The FBI has seized control of domains linked to the BreachForums hacking forum, used by cybercriminals to buy, sell, and trade hacked or stolen data.
It's been used by hacking groups including Baphomet, IntelBroker, and ShinyHunters – the groups now forming Scattered Lapsus$ Hunters, which earlier this month took control of the domain.
These actors are behind recent Salesforce attacks against companies including Google, Palo Alto Networks, Zscaler, and Cloudflare, as well as Disney, Qantas, Air France-KLM, and Toyota, and have been using the site to leak data and carry out extortion attempts.
"This takedown removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors," said the FBI.
"It demonstrates the reach of coordinated international law enforcement operations to impose costs on those behind cyber crime."
This isn't the first time the FBI has taken action. It first took the site down in March 2023 following the arrest of its founder, Conor Brian Fitzpatrick. Last year, in a joint operation with Europol, it repeated the action – although within days the site was resurrected and others emerged.
These takedowns are having a cumulative effect, according to Cory Michal, chief security officer at AppOmni.
"Each seizure chips away at its credibility, and repeated takedowns always raise the lingering question within the underground community about whether the site, or its successors, are secretly being run or monitored by authorities. That kind of uncertainty is often as damaging to these forums as the actual takedown itself," he said.
“Each takedown makes these communities more fragile and less trusted, and the logistics of keeping a large, centralized platform online under constant law enforcement scrutiny have become unsustainable."
BreachForums takedown marks end of an era
Interestingly, this appears to be a concern held by the attackers themselves, who have commented that 'the era of forums is over'.
Michal warned that the attackers are likely to continue operating their data leak sites, but with Telegram as their main communications hub.
"Those channels are easy to recreate if taken down, and private messages are end-to-end encrypted, giving them a persistent base of operations. In the near term, they’ll enter a monetization phase, extorting affected companies and attempting to convert stolen data into cryptocurrency," he said.
“Once that cycle runs its course, they’re likely to reinvest both time and funds into new campaigns, focusing on high-value SaaS platforms and enterprise tenants where access can be monetized again through resale, ransomware, or additional data theft. This progression follows a familiar pattern among more organized cyber-extortion groups."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
AWS pledges $50 billion to expand AI and HPC infrastructure for US government clientsNews The company said an extra 1.3 gigawatts of compute capacity will help government agencies advance America’s AI leadership
-
NCSC called in as London councils grapple with cyber attacksNews In what looks likely to be a supply chain attack, councils are warning residents of service disruption
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Logitech says zero-day attack saw hackers copy 'certain data' from internal IT systemsNews The incident is believed to have formed part of a campaign by the Clop extortion group that targeted customers of Oracle’s E-Business Suite
-
Google wants to take hackers to courtNews You don't have a package waiting for you, it's a scam – and Google is fighting back
