Flash Report: BreachForums Allegedly Relaunched With New Domain

Key Findings

• On April 23, 2025, ZeroFox observed an announcement posted to the allegedly relaunched BreachForums site, breached[.]fi-made by the user “Normal”, stating that the forum is “officially back online”.
• Administrators of the previous [.]st BreachForums domain appear to have launched the new domain and have publicized efforts to reinstate the existing reputations of previous users.
• It is likely that BreachForums will have suffered reputational damage as a result of the April 15, 2025 outage. Returning users will very likely approach the [.]fi domain with increased caution, due to circulating speculation on deep and dark (DDW) forums regarding the potential involvement of law enforcement (LE).
• As of the writing of this report, ZeroFox has observed some users reporting difficulties in registering for accounts, which is likely attributed to initial launch issues. It is very likely that it will take some weeks before a fully functioning user interface is restored.

Details

On April 23, 2025, ZeroFox observed an announcement posted to the allegedly-relaunched BreachForums site, breached[.]fi-made by the user Normal, stating that the forum is “officially back online”, accompanied by further details and plans.

• On April 15, 2025, ZeroFox observed that popular deep web hacking forum BreachForums was no longer online, with the domain breachforums[.]st displaying an error message.
• Conflicting information has also been circulating amongst threat actors, with many instead claiming that the Federal Bureau of Investigation (FBI) is behind BreachForums’ closure.
• As of the writing of this report, it remains unclear whether a LE operation or a hacktivist group, such as Dark Storm (who has not indicated any specific motive), is responsible for the BreachForums outage.

The [.]fi domain referenced in Normal’s post was launched on April 19, 2025, with a user interface notably similar to the previous [.]st domain. On April 20, 2025, an update was posted on the [.]fi domain site by positive reputation actor “Anastasia”, to say that they were doing “everything they could to restore the forum as quickly as possible”. On April 23, 2025, Anastasia announced on breached[.]fi that they have successfully completed upgrades to the infrastructure and management procedures of the forum, stating that it would undergo a restart before launching with additional functionality.

There is ongoing speculation within DDW forums surrounding what caused the unexpected outage of BreachForums, and whether any relaunched domain can be trusted. 

• On April 18, 2025, well-regarded and established threat actor “Rey” took to the social media platform X (formerly Twitter), posting a series of messages that alleged BreachForums had been seized by the FBI.

On April 23, 2025, Rey posted on X stating “I don’t vouch for breached[.]fi, It's fake”.¹ Notably, some of the original moderators from breachforums[.]st such as “Loki”, “Tanaka”, “Addaka”, and “888”, have not yet been observed in the new domain breached[.]fi.

A separate post by Anastasia offered to restore the ranks of users that were held on the previous BreachForums site, should they send proof of payment to the admins of the new domain. This is very likely an attempt to lend credibility to the site, attract previous BreachForums users, and gain traction.

On 20 April, 2025, the Telegram-based hacktivist collective “Dark Storm” seemingly claimed responsibility for a distributed denial of service (DDoS) attack targeting the [.]fi domain, which they allegedly conducted between April 19-20, 2025. In the post, Dark Storm claimed they had taken down the site temporarily, also providing a check-host URL which seemingly confirmed the forum's outage.² As of the writing of this report, it remains unclear whether Dark Storm carried out this attack.

• On April 15, 2025, Dark Storm posted to its Telegram channel, seemingly claiming responsibility for a previous DDoS attack against the [.]st domain.

As BreachForums is a popular and highly-frequented hacking forum, it is very likely that many of its previous users will seek to register accounts at the new domain, in order to restore their previous reputations. While other deep web hacking forums exist, none are likely perceived as a legitimate alternative to BreachForums. 

It is likely that BreachForums will have suffered reputational damage as a result of the April 15, 2025 outage. Returning users will very likely approach the [.]fi domain with increased caution, due to circulating speculation on DDW forums regarding the potential involvement of LE. 

It is very likely that numerous threat actors will seek to capitalise on the uncertainty surrounding the new domain by creating alternative forums, whether intended as a replacement or created for the purposes of scamming visitors seeking to register. As of the writing of this report, ZeroFox has observed some users reporting difficulties in registering accounts, which is very likely attributed to initial launch issues. It is likely to take some weeks before a fully functioning user interface is restored.

Appendix A: Traffic Light Protocol for Information Dissemination

Appendix B: ZeroFox Intelligence Probability Scale 

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.