less than 24 hours after this major blow, the well-known threat actor USDoD announced plans to resurrect the forum's community, demonstrating the relentless nature of the cyber underworld. BreachForums had long been a central marketplace for cybercriminals, facilitating the trade of stolen data and hacking tools. Its sudden removal from the dark web was a monumental achievement for law enforcement, akin to dismantling a major illicit market. However, the cybercriminal community's response was swift and defiant: ShinyHunters, one of the remaining administrators, allegedly claimed just a day later that the site's domain itself had been recovered. Alongside the possible domain recovery, USDoD separately pledged to rebuild and improve upon BreachForums through a new competing forum, promising a new beginning for the infamous community.

USDoD Announces Creation of Breach Nation Forum

In a bold statement following the takedown, USDoD assured the community that he had already been working on rebuilding BreachForums, promising that the forum's legacy and user data would be preserved. He emphasized his dedication to creating a new community, presenting the takedown not as the end but as an opportunity for a fresh start.

(Image: USDoD's announcement. Source: X.com, @EquationCorp)

His announcement also detailed the allocation of resources and infrastructure to support the new forum. The new domains, breachnation.io and databreached.io, are set to launch on July 4, 2024, symbolically coinciding with Independence Day. This new community, dubbed "Breach Nation," aims to offer enhanced features and security.

(Image: USDoD on the creation of BreachNation. Source: X.com, @EquationCorp)

USDoD's vision for BreachForums 3.0 includes robust infrastructure, with separate servers to ensure optimal performance and security. He has assured the community that he is not driven by profit and aims to offer an upgraded member rank to the first 200,000 users as a token of goodwill. He acknowledged the challenges ahead, including potential opposition from law enforcement as well as possible competition from the BreachForums administrator ShinyHunters. He also addressed concerns about compromise within the forum's administration, stating that he would initially manage it alone to ensure security and build trust.

USDoD's Earlier Activities

USDoD's bold promise to create the new Breach Nation forum highlights the persistence of the cybercriminal underworld. The threat actor is a notable figure in the cybercriminal community and was previously known as NetSec on RaidForums. USDoD is known to employ sophisticated social engineering and impersonation techniques to penetrate secure systems. His activities included exposing data related to several high-profile organizations such as InfraGard, Airbus, the U.S. Army, NATO Cyber Center, and CEPOL. He also claimed responsibility for alleged data leaks from the defense contractor Thales as well as the Communist Party of China. A newer CDN created by USDoD was first publicized around the same time as the alleged China data leak; this CDN is stated to be incorporated into the new domain's infrastructure and appears to be being reworked and shifted to a new domain.

(Image: BreachForums and the creation of BreachNation. Source: X.com, @EquationCorp)

While the potential impact of the new forum remains unclear, it may be a key development to watch in the ongoing struggle between law enforcement and cybercrime in the aftermath of the BreachForums domain seizure.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

USDoD Resurfaces with Alleged China Data Leak After Building New CDN Site

By: Alan J
29 April 2024 at 05:55

Alleged China Data Leak

The threat actor USDoD claimed to have published the Personally Identifiable Information (PII) of about 2 million members of the Communist Party of China on their new content delivery network (CDN). If the threat actor's claims are true, the alleged China data leak might hold significant consequences for the party, given its reputation for being highly secretive and restrictive with regard to the flow of information to the outside world. The Chinese Communist Party (CCP) is the political party responsible for leading modern-day China, officially known as the People's Republic of China since 1949. The leak is stated to include several types of sensitive and identifiable data that could be used to facilitate identity theft, social engineering, or targeted attacks on individuals. However, the leak remains unconfirmed and it is difficult to ascertain the veracity of the claims. There have been no official statements or responses regarding the alleged leak.

USDoD Creates New CDN to Publish Alleged China Data Leak

The alleged publication of the Communist Party of China member data leak on the CDN site was accompanied by related posts on X (Twitter) and BreachForums. In the BreachForums post description, USDoD claimed to have held onto the leaked data for several months and cited the alleged leaked database as the first to be hosted on their new content delivery network (CDN). The threat actor further stated that they do not support any government, framing the published alleged data leak as a wider message and as a gesture of good faith. In an X (Twitter) post, the threat actor stated that their CDN was 'ready and operational' and had been built with the help of a 'secret friend', while upload rights would be private and solely for their own usage. The site was stated to have an upload limit of 500GB per file.

(Image: Communist Party of China member data leak, first post. Source: X/Twitter)

(Image: Communist Party of China member data leak, second post. Source: X/Twitter)

However, in a later post on their X account, they claimed the CDN was down after they messed with the files. While the goals of the threat actor remain unclear, the new CDN will likely be used to upload and link leaked files to be shared in posts on BreachForums (as suggested by this incident).

(Image: Communist Party of China member data leak, third post. Source: X/Twitter)

While the breach remains unconfirmed, a Cyble researcher stated, "Our preliminary analysis indicates that this data has 2 million records from 2020 with the following data fields: ID, Name, Sex, Ethnicity, Hometown, Organization, ID card number, Address, Mobile number, Phone number and Education."

USDoD Recently Announced Retirement on BreachForums

The alleged Communist Party of China member data leak comes abruptly, as just last week the threat actor announced retirement on BreachForums in a post about an alleged attack on Bureau van Dijk, claiming to have stolen confidential company and consumer data from the firm. However, after The Cyber Express reached out for confirmation, a spokesman from the parent company (Moody's) seemingly refuted the threat actor's earlier claims. It is unknown what persuaded the threat actor to remain and continue making posts on BreachForums despite the stated intent to retire and suspend activities.

Alleged Cyberattack on Bureau van Dijk: US Consumer Data Compromised

22 April 2024 at 08:28

Threat actor USDoD (previously known as NetSec, ScarFace_TheOne, and Scarfac33), known for earlier attacks against U.S. infrastructure and Airbus, has claimed Bureau van Dijk as its latest victim. The threat actor also claimed that the alleged attack on Bureau van Dijk would likely be his last and seemed to bid farewell to the BreachForums community. Bureau van Dijk is a leading business intelligence firm owned by Moody's Analytics. The firm offers various consumer and private company intelligence-related products with a primary focus on sales, marketing, and customer support. The firm is known to maintain country-specific databases, and the threat actor was likely referring to the US variant of the consumer database. The two shared files together amount to about 11.7 million lines of sensitive data, as mentioned in the post description on BreachForums.

USDoD Threat Actor Targets Bureau van Dijk in Farewell Post

In a surprising gesture, USDoD bid farewell to the BreachForums community, federal agencies and 'friends around the globe', presenting his post as a way of saying goodbye. The threat actor stated that he did not expect anything further from the community, while expressing gratitude to all the people he had contacted over the years on the forums. The threat actor reiterated that he was a lone individual working alone in his activities, framing his decision to step away as a move to focus on personal life and family. The post description describes the first stolen database as containing around 8.9 GB of data delivered in CSV format. The file included fields such as Last Name, First Name, Email Addresses, Priority Telephone Number, and Priority Email Address. The Cyber Express has reached out to Bureau van Dijk to verify the authenticity of the hacker's claims. However, at the time of writing, no official statement has been received, leaving the claims of the Bureau van Dijk cyberattack unverified.

US Consumer Database Included Within Threat Actor's Post

The second database included in the threat actor's post was purportedly a US consumer database stolen from the same firm and seemed to include data such as First Name, Last Name, Business Email, Mobile Phone, Direct Number, Job Title, Personal Address and Company Address. The second database was also in .csv format and was stated to include about 2.8 million lines of data records. Both databases were freely available for public download through links shared in the post. The attacker previously targeted the defense contractor Thales in a data breach on March 1, 2024 involving 24 GB of data. Prior to that incident, the threat actor was responsible for the Airbus data breach on September 12, 2023. Earlier, in August 2021, while operating under the NetSec moniker, the threat actor revealed that they had obtained administrator access to several websites belonging to the U.S. Army. This attack was part of a wider individual campaign under the '#RaidAgainstTheUS' hashtag involving large-scale attacks on the U.S. Department of Defense (DoD), U.S. Army websites, and U.S. defense manufacturers.