{
	"id": "238f9e65-5f63-4fa3-9246-b36ca228b0a4",
	"created_at": "2026-04-06T00:22:04.39824Z",
	"updated_at": "2026-04-10T03:34:59.478998Z",
	"deleted_at": null,
	"sha1_hash": "db24d94a8891700a7ad0ebfe03ce21efb08bb053",
	"title": "BreachForums Returns Just Weeks After FBI Seizure - Honeypot or Blunder?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 250485,
	"plain_text": "BreachForums Returns Just Weeks After FBI Seizure - Honeypot\r\nor Blunder?\r\nBy The Hacker News\r\nPublished: 2024-05-29 · Archived: 2026-04-05 16:30:08 UTC\r\nThe online criminal bazaar BreachForums has been resurrected merely two weeks after a U.S.-led coordinated law\r\nenforcement action dismantled and seized control of its infrastructure.\r\nCybersecurity researchers and dark web trackers Brett Callow, Dark Web Informer, and FalconFeeds revealed the\r\nsite's online return at breachforums[.]st – one of the dismantled sites – by a user named ShinyHunters, who has\r\nsince offered for sale a 1.3 TB database containing details of allegedly 560 million Ticketmaster customers for\r\n$500,000.\r\nThis includes full names, addresses, email addresses, phone numbers, ticket sales and event information, and the\r\nlast four digits of credit cards and their associated expiration dates.\r\nHowever, in an interesting twist, visitors of the site are now being asked to sign up for an account in order to view\r\nthe content.\r\nhttps://thehackernews.com/2024/05/breachforums-returns-just-weeks-after.html\r\nPage 1 of 3\n\nThe development follows a joint law enforcement action that seized all the new domains belonging to\r\nBreachForums (breachforums[.]st/.cx/.is/.vc), while also hinting that the site administrators Baphomet and\r\nShinyHunters may have been arrested.\r\nThe operation also resulted in the seizure of the Telegram channel operated by Baphomet, with the U.S. Federal\r\nBureau of Investigation (FBI) noting that it's reviewing the site's backend data.\r\nIt's not currently clear if the individual(s) using the ShinyHunters persona on BreachForums is the original\r\nShinyHunters hacker. 
Also unknown is how they came to be in possession of one of the clearnet sites\r\nseized by the FBI, although Hackread.com reported that they reclaimed the domain from domain registrar\r\nNiceNIC.\r\nHowever, the possibility that it may be a honeypot has not been lost on members of the cybersecurity\r\ncommunity.\r\nBreachForums emerged in March 2022 in the aftermath of the shutdown of RaidForums and the arrest of its owner\r\n\"Omnipotent.\" It was dismantled in mid-June 2023, after which it was revived by Baphomet and ShinyHunters to\r\nlaunch a new site under the same name.\r\nBoth the U.S. Department of Justice (DoJ) and the FBI have yet to comment on the takedown, or the re-emergence\r\nof the forum for that matter.\r\nTicketmaster Confirms Breach\r\nTicketmaster's parent Live Nation confirmed on May 31, 2024, that it suffered a breach after its data was stolen\r\nfrom a third-party cloud database environment. Although the name of the provider was not disclosed, it's\r\nsuspected to be Snowflake, based on a report published by Hudson Rock.\r\nThe Israeli cybersecurity firm said that a Snowflake employee's ServiceNow credentials were stolen via a Lumma\r\nStealer campaign on October 5, 2023, allowing the threat actors to gain access to the employee's ServiceNow\r\naccount in a manner that bypassed two-factor authentication (2FA) protections.\r\n\"Info-stealer infections as a cybercrime trend surged by an incredible 6,000% since 2018, positioning them as the\r\nprimary initial attack vector used by threat actors to infiltrate organizations and execute cyberattacks, including\r\nransomware, data breaches, account overtakes, and corporate espionage,\" Hudson Rock said.\r\nIt further said that the credentials were used by the threat actors behind the attack to break into other companies,\r\nincluding Santander. 
Earlier this month, the bank confirmed it had been compromised, and said it affected\r\ncustomers of Santander Chile, Spain, and Uruguay.\r\nSnowflake has since acknowledged that it's \"investigating an increase in cyber threat activity targeting some of\r\nour customers' accounts\" and that it became aware of unauthorized access on May 23, 2024. The malicious activity is\r\nsaid to have commenced around mid-April 2024.\r\nThe company said it has also notified all customers, urging them to review their account settings and enable 2FA\r\nto secure their data. It, however, refuted assertions that the activity was caused by any vulnerability,\r\nmisconfiguration, or breach of the product.\r\nThat said, Snowflake noted that a former employee's demo account was accessed through stolen credentials, but\r\nsaid it did not contain sensitive data. Nor is it connected to any production or corporate systems, it added.\r\n(The story was updated after publication to include information about the Ticketmaster breach.)\r\nSource: https://thehackernews.com/2024/05/breachforums-returns-just-weeks-after.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2024/05/breachforums-returns-just-weeks-after.html"
	],
	"report_names": [
		"breachforums-returns-just-weeks-after.html"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434924,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db24d94a8891700a7ad0ebfe03ce21efb08bb053.pdf",
		"text": "https://archive.orkl.eu/db24d94a8891700a7ad0ebfe03ce21efb08bb053.txt",
		"img": "https://archive.orkl.eu/db24d94a8891700a7ad0ebfe03ce21efb08bb053.jpg"
	}
}