Flash: BreachForums Marketplace Seized By Law Enforcement
Key Findings
- On May 15, 2024, the popular English-language deep and dark web (DDW) forum BreachForums was seized by law enforcement agencies in an operation likely coordinated by multiple international law enforcement agencies.
- Since mid-2023, BreachForums has been one of the most popular DDW marketplaces hosting discussions surrounding malicious network access and exploitation, as well as the trading of associated goods such as personally identifying information and personal financial information.
- ZeroFox can neither independently confirm nor deny that a spate of recent posts on the forum advertising the sale of highly sensitive information initiated the law enforcement activity.
- ZeroFox notes the possibility that the law enforcement operation is ongoing, with the potential for further disruption to occur.
Details
On May 15, 2024, the popular English-language DDW forum BreachForums was seized in an operation likely coordinated by multiple international law enforcement agencies. At the time of writing, both clearnet and onion domains display a banner stating that the sites are under the control of the United States’ Federal Bureau of Investigation (FBI) and Department of Justice (DoJ). ZeroFox notes the possibility that the law enforcement operation is ongoing, with the potential for further disruption to occur.
- The FBI and DoJ have allegedly taken control of the domain hosted at breachforums[.]st. Former BreachForums domains hosted at [.]cx, [.]is, and [.]vc were not operational at the time of the disruption.
- The FBI has also seized control of the BreachForums Telegram channel, announcing to users via a message that a review of the backend data will be conducted.
- There are unconfirmed reports that an alleged BreachForums moderator, Baphomet, has been arrested.
Since mid-2023, BreachForums has been one of the most popular DDW marketplaces hosting discussions surrounding malicious network access and exploitation, as well as the trading of associated goods such as personally identifying information and personal financial information.
- A previous version of BreachForums ran from March 2022 to March 2023 before being seized by law enforcement following the arrest of the forum’s creator, an individual known as “Pompompurin.”
- The forum’s predecessor, Raidforums, was also disrupted by law enforcement in April 2022.
In April 2024, BreachForums’ surface web domain became unusable for a short period of time. The site's administrator, Baphomet, subsequently posted a PGP-encrypted message to the forum’s Telegram channel announcing the suspension of BreachForums[.]cx and added that the forum’s [.]onion domain was still functioning. The disruption was claimed by the threat actor R00TK1T in a Telegram post.
- R00TK1T’s involvement was quickly disputed by Baphomet, who instead blamed “the five eyes network, and various other large nations.” Baphomet also announced the resumption of the forum on the [.]st Top Level Domain (TLD). As of the time of writing, this site is fully functional.
- Many of R00TK1T’s historical targets are those perceived to be acting against the interests of Russia and Israel. As a primarily English-speaking forum, BreachForums is regularly frequented by actors discussing cyberattacks against both Russia and Israel, which R00TK1T almost certainly perceives as justification for its alleged involvement.
- However, given the forum’s short downtime and the lack of subsequent information posted by R00TK1T as threatened, it is unlikely that R00TK1T was involved in the site’s disruption.
ZeroFox can neither independently confirm nor deny that activity conducted by well-regarded threat actor “IntelBroker” initiated law enforcement’s disruption to BreachForums. A spate of recent posts on the forum advertised data breaches allegedly composed of highly sensitive information.
- In April 2024, IntelBroker advertised what it claimed was a leaked database associated with “Space Eyes”—a geospatial intelligence company that almost certainly works with the U.S. government. Posts of this nature are not uncommon from IntelBroker; however, they are not usually advertised on clear web forums such as BreachForums[.]st.
- In May 2024, IntelBroker claimed to have breached a European intelligence agency and was selling sensitive personal data pertaining to its employees. This data was reportedly sold by IntelBroker.
Appendix A: Traffic Light Protocol for Information Dissemination
ZeroFox Intelligence Flash Report - BreachForums Marketplace Seized By Law Enforcement
Appendix B: ZeroFox Intelligence Probability Scale
All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.
Tags: Breaches, Deep & Dark Web, Digital Risk Protection, Threat Intelligence