Cyber crime platform BreachForums has been seized in a joint law enforcement operation led by the FBI, but questions remain over the long-term impact.
Over the last year, the forum had been hosting stolen data from recent breaches affecting the European law enforcement agency Europol before being taken offline.
The FBI reported it had taken control of the servers and domains hosting the forum, and said it was currently reviewing the site’s backend, appealing for any users with further information on criminal activity to report it immediately.
BreachForums is a continuation of another popular hacking forum known as RaidForums, which was active between 2015 and 2022, before its founder, Diogo Santos Coelho, or ‘Omnipotent’, was arrested by UK authorities.
Prominent RaidForums community member, ‘Pompurin’ or Conor Brian Fitzpatrick, then set up the original iteration of BreachForums, which ran from 2022 up until Fitzpatrick’s arrest in March last year.
During this time, the site hosted stolen data related to over 80,000 members of the FBI non profit information portal InfraGard, as well as healthcare information of more than 56,000 individuals stolen from health insurance marketplace DC Health Link.
BreachForums was quickly resurrected, however, with forum member ‘Baphomet’ taking control of the site’s infrastructure, which they quickly overhauled in fear of it still being compromised by law enforcement agencies.
With the help of the ShinyHunters threat collective, Baphomet was able to reopen the forum, which has hosted a database containing 49 million customer records stolen from a Dell partner portal, as well as information exfiltrated from Europpol’s EPE web platform.
This time, the takedown also encompassed the forum’s Telegram channels, clearnet sites, as well as a separate Telegram operated by Baphomet, but despite this new sites will likely pop up in no time as the cyber crime wave continues unabated.
BreachForums highlights the endless game of dark web whack a mole
The ongoing saga between forum administrators and law enforcement agencies is unlikely to be impacted by these latest developments, as new marketplaces have already begun springing up in the aftermath of BreachForum’s demise.
Kevin Robertson, COO and cofounder at cyber security firm Acumen, said that within hours hacking groups had already announced their plans to take the place of BreachForums as the go-to marketplace for selling stolen data.
“It’s been hours since the seizure of BreachForums and there are already new marketplaces on the horizon. The threat actor USDoD has already announced Breach Nation, which is set to launch on 4th July, while there are also indications that ShinyHunters have something in the works”, Robertson advised.
“This shows that when sites are as successful as BreachForums, attackers won’t go down without a fight. While Baphomet, the latest operator of BreachForums, has reportedly been arrested, there are numerous others wanting to take the reins and develop their own marketplace so they can continue to serve users.”
Robertson said that while the FBI and other law enforcement agencies are making strides in targeting these sites, the cyber criminals behind them can spawn new alternatives with relative ease.
“It’s a game of cat and mouse. Law enforcement is making good progress with takedowns, but while there is the ability to rebrand under new identities and infrastructure, there is no permanent disruption of the actors.”
Nonetheless, these takedowns mean operations like BreachForums are consigned to a limited lifespan, as seizure and prosecution becomes more of an inevitability.
Accordingly, Robertson predicted that although the new BreachForums alternatives will only enjoy a brief time in the sun before they are taken down, the vicious cycle is doomed to continue.
“Breach Nation will only have a limited shelf life, we can be sure of that. But we can also be sure that the operators and actors using the site will continue to resurface under new guises, causing just as much chaos in the online world.”
Similar cases where law enforcement operations successfully force cyber criminal networks offline, including operation Duck Hunt targeting the notorious Qakbot botnet, have raised questions around the significance of their impact.
The resilience and resourcefulness of threat actors has been well established in the aftermath of a number of notable breaches and so whether or not these blows constitute a knockout for cybercriminals behind BreachForums remains doubtful.
