{
	"id": "c58b4df0-ab21-460e-adbf-23c5c8b30ccd",
	"created_at": "2026-04-06T15:53:00.320658Z",
	"updated_at": "2026-04-10T13:12:48.267224Z",
	"deleted_at": null,
	"sha1_hash": "0361bb7c9a12e2689a1f6e838a41074f34823363",
	"title": "FBI seize BreachForums hacking forum used to leak stolen data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1146198,
	"plain_text": "FBI seize BreachForums hacking forum used to leak stolen data\r\nBy Lawrence Abrams\r\nPublished: 2024-05-15 · Archived: 2026-04-06 15:27:20 UTC\r\nThe FBI has seized the notorious BreachForums hacking forum that leaked and sold stolen corporate data to other\r\ncybercriminals.\r\nThe seizure occurred on Wednesday morning, soon after the site was used last week to leak data stolen from a Europol law\r\nenforcement portal.\r\nThe website is now displaying a message stating that the FBI has taken control over it and the backend data, indicating that\r\nlaw enforcement seized both the site's servers and domains.\r\nhttps://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\n\"This website has been taken down by the FBI and DOJ with assistance from international partners,\" reads the seizure\r\nmessage.\r\n\"We are reviewing this site's backend data. If you have information to report about cyber criminal activity on BreachForums,\r\nplease contact us,\" continues the seizure banner.\r\nThe seizure message also shows the two forum profile pictures of the site's administrators, Baphomet and ShinyHunters,\r\noverlaid with prison bars.\r\nIf law enforcement has gained access to the hacking forum's backend data, as they claim, they would have email addresses,\r\nIP addresses, and private messages that could expose members and be used in law enforcement investigations.\r\nThe FBI has also seized the site's Telegram channel and other channels owned by Baphomet, with law enforcement sending\r\nmessages stating it is under their control.\r\nSome of the messages posted to the seized Telegram channels by law enforcement came directly from Baphomet's account,\r\nlikely indicating that the threat actor was arrested and his devices are now in the hands of law enforcement.\r\nSeized BreachForums Telegram channel\r\nSource: BleepingComputer\r\nIn a Telegram message shared with BleepingComputer, the threat actor known as IntelBroker is also claiming that Baphomet\r\nwas arrested in the law enforcement operation.\r\nThe FBI is requesting victims and individuals contact them with information about the hacking forum and its members to\r\naid in their investigation.\r\nThe seizure messages include ways to contact the FBI about the seizure, including an email, a Telegram account, a TOX\r\naccount, and a dedicated page hosted on the FBI's Internet Crime Complaint Center (IC3).\r\nhttps://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/\r\nPage 3 of 5\n\n\"The Federal Bureau of Investigation (FBI) is investigating the criminal hacking forums known as BreachForums and\r\nRaidforums,\" reads a dedicated subdomain on the FBI's IC3 portal.\r\n\"From June 2023 until May 2024, BreachForums (hosted at breachforums.st/.cx/.is/.vc and run by ShinyHunters) was\r\noperating as a clear-net marketplace for cybercriminals to buy, sell, and trade contraband, including stolen access devices,\r\nmeans of identification, hacking tools, breached databases, and other illegal services.\"\r\n\"Previously, a separate version of BreachForums (hosted at breached.vc/.to/.co and run by pompompurin) operated a similar\r\nhacking forum from March 2022 until March 2023. Raidforums (hosted at raidforums.com and run by Omnipotent) was the\r\npredecessor hacking forum to both version of BreachForums and ran from early 2015 until February 2022.\"\r\nThis IC3 subdomain hosts a form that victims and other individuals can use to share information about BreachForums and\r\nits members.\r\nWhen contacted by BleepingComputer about the seizure, both the FBI and the Department of Justice declined to comment.\r\nThe notorious BreachForums\r\nBreachForums was the successor of a string of hacking forums used to trade, sell, and leak stolen data, as well as sell access\r\nto corporate networks and other illegal cybercrime services.\r\nThe first of these sites was known as RaidForums, which initially launched in 2015 and became the largest site for\r\ndistributing stolen data, and was commonly used by ransomware and extortion groups.\r\nThe site was eventually seized by law enforcement, with the police arresting the owner known as \"Omnipotent\".\r\nSoon after, one of its more active members, Pompompurin, created a new forum called 'Breached' to fill the void left behind\r\nby RaidForums.\r\nThe site quickly grew in popularity and was used by thousands of members to brag about their cybercrime activities and to\r\nleak and sell stolen data.\r\nHowever, the site soon drew the ire of law enforcement after one of its members, IntelBroker, leaked the stolen data of D.C.\r\nHealth Link, a healthcare provider for U.S. House members, their staff, and their families.\r\nSoon after, Breached was seized by law enforcement, and its admin, Conor Fitzpatrick (aka Pompompurin), was arrested.\r\nOnce again, those in this cybercrime community were left without a home, so one of Breached's previous admins, known as\r\nBaphomet, teamed with ShinyHunters, a notorious seller of stolen data, to launch a new site named BreachForums.\r\nLike the other sites, BreachForums quickly became popular with stolen corporate data being leaked from new breaches,\r\nincluding those on AT\u0026T, 23andMe, Hewlett Packard Enterprise, Home Depot, Dell, PandaBuy, and The Post Millenial.\r\nToday's seizure message indicates that law enforcement has had access to the site's servers, potentially for a long time, as\r\nthey monitored threat actors' activities.\r\nHowever, the breach that went too far may have been the recent leak of data stolen from Europol's Platform for Experts\r\n(EPE) portal by a threat actor known as IntelBroker, forcing law enforcement to take action.\r\nhttps://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/\r\nhttps://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/"
	],
	"report_names": [
		"fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0263e1e1-4568-410a-a5e4-6932db1d40da",
			"created_at": "2024-06-26T02:00:04.854969Z",
			"updated_at": "2026-04-10T02:00:03.667295Z",
			"deleted_at": null,
			"main_name": "IntelBroker",
			"aliases": [],
			"source_name": "MISPGALAXY:IntelBroker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490780,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0361bb7c9a12e2689a1f6e838a41074f34823363.pdf",
		"text": "https://archive.orkl.eu/0361bb7c9a12e2689a1f6e838a41074f34823363.txt",
		"img": "https://archive.orkl.eu/0361bb7c9a12e2689a1f6e838a41074f34823363.jpg"
	}
}