Three months after arresting its administrator, U.S. federal authorities have seized the domain of notorious hacking site BreachForums.
For a time, the forum was the go-to community for English-speaking cybercriminals, who would share, advertise and sell personal data stolen from a variety of websites and companies. In March, the FBI arrested Conor Brian Fitzpatrick in New York, accusing him of being the man behind the nickname “Pompompurin,” the administrator of BreachForums. Shortly after, the site’s new administrator shut down the forum, promising it would never come back.
On Thursday, the content of the old site was replaced with a notice that authorities have seized the domain. The notice displays 10 logos of law enforcement agencies from around the globe, the BreachForums logo and — in what appears to be an epic troll — an image of a handcuffed Pompompurin, a character originally from Hello Kitty.
Earlier this month, however, the new admin, who goes by “Baphomet,” had a change of heart and relaunched the forum on a new domain, teaming up with another notorious hacker group that goes by ShinyHunters.
“Hello, Welcome to BreachForums (reincarnated)! This forum is back with the original team behind Breachforums,” an account called ShinyHunters posted in the new forum.
In another post, Baphomet wrote: “For those somehow not in the loop, I wanted to put out a clear message. We have established the community once again […] This is our only domain, no other domains should be trusted.”
Neither Baphomet nor ShinyHunters immediately responded to requests for comment sent to their Telegram accounts.
The short existence of the new BreachForums has already been rocky. Earlier this week, someone leaked the personal data of more than 4,200 registered members, including nicknames, the associated email addresses, IP addresses, social media handles, scrambled passwords and other data. One of the new site’s administrators wrote on Telegram that there had been a breach, accusing a rival forum of the hack, as first reported by the cybersecurity blog HackRead.
TechCrunch has seen a copy of the leaked forum data, which was briefly published as downloadable links from the old BreachForums page shortly before the domain was seized. The leaked data included the user’s registered email address, IP address and their scrambled passwords. Another file contained the user database for the forum itself, including Telegram handles and forum signatures.
Timestamps found in the dataset suggest the data relates to accounts created as recently as June.
According to the note left on the since-seized site: “BreachForums clone has already been hacked. Do not trust websites impersonating, as said multiple times it wont [sic] be returning.”
The authorities have been going after hacking forums for the last couple of years, shutting down and seizing RaidForums, another well-known hacking forum, in 2022. The original BreachForums was launched after the end of RaidForums.
Do you have information about BreachForums? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email firstname.lastname@example.org. You can also contact TechCrunch via SecureDrop.