BreachForums
BreachForums was an English-language cybercrime forum that operated as a marketplace for the buying, selling, and free distribution of stolen data compromised in hacks targeting corporations, governments, and individuals, positioning itself as the primary successor to the FBI-seized RaidForums.[1][2][3] Launched on March 16, 2022, by administrator Conor Brian Fitzpatrick under the pseudonym "pompompurin," the platform quickly scaled to more than 330,000 registered users by attracting former RaidForums members with incentives like preserved user rankings and roles.[2][1][3] It hosted over 888 datasets encompassing more than 14 billion personally identifiable information records, including financial details, Social Security numbers, passwords, and data from critical sectors such as telecommunications, social media, healthcare, and infrastructure protection groups like InfraGard.[2] The forum's activities facilitated widespread data extortion, tool sharing, and collaboration among threat actors, but it drew intense law enforcement scrutiny, resulting in Fitzpatrick's arrest on March 15, 2023, for conspiracy to commit access device fraud alongside possession of child sexual abuse material, prompting an initial shutdown on March 21, 2023.[3][1] Despite subsequent reopenings under new operators like "baphomet" and groups including ShinyHunters and IntelBroker, BreachForums endured further seizures by the FBI in May 2024 and October 2025, in coordination with international authorities, underscoring its persistent role in underground cybercriminal ecosystems.[1] Fitzpatrick pleaded guilty to the charges and was resentenced in September 2025 to three years in federal prison, with forfeiture of domains, devices, and cryptocurrency proceeds derived from the forum's operations.[2]
Origins and Launch
Predecessor Context: RaidForums Shutdown
RaidForums operated as a prominent English-language forum where cybercriminals shared and traded stolen data, hacking tools, and credentials, facilitating activities such as data breaches and extortion.[4] The platform's infrastructure was seized by international law enforcement in early 2022 as part of Operation TOURNIQUET, a coordinated effort led by the United States Department of Justice, Federal Bureau of Investigation, and partners including the UK's National Crime Agency, Sweden's Security Service, and authorities in Romania.[5][4] The seizure was publicly announced on April 12, 2022, with the site's domain displaying a law enforcement notice confirming the takedown.[6] The operation resulted in the arrest of RaidForums' founder and administrator, Diogo Santos Coelho, a 23-year-old British national known online as "Omnipotent," who was detained in the UK on February 18, 2022, and later extradited to the United States.[5] Coelho pleaded guilty in 2023 to charges including conspiracy to commit access device fraud and aggravated identity theft, stemming from his role in operating the forum and personally hacking victims to obtain data for sale.[7] He was initially sentenced to over seven years in prison in 2024 but resentenced to three years in September 2025 after a successful appeal.[7] The shutdown disrupted a key hub for illicit data trading, but it also prompted the rapid emergence of successor platforms, including BreachForums, which launched in March 2022 to fill the void left by RaidForums' users and activities.[7][8]
Founding and Early Development (2022)
BreachForums was established on March 16, 2022, by Conor Brian Fitzpatrick, a resident of Peekskill, New York, who operated under the online alias "pompompurin."[1] The forum emerged as a direct successor to RaidForums, an English-language hacking site seized by U.S. law enforcement in February 2022 following an FBI-led operation that resulted in the arrest of its founder, Diogo Santos Coelho (known as "Diogo").[9][8] Unlike its predecessor, BreachForums was initially hosted on the clear web, facilitating easier access for users sharing and trading compromised data, malware tools, and hacking discussions.[10] In its early months, the platform experienced modest growth as it positioned itself as a marketplace for illicit data transactions, with sections dedicated to posting breached databases, credit card dumps, and extortion-related materials.[8] By mid-2022, it had begun attracting active threat actors and users displaced from RaidForums, though initial user numbers remained limited compared to later iterations, reflecting a cautious buildup amid law enforcement scrutiny.[10] Fitzpatrick, then approximately 19 years old, administered the site personally, enforcing basic rules against certain extreme content while allowing the trade of stolen personal information from corporate breaches. This period marked the forum's foundational shift toward specializing in data leaks over broader hacking topics, setting the stage for its expansion into a central hub for cybercriminal activity.[11]
Platform Operations
Technical Architecture and Features
BreachForums utilized the open-source MyBB forum software, a PHP-based platform that supported threaded discussions, user accounts, private messaging, and file attachments for uploading large datasets such as breached databases.[12] This architecture mirrored that of its predecessors, enabling structured categorization of content into dedicated sections for data leaks, credential stuffing lists, ransomware claims, and hacking tutorials.[12] The software's modularity allowed administrators to customize permissions, moderation tools, and search functionalities tailored to illicit data trading.[13] The platform maintained dual accessibility through clearnet domains and Tor hidden services (.onion addresses), with the latter providing onion routing for enhanced anonymity and resistance to censorship.[14][15] Tor integration relied on backend servers configured to handle hidden service descriptors, allowing users to access the forum via the Tor Browser without exposing IP addresses.[16] Clearnet mirrors facilitated easier access for non-Tor users but were vulnerable to domain seizures, as evidenced by multiple takedowns.[15] Key features included optional user verification for trusted status, which unlocked marketplace privileges for buying and selling stolen data, tools, and services, while basic registration permitted anonymous browsing and posting.[16] The forum supported multimedia embeds, reputation systems based on post activity, and announcement boards for administrative updates, fostering a community-driven ecosystem for threat actor collaboration.[17] However, reliance on MyBB exposed the platform to known vulnerabilities, including zero-day exploits that compromised user data in incidents like the April 2025 outage.[13]
User Community and Content Moderation
BreachForums attracted a diverse user base centered on cybercriminals, including initial access brokers, data traders, and hackers specializing in breaches and exploits. The forum's English-language interface and focus on illicit data markets drew over 340,000 registered members by mid-2023, with many migrating from the shuttered RaidForums.[17][18] Users engaged in posting compromised datasets, credential dumps, hacking tools, and services like ransomware access, often verifying leaks through samples to build trust in transactions. While the community emphasized practical cybercrime operations, a subset included security professionals passively monitoring for threat intelligence, though active participation risked legal exposure.[12][1] Content moderation relied on a team of administrators and volunteer staff to enforce rules prioritizing member protection and transaction integrity over ethical constraints. Core prohibitions barred malware distribution targeting users, doxxing or sharing personal details of members, child sexual abuse material, and unauthorized redistribution of premium or hidden content, with violations triggering permanent bans.[19] Harassment, begging for promotions, or disrespecting staff also warranted warnings or expulsion, while civil discussions on breaches and tools were permitted to sustain forum utility. Advertising confined to specific sections, adult content tagged and isolated in NSFW areas, and direct links without shorteners or surveys ensured operational hygiene, reducing scams that could erode user confidence.[19][20] Enforcement mechanisms included user reporting systems, where frivolous submissions risked penalties, and staff curation of disputes to maintain credible listings amid high-volume posts.[19][17] Assisting rule-breakers implicated accomplices in penalties, fostering self-policing within the community.
These policies, while curbing internal fraud, imposed few limits on external harms like victim data sales, enabling the forum's role as a hub for over 800 datasets encompassing billions of records. Later iterations introduced revamped moderation to reassure returning users post-disruptions, but core allowances for cybercrime facilitation persisted.[13][18]
Cybersecurity Implications
Facilitation of Illicit Data Trade and Extortion
BreachForums operated as a prominent online marketplace where cybercriminals traded stolen data, including breached databases, login credentials, and personal information harvested from hacks. Users frequently posted "data dumps" containing millions of records, such as email addresses, passwords, and financial details, either for free distribution to build reputation or for direct sale through auctions and fixed-price listings. For instance, in February 2025, threat actors advertised 20 million compromised OpenAI user accounts on the forum, offering stolen credentials for purchase to enable further account takeovers and fraud.[21] These transactions often involved cryptocurrencies, with vendors providing samples to verify data authenticity before full payment, facilitating a supply chain for initial access brokers and fraudsters.[22] The platform's structure encouraged competitive trading, with dedicated sections for categories like "Databases," "Credentials," and "Leaks," where sellers competed on volume and freshness of data—such as records from recent retail or healthcare breaches—to attract buyers ranging from lone hackers to organized groups. Cybersecurity analyses noted that this ecosystem lowered barriers for downstream crimes, as purchased data enabled phishing, identity theft, and ransomware entry points, with forums like BreachForums serving as hubs for verifying and monetizing breaches that might otherwise remain undetected.[22] By March 2023, prior to its initial shutdown, the site hosted threads for selling access to over 100 terabytes of corporate data, underscoring its scale in amplifying the economic value of illicit acquisitions.[3] Extortion activities on BreachForums typically involved threat actors posting partial victim datasets to coerce payments, leveraging the forum's audience for maximum pressure and proof-of-breach dissemination. 
Ransomware affiliates and data extortion groups, such as ShinyHunters, used dedicated leak threads to threaten full data releases unless ransoms were paid, often targeting enterprises like Salesforce customers whose records—exceeding one billion in volume—were siphoned via vishing and traded or leaked starting in early 2025.[23][24] In these schemes, actors like ShinyHunters collaborated with affiliates (e.g., Scattered Spider) to auction access or demand payments in Bitcoin, with forum posts serving as public shaming tools to escalate urgency; for example, October 2025 threats against Salesforce victims explicitly used BreachForums domains for leak announcements, prompting immediate data dumps when demands went unmet.[15] This model mirrored broader trends where forums amplified extortion by providing verifiable leak platforms, distinct from private negotiations, and enabled groups to monetize non-encrypted data thefts that bypassed traditional ransomware encryption.[2]
Contributions to Threat Intelligence and Breach Exposure
BreachForums served as a centralized platform where threat actors frequently posted stolen datasets from high-profile breaches, enabling cybersecurity researchers and threat intelligence teams to monitor and analyze emerging risks in real time. Security firms, including those specializing in dark web intelligence, routinely scraped the forum for indicators of compromise, such as exposed credentials, internal documents, and victim lists, which could alert organizations to undetected intrusions before public disclosure. For instance, groups like ShinyHunters utilized the site to advertise and partially leak data from incidents involving entities such as Twitter (now X) in early 2022 and subsequent targets, providing raw material for verifying breach authenticity and assessing damage scope.[25][1] This exposure mechanism inadvertently accelerated breach notifications and mitigation efforts, as companies often learned of their compromises through forum postings rather than internal detection alone. Cybersecurity reports highlight cases where monitoring BreachForums led to proactive credential resets and forensic investigations; for example, educational institutions identified leaks of K-12 student directories posted by actors like "Mud," prompting immediate security enhancements.[26] Threat intelligence providers emphasized that such forums offered visibility into actor ecosystems, including sales of access brokers' tools and ransomware payloads, aiding in the development of behavioral profiles and predictive defenses.[27][28] Beyond raw data dumps, the forum's discussions contributed to understanding cybercriminal methodologies, with threads detailing exploitation techniques and victim reconnaissance that informed broader industry threat modeling. Providers like SOCRadar noted the value in tracking actor migrations and tool evolutions post-seizures, as centralized platforms like BreachForums simplified aggregation compared to fragmented channels. 
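The monitoring workflow described above, in which a threat intelligence team checks a credential dump posted to such a forum against its own accounts and triggers resets, is illustrated by the following added example. It is not code from the article or from any of the firms it cites: the combolist, the user store, the monitored domains and the PBKDF2 parameters are all constructed, and a real deployment would read the dump from a collection feed and the hashes from the organisation's identity provider.

```python
"""Match a leaked 'email:password' combolist against an organisation's user store.

Added example, not from the article. Every value below is constructed:
the dump, the monitored domains and the user store are test data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Domains the organisation watches for in leak postings (constructed).
MONITORED_DOMAINS = {"example.com", "corp.example.com"}

# Constructed sample of a combolist as it might be pasted into a leak thread.
# Real dumps are messier; the parser tolerates comments, blanks and junk lines.
SAMPLE_DUMP = """
# combolist sample (constructed)
alice@example.com:Summer2024!
BOB@Corp.Example.com:hunter2
carol@other.org:letmein
dave@example.com:wrong-guess
malformed line without separator
eve@example.com:Summer2024!
"""

PBKDF2_ITERATIONS = 100_000  # assumed; stands in for the real store's settings


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the organisation's password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user_store(plaintext_passwords: dict) -> dict:
    """Build a constructed store {email: (salt, hash)} from test passwords."""
    store = {}
    for email, pw in plaintext_passwords.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(pw, salt))
    return store


def parse_dump(text: str):
    """Yield (email, password) pairs from a combolist, skipping junk lines.

    Splits on the first ':' only, so passwords containing ':' survive.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, _, password = line.partition(":")
        email = email.strip().lower()
        if "@" not in email:
            continue
        yield email, password


@dataclass
class LeakReport:
    force_reset: list = field(default_factory=list)       # current password is in the dump
    notify_only: list = field(default_factory=list)       # listed, but password no longer matches
    unknown_accounts: list = field(default_factory=list)  # our domain, no such user


def check_dump(dump_text: str, user_store: dict, monitored_domains: set) -> LeakReport:
    """Classify each monitored-domain entry in the dump for the response team."""
    report = LeakReport()
    seen = set()  # first occurrence of an address wins; dumps repeat lines
    for email, password in parse_dump(dump_text):
        domain = email.rsplit("@", 1)[1]
        if domain not in monitored_domains or email in seen:
            continue
        seen.add(email)
        if email not in user_store:
            report.unknown_accounts.append(email)
            continue
        salt, stored = user_store[email]
        # Constant-time comparison of the recomputed hash against the stored one.
        if hmac.compare_digest(hash_password(password, salt), stored):
            report.force_reset.append(email)
        else:
            report.notify_only.append(email)
    return report


def run_example() -> LeakReport:
    """Run the check over the constructed dump and a constructed user store."""
    store = make_user_store({
        "alice@example.com": "Summer2024!",
        "bob@corp.example.com": "hunter2",
        "dave@example.com": "Correct-Horse-Battery",
    })
    return check_dump(SAMPLE_DUMP, store, MONITORED_DOMAINS)


if __name__ == "__main__":
    result = run_example()
    print("force reset:", result.force_reset)
    print("notify only:", result.notify_only)
    print("unknown accounts:", result.unknown_accounts)
```

Accounts whose leaked password still verifies against the store are the urgent ones: the credential is live and should be reset and its sessions revoked. Entries that no longer verify, or that name addresses the organisation does not recognise, are still worth a notification, since the same person may reuse that password elsewhere.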
However, this intelligence utility depended on ethical monitoring practices, as unrestricted access risked aiding criminals; reputable firms prioritized passive observation to avoid direct engagement.[29][30]
Controversies
Accusations of Enabling Cybercrime
BreachForums has faced repeated accusations from U.S. law enforcement agencies of functioning as a primary marketplace that enabled cybercrime by allowing users to buy, sell, and trade stolen personal data, hacking tools, and credentials obtained through breaches.[9] The U.S. Department of Justice (DOJ) specifically alleged that the platform, launched in March 2022 as a successor to the seized RaidForums, attracted over 300,000 users who facilitated the distribution of databases containing millions of records, including bank account details, credit card numbers, and Social Security information from high-profile victims.[31][2] These activities were said to directly contribute to downstream crimes such as identity theft, financial fraud, and extortion campaigns, with forum sections dedicated to verifying and auctioning breach data to maximize its illicit value.[15] For instance, in January 2023, users advertised tens of thousands of stolen healthcare records from Nonstop Health on the site, including sensitive patient data like Social Security numbers, a posting for which an administrator later faced a $700,000 fine over the lax moderation that enabled it.[32] Law enforcement contended that the forum's structure, including vendor shops and data validation services, lowered barriers for novice cybercriminals to exploit leaked information, thereby amplifying the economic impact of initial hacks.[33] Accusations intensified around specific threat actors like ShinyHunters, who leveraged BreachForums domains in 2025 to host extortion sites for stolen Salesforce customer data, threatening to release records unless ransoms were paid.[15][24] The FBI described the platform as a "major criminal marketplace" that supported groups such as ShinyHunters, Baphomet, and IntelBroker in trafficking data and coordinating attacks, leading to multiple domain seizures in May 2024, August 2025, and October 2025.[34][35] Federal prosecutors argued that operators like founder Conor Fitzpatrick knowingly profited from these operations, with the site's resilience after relaunches perpetuating a cycle of data monetization that fueled ransomware groups and phishing operations.[2]
Perspectives on Information Freedom and Vigilantism
Monitoring BreachForums and similar platforms provides cybersecurity teams with actionable threat intelligence, as leaked datasets often reveal ongoing or undetected compromises before official notifications. Security firms emphasize that scanning such forums enables early detection of stolen credentials, customer records, and internal documents, allowing organizations to implement countermeasures like password resets or forensic investigations.[28][29] For instance, posts detailing breaches have alerted companies to vulnerabilities exploited by groups like ShinyHunters, who dumped data from entities including Microsoft and AT&T on the forum between 2023 and 2025.[24] Proponents of information freedom argue that restricting access to these forums stifles transparency in an ecosystem where corporations underreport incidents to avoid reputational damage or regulatory scrutiny. By facilitating the public dissemination of breached data, platforms like BreachForums compel entities to address systemic weaknesses, such as inadequate encryption or access controls, that persist due to profit motives over security. This view holds that once data is compromised—often through preventable lapses—the unrestricted sharing aligns with principles of open information, empowering individuals and researchers to verify exposures independently rather than relying on delayed corporate disclosures. Cybersecurity analysts have noted that such forums act as "early warning systems" for threats, with monitoring yielding insights into actor tactics that inform defensive strategies across industries.[36][25] Vigilantism emerges in defenses of actors who leverage BreachForums to release data without ransom payments, positioning dumps as punitive measures against negligent organizations. 
Hackers affiliated with the platform, including those relaunching versions post-seizure, have invoked free speech rationales to justify operations, claiming they expose elite networks' failures while evading censorship. For example, ShinyHunters' 2025 relaunch of BreachForums v4 framed it as a venue resistant to monitoring mandates, arguing that suppressing leak sites hinders accountability for breaches affecting millions, such as the Salesforce campaign involving over 400 organizations.[37] However, this self-styled vigilantism overlooks collateral risks, including identity theft for non-culpable victims, and prioritizes unauthorized exposure over legal channels like vulnerability disclosures. Empirical data from forum activity shows dumps often follow failed extortions rather than pure ethical imperatives, with over 100 major leaks documented from 2022 to 2025 blending profit and purported public interest.[15][1] Critics within the security community, while acknowledging intel value, contend that the forum's structure incentivizes further breaches by providing markets for stolen goods, undermining any net benefit from vigilance. Law enforcement disruptions, including the FBI's October 10, 2025, seizure of domains tied to Salesforce extortion, highlight how such platforms aggregate harms exceeding isolated exposures. Nonetheless, the persistence of mirrors and Telegram migrations post-takedown underscores a resilient viewpoint that information freedom outweighs containment efforts in a decentralized threat landscape.[38][39]
Legal Interventions
2023 Founder Arrest and Domain Seizure
On March 24, 2023, Conor Brian Fitzpatrick, a 20-year-old resident of Peekskill, New York, who operated under the online alias "Pompompurin," was arrested by U.S. federal authorities on charges related to his role as founder and administrator of BreachForums.[9] He faced a one-count criminal complaint for conspiracy to commit access device fraud, stemming from the forum's function as a marketplace where cybercriminals bought, sold, and traded stolen personal data, login credentials, and tools for unauthorized access.[40] The arrest disrupted initial operations, leading to a temporary shutdown of the site, though community members quickly relaunched it under new administrative oversight.[29] Fitzpatrick's platform had succeeded RaidForums, which he acquired after its 2022 seizure by authorities, and emphasized structured categories for data leaks, extortion services, and hacking tutorials, attracting over 150,000 members by early 2023.[9] Federal investigators highlighted the forum's role in enabling real-world harms, such as identity theft and ransomware extortion, through the dissemination of millions of compromised records from corporate breaches.[9] Following his arrest, Fitzpatrick was released on bail posted by his parents, but the case underscored law enforcement's focus on forum operators as key enablers of cybercrime ecosystems.[41] Three months later, on June 23, 2023, the FBI, in coordination with international partners, seized the clearnet domains associated with the relaunched BreachForums, replacing the site's content with an official seizure banner.[29][25] This action targeted the forum's primary accessible web presence, aiming to interrupt ongoing illicit data trading amid heightened scrutiny of platforms hosting breach announcements and extortion demands.[34] The seizure followed the forum's resurgence post-arrest, during which it continued to host leaks from high-profile incidents, but did not immediately affect Tor-hidden services or mirrors used by users to evade restrictions.[29] The June operation reflected a pattern of targeted disruptions against English-language hacking forums, building on prior takedowns like RaidForums, and involved forfeiture of domains linked to Fitzpatrick's activities, though the forum's decentralized user base and backup infrastructures allowed for partial continuity via alternative access points.[25][42]
2024 International Law Enforcement Operation
On May 15, 2024, the United States Federal Bureau of Investigation (FBI), in coordination with international law enforcement partners, seized the clearnet domain of BreachForums, displaying a government seizure notice on the site.[34][43] This operation targeted the forum's infrastructure, which had been relaunched approximately a year earlier by administrator "Baphomet" in partnership with the hacking collective ShinyHunters after the prior 2023 disruption.[34][12] The seizures encompassed not only the primary domain but also the forum's official Telegram channel and a secondary channel operated by Baphomet.[34][44] Law enforcement actions disrupted access to these platforms, which facilitated the trading of stolen data, hacking tools, and related services among over 150,000 registered users.[44] While underground discussions speculated on Baphomet's potential arrest, no official announcements from U.S. or partner agencies confirmed such an outcome during the operation.[12] The disruption proved temporary, as forum operators regained control of the domain within hours using its Emergency Provider Portability (EPP) code, enabling a reboot under continued administration by ShinyHunters.[12] By mid-June 2024, BreachForums had reinstated operations at its original domain, underscoring the challenges in permanently dismantling decentralized cybercrime platforms reliant on dark web mirrors and resilient administrative networks.[12] This event represented the second major U.S.-led intervention against the forum within 12 months, highlighting ongoing efforts to interrupt illicit data markets without fully eradicating their underlying ecosystem.[34]
2025 MyBB Zero-Day Infiltration and Admin Arrests
In April 2025, BreachForums administrators announced that the forum had been compromised through a suspected zero-day vulnerability in the MyBB forum software, prompting a voluntary shutdown to prevent further law enforcement access.[45][46] The incident, detected around April 15, 2025, involved trusted sources alerting admins to an infiltration attempt attributed to global law enforcement agencies, leading to the site's inaccessibility and data preservation measures.[47][1] While administrators publicly blamed a MyBB-specific exploit for enabling unauthorized access to administrative functions, no independent verification of the zero-day's existence or its exploitation by authorities has been disclosed by involved agencies.[48] The infiltration heightened operational risks for forum operators, resulting in the leak of management credentials and infrastructure details online, which further eroded trust among users and prompted copycat domains to emerge amid community confusion.[49] This event followed prior disruptions but marked a shift toward suspected technical compromise rather than domain seizures, with admins emphasizing the zero-day as a novel vector for surveillance and evidence gathering.[22] Subsequent investigations culminated in arrests of alleged BreachForums administrators and affiliates in June 2025. On June 26, 2025, French cyber police detained four French nationals accused of managing the forum and facilitating major data breaches, in coordination with U.S. authorities who confirmed the apprehension of five individuals linked to high-profile hacks advertised on the platform.[50][51] Among those identified was IntelBroker, revealed as British national Kai West, alongside members of the ShinyHunters group, whose activities included extortion via leaked data hosted on BreachForums mirrors.[52] These actions were part of broader international operations targeting cybercrime forums, though direct causation between the MyBB incident and arrests remains inferred from timing and admin disclosures rather than explicit law enforcement attribution.[29]
October 2025 FBI Seizure Involving ShinyHunters
On October 10, 2025, the United States Federal Bureau of Investigation (FBI), in coordination with French law enforcement authorities including the Brigade de Lutte contre la Cybercriminalité (BL2C) and Paris judicial police, seized domains associated with BreachForums, a notorious underground forum facilitating data breaches and extortion.[15][53] The operation targeted a specific portal on the platform exploited by the hacking collective ShinyHunters to threaten the release of stolen Salesforce customer data unless extortion demands were met.[24][25] ShinyHunters had publicly announced via a pinned Telegram post that data from non-paying victims would be dumped at 11:59 PM Eastern Time on that date, escalating pressure on affected organizations.[29] The seizure displayed an FBI takedown banner on the affected BreachForums domains, such as breachforums.hn, redirecting to official FBI contact points like breachforums#fbi.gov and the Internet Crime Complaint Center (IC3).[39][54] This action disrupted ShinyHunters' operations, which had leveraged BreachForums for data leaks tied to high-profile breaches, including those linked to groups like Scattered Spider (also known as Scattered Lapsus$ Hunters).[55][56] According to statements attributed to ShinyHunters post-seizure, the FBI's intervention compromised not only the primary domains but also backup databases, escrow systems, and backend servers, effectively dismantling the forum's infrastructure at that time.[24][15] The FBI formally announced the seizures on October 12, 2025, via its official X (formerly Twitter) account and Facebook, describing BreachForums as a "major criminal marketplace" utilized by actors including ShinyHunters and Baphomet for illicit activities.[57][58] This marked at least the fourth major U.S. law enforcement disruption of BreachForums or its predecessors since the 2023 arrest of alleged founder Conor Fitzpatrick, highlighting persistent challenges in permanently neutralizing such resilient cybercrime platforms.[53][25] Despite the takedown, ShinyHunters issued a PGP-signed message asserting the forum was "officially dead" but vowed to proceed with data releases independently, underscoring the limitations of domain seizures in deterring decentralized threat actors.[55][29]
Resilience and Legacy
Patterns of Shutdowns and Relaunches
BreachForums has demonstrated a recurring pattern of operational disruptions through law enforcement seizures and arrests, followed by rapid relaunches under new administrative control or domains, often announced via Telegram channels or successor platforms. This cycle began after the initial 2023 takedown, with the forum re-emerging within weeks or months despite domain forfeitures and admin captures, reflecting the decentralized nature of underground cybercrime communities that migrate to alternative hosting or the Tor network.[29][59] Following the June 2023 FBI domain seizure of breachforums.is—three months after founder Conor Fitzpatrick's arrest—the forum saw informal revivals through mirrors and partial operations, but sustained activity resumed more prominently after subsequent interventions. In May 2024, a multinational operation led by the FBI seized the rebooted site on May 15, yet it resurrected by May 29 under new management, including claims by actors like ShinyHunters, who reinstated it at the original .st domain by June 12. This quick recovery involved re-claiming domains and shifting to resilient infrastructures, with user discussions on Telegram facilitating continuity.[29][12][59] In 2025, the pattern intensified with fragmented outages and relaunches amid escalating law enforcement pressure. April disruptions were attributed to hacking collectives like R00TK1T, but the forum re-emerged with new domains by late April, suffering reputational hits yet retaining core users. French authorities dismantled key admins in June, targeting a May 2024 relaunch variant active into February, but ShinyHunters announced a "classic form" revival in July. An August 12 shutdown followed claims of law enforcement infiltration, only for another iteration to launch mid-year, culminating in the October 10 FBI seizure of servers tied to ShinyHunters' Salesforce extortion campaign. 
By October 26, the forum had resurfaced again with a new administrator and upgraded infrastructure, underscoring persistent adaptability despite repeated clearnet domain losses.[60][61][15]

| Date | Event | Outcome |
|---|---|---|
| June 2023 | FBI domain seizure post-arrest | Informal mirrors; full relaunch delayed |
| May 15, 2024 | Multinational seizure | Relaunch by May 29; reinstated June 12 |
| April 2025 | Outages by collectives | New domain relaunch by late April |
| July 2025 | ShinyHunters revival | Active until August infiltration claims |
| October 10, 2025 | FBI server seizure | Resurfaced by October 26 with new admin |