FBI Strikes Major Blow Against Global Cybercrime: BreachForums Seizure Disrupts Elite Hacking Network

Breached Company

Breached Company

6 min read
FBI Strikes Major Blow Against Global Cybercrime: BreachForums Seizure Disrupts Elite Hacking Network

International law enforcement operation dismantles marketplace used by ShinyHunters, Baphomet, and IntelBroker amid massive Salesforce extortion campaign

October 2025 — In a coordinated international law enforcement operation, the FBI and French authorities have seized control of BreachForums, one of the world's most notorious cybercrime marketplaces, dealing a significant blow to a criminal ecosystem that facilitated billions of dollars in data theft and extortion.

The October 9-10 takedown, conducted jointly by the FBI, U.S. Department of Justice, France's Brigade de Lutte Contre la Cybercriminalité (BL2C), and the Paris Prosecutor's Office, comes as the latest chapter in an ongoing battle against a resilient network of elite threat actors who have repeatedly resurrected the platform despite law enforcement pressure.

A Critical Strike at a Criminal Crossroads

The seizure occurred just hours before the Scattered LAPSUS$ Hunters hacking collective—a "trinity of chaos" combining members from ShinyHunters, Scattered Spider, and Lapsus$—was set to execute their threatened October 10 deadline to leak nearly one billion records stolen from Salesforce customers.

Visitors to breachforums.hn were greeted with an animated FBI seizure banner, while the site's name servers were redirected to the FBI's standard seized infrastructure at ns1.fbi.seized.gov and ns2.fbi.seized.gov. The operation marks the fourth time law enforcement has targeted the forum and its predecessors since 2022.

In a PGP-signed message posted to Telegram shortly after the seizure, ShinyHunters confirmed the operation's scope, revealing that authorities had compromised not just the domains, but all backend servers, database backups dating to 2023, and escrow databases. "The era of forums is over," the message declared, warning that any future relaunch should be considered a law enforcement honeypot.

The Threat Actors Behind the Operation

The individuals and groups leveraging BreachForums represent some of the most prolific cybercriminals of the past five years:

ShinyHunters: Active since 2020, this English-speaking collective has been linked to massive data breaches affecting billions of users across telecommunications, e-commerce, technology, and retail sectors, including high-profile attacks on AT&T, Salesforce, PowerSchool, Ticketmaster, Advance Auto Parts, and Neiman Marcus. The group earned notoriety for their sophisticated social engineering tactics and their exclusive dealings on RaidForums and BreachForums.

Baphomet: A previous administrator who partnered with ShinyHunters to relaunch BreachForums following the arrest of original founder Conor Fitzpatrick in March 2023. Reports indicate Baphomet was arrested in a 2024 law enforcement operation.

IntelBroker: The notorious data broker rose to prominence through high-profile breaches at Europol, General Electric, AMD, HPE, Nokia, Cisco, and DC Health Link—which exposed sensitive information of U.S. House members and their families. French authorities arrested IntelBroker, identified as Kai West, in February 2025, though this information was not publicly confirmed until June.

The Salesforce Campaign: A New Evolution in Cybercrime

The timing of the BreachForums seizure was no coincidence. The Scattered LAPSUS$ Hunters collective had launched a dedicated data leak site threatening to release approximately one billion records allegedly stolen from 39 major Salesforce customers, including Disney, Toyota, McDonald's, IKEA, FedEx, Cisco, Home Depot, Marriott, Walgreens, and Chanel.

The attacks exploited social engineering techniques, particularly voice phishing (vishing), where hackers impersonated IT support staff to trick employees into authorizing malicious OAuth applications that granted persistent access to Salesforce environments, effectively bypassing multi-factor authentication.

In August 2025, attackers further compromised organizations by breaching a GitHub repository used by Salesloft's Drift chatbot integration, gaining access to OAuth tokens for 760 Salesforce instances. This supply-chain attack demonstrated a sophisticated evolution from traditional ransomware to "extortionware"—leveraging data exposure rather than system encryption for extortion.

Salesforce emphasized that its core platform was not breached, stating the incidents related to third-party integrations and customer-side security lapses, and publicly declared it would not pay or negotiate ransom demands.

A Resilient Criminal Infrastructure

BreachForums' history illustrates the persistent challenge law enforcement faces in combating decentralized cybercrime networks:

  • March 2022: Founded by Conor Brian Fitzpatrick (Pompompurin) as a successor to the FBI-seized RaidForums, the platform quickly gained traction and eventually reached nearly 225,000 members
  • March 2023: Fitzpatrick arrested in New York and later sentenced to 20 years supervised release after pleading guilty to conspiracy charges and possession of child pornography
  • June 2023: ShinyHunters and Baphomet relaunched BreachForums v2, continuing operations as a marketplace for stolen data, hacking tools, and network access
  • May 2024: Second FBI seizure, though ShinyHunters briefly retrieved control of the domain
  • June 2025: French authorities arrested four key administrators operating under the aliases "ShinyHunters," "Hollow," "Noct," and "Depressed," all accused of involvement in major breaches against French entities including France Travail, which compromised 43 million individuals
  • July-August 2025: ShinyHunters relaunched BreachForums v4 under the breachforums.hn domain, but warned in August that the forum had been compromised and was serving as a law enforcement honeypot
  • October 2025: FBI and French authorities execute the latest comprehensive seizure

Law Enforcement's Expanding Reach

The BreachForums operation represents part of an unprecedented acceleration of international law enforcement cooperation in 2025, building on successful 2024 operations that disrupted major ransomware groups like LockBit under Operation Cronos.

FBI Assistant Director Christopher G. Raia stated that the arrests "should serve as a warning to anyone thinking they can hide behind a keyboard and commit cybercrime with impunity; the FBI will find and hold you accountable no matter where you are".

The seizure demonstrated the success of global law enforcement collaboration in combating cybercrime, with similar partnerships expected to help international agencies address cybercriminal activity more quickly and effectively.

The Dark Web Persists

Despite the clearnet seizure, challenges remain. The Tor-based dark web version of the leak site remained operational following the seizure, and the threat actors confirmed their Salesforce extortion campaign would continue. On October 13, the group leaked data from six victims including Qantas Airlines, Gap, Albertsons, and Vietnam Airlines, which exposed 7.3 million unique email addresses.

Security experts note that the forum-free, portable extortion model allows groups to pivot across Telegram, throwaway domains, and bespoke leak sites, making complete disruption difficult.

Implications for the Cybersecurity Landscape

The BreachForums takedown yields several critical insights for the cybersecurity community:

Lowered Barriers to Entry: BreachForums' large user base and degree of anonymity lowered barriers for new and inexperienced cybercriminals, making it easier to locate tools and resources needed for attacks. Its disruption will temporarily fragment this ecosystem.

Evolution of Tactics: The Salesforce campaign highlights a strategic shift from traditional ransomware that encrypts files to data theft and extortion, where leverage comes from threatened public exposure rather than system disruption.

SaaS as Target: Security analysts note that SaaS platforms represent "the new blast radius," often compromised by abusing OAuth and app-to-app trust relationships that interconnected services depend upon.

Youth Movement: Many of these sophisticated attacks originate from "The Com," a loosely organized English-speaking cybercrime youth movement encompassing mainly teens and twentysomethings who share tools, trade access, and collaborate on operations.

What's Next

ShinyHunters' statement that "BreachForums is never coming back, if it comes back, it should immediately be considered a honeypot" suggests the group recognizes traditional forums have become too compromised for safe criminal operations. The threat actors indicated they believe the FBI and international partners will crack down on many individuals in the coming weeks to months.

However, cybersecurity experts remain cautious. The pattern of relaunches suggests that despite infrastructure takedowns, threat actors often resurface under new names or platforms, continuing campaigns from the dark web or encrypted channels like Telegram.

For organizations, security professionals recommend using this disruption as a 30-day grace period to ramp up dark web monitoring tools, audit SaaS configurations—particularly OAuth permissions—and drill incident response playbooks.

Conclusion

The FBI's seizure of BreachForums represents a significant tactical victory in the ongoing battle against organized cybercrime, demonstrating the effectiveness of sustained international cooperation and the willingness of global law enforcement to impose real costs on cyber threat actors.

Yet as the Scattered LAPSUS$ Hunters' continued operations demonstrate, the fight against cybercrime remains an evolving challenge. The marketplace may be gone, but the criminal expertise, social networks, and motivations that fueled it persist—a reminder that defending against these threats requires constant vigilance, international collaboration, and adaptive security strategies.

As organizations worldwide grapple with the implications of the Salesforce campaign and assess their exposure from years of BreachForums operations, one thing is clear: the seizure of this criminal crossroads marks not an ending, but a new chapter in the perpetual cat-and-mouse game between cybercriminals and those working to stop them.

About the Investigation: The FBI is requesting victims and individuals contact them with information about the hacking forum and its members through dedicated channels including a special IC3 portal, email, Telegram, and TOX accounts to aid in their ongoing investigation.

Read more

Qantas Data Breach: 5 Million Customer Records Leaked as Scattered Lapsus$ Hunters Escalate Global Extortion Campaign

Qantas Data Breach: 5 Million Customer Records Leaked as Scattered Lapsus$ Hunters Escalate Global Extortion Campaign

Major Airline Falls Victim to Sophisticated Cybercrime Coalition in Year-Long Supply Chain Attack Australia's flagship carrier Qantas Airways has become the latest high-profile victim of an aggressive extortion campaign orchestrated by Scattered Lapsus$ Hunters, a notorious cybercriminal coalition that has targeted dozens of Fortune 500 companies in what

By Breached Company