BreachForums returns just weeks after FBI-led takedown

Website whack-a-mole getting worse

BreachForums is back online just weeks after the notorious dark-web marketplace for stolen data was seized by law enforcement.

Online threat hunters spotted the bazaar's resurgence, now seemingly under the control of ShinyHunters - one of the earlier BreachForums admins. The marketplace opened for registration on Tuesday.

The BreachForums website and Telegram channel takedown happened on May 15 with both displaying warnings that they were now "under the control of the FBI."  Additionally, the souk, where ransomware operators and other miscreants trade pilfered information, showed profile pics of admins Baphomet and ShinyHunters behind bars, which several infosec spectators took to mean that both had been cuffed.

While Baphomet's Telegram channel was also seized, and that site administrator was reportedly arrested, the ShinyHunters crew claimed to escape unscathed, bragging that none of its members were arrested. 

ShinyHunters reportedly regained access to the crime market's surface web site and a new dark-web domain just a day after the FBI takedown, according to Hackread.com, which interviewed ShinyHunters and published their account of wrestling control of the domains back from law enforcement. 

Meanwhile, there has been no official statement from the US Department of Justice or the FBI about the takedown — which is unusual, compared to other high-profile cybercrime busts over the past couple of years. The FBI declined to comment about the earlier seizures, or the reemergence of BreachForums.

This particular dark-web souk has been an ongoing thorn in the side for police over the past couple of years, with BreachForums taking over after a similar operation shut down RaidForums in 2022.

Cops seized an earlier version of BreachForums in June 2023. Its former admin Conor Brian Fitzpatrick (aka "Pompourin") was arrested and then sentenced to 20 years of supervised release in January. Still, the site returned, this time with different admins, but again acting as a ransomware brokerage.

"The reconstitution of Breach Forums is not surprising," said Austin Berglas, also a former FBI agent who now works as global head of professional services at BlueVoyant. 

"Complete dismantlement of an online, organized criminal group is extremely difficult. Ensuring that all personnel with access are in custody and offline, identifying and seizing critical infrastructure to include the removal of the entire financial, technical, and communication network is necessary to dismantle and severely limit the ability to reconstitute," he told The Register.

Berglas is a former assistant special agent in charge of the FBI's New York Office Cyber Branch, and during his tenure the bureau dismantled LulzSec, a group linked to Anonymous, and arrested its leader Sabu in June 2011.

He was also involved in the FBI's shutdown of the Silk Road drug market in 2013.

"Although law enforcement may seize the primary domain(s) and related servers, there may be unidentified backup servers and domains which can be operationalized if needed, or previously unidentified individuals that may have administrative or technical access that can be used after a seizure or takedown," Berglas added.

However, the earlier action against BreachForums is "still a success," he opined. "Disrupting a major illegal forum for any period of time should serve as a significant deterrent to cyber criminals and demonstrate that, given the appropriate time and resources, organized crime perpetrated against citizens can be uncovered and will be addressed."

How much of a disruption — and how much a hit to the criminals' ability to profit from pilfered data and extortion attempts — remains to be seen. ®

More about

TIP US OFF

Send us news


Other stories you might like