Third time lucky? The FBI just took down BreachForums, again

The hacking forum is down for now, but the group behind it, Scattered Lapsus$ Hunters, isn't going to stop extorting victims of the Salesforce breach

Emma Woollacott's avatar
By
published
in News
Cyber crime concept image showing hacker typing on keyboard in dimly-lit room with tablet pictured on desk.
(Image credit: Getty Images)

The FBI has seized control of domains linked to the BreachForums hacking forum, used by cybercriminals to buy, sell, and trade hacked or stolen data.

It's been used by hacking groups including Baphomet, IntelBroker, and ShinyHunters – the groups now forming Scattered Lapsus$ Hunters, which earlier this month took control of the domain.

These actors are behind recent Salesforce attacks against companies including Google, Palo Alto Networks, Zscaler, and Cloudflare, as well as Disney, Qantas, Air France-KLM, and Toyota, and have been using the site to leak data and carry out extortion attempts.

"This takedown removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors," said the FBI.

"It demonstrates the reach of coordinated international law enforcement operations to impose costs on those behind cyber crime."

This isn't the first time the FBI has taken action. It first took the site down in March 2023 following the arrest of its founder, Conor Brian Fitzpatrick. Last year, in a joint operation with Europol, it repeated the action – although within days the site was resurrected and others emerged.

These takedowns are having a cumulative effect, according to Cory Michal, chief security officer at AppOmni.

"Each seizure chips away at its credibility, and repeated takedowns always raise the lingering question within the underground community about whether the site, or its successors, are secretly being run or monitored by authorities. That kind of uncertainty is often as damaging to these forums as the actual takedown itself," he said.

“Each takedown makes these communities more fragile and less trusted, and the logistics of keeping a large, centralized platform online under constant law enforcement scrutiny have become unsustainable."

BreachForums takedown marks end of an era

Interestingly, this appears to be a concern held by the attackers themselves, who have commented that 'the era of forums is over'.

Michal warned that the attackers are likely to continue operating their data leak sites, but with Telegram as their main communications hub.

"Those channels are easy to recreate if taken down, and private messages are end-to-end encrypted, giving them a persistent base of operations. In the near term, they’ll enter a monetization phase, extorting affected companies and attempting to convert stolen data into cryptocurrency," he said.

“Once that cycle runs its course, they’re likely to reinvest both time and funds into new campaigns, focusing on high-value SaaS platforms and enterprise tenants where access can be monetized again through resale, ransomware, or additional data theft. This progression follows a familiar pattern among more organized cyber-extortion groups."

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

Emma Woollacott
Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

Latest
You might also like
View More ▸