
The FBI last night seized all the domains of the BreachForums hacking forum run by the ShinyHunters group, which operated mostly as a portal for leaking corporate data stolen in attacks by ransomware and extortion gangs.
Law enforcement officials in the US and France worked together to take control of the BreachForums web infrastructure before the Scattered Lapsus$ Hunters hackers could carry out their threat to leak data from the Salesforce breach belonging to companies that did not pay a ransom.
Backups since 2023 under FBI control
The cybercriminals confirmed the seizure of BreachForums in a message on Telegram signed with ShinyHunters' PGP key. The group said the seizure was inevitable and that “the era of platforms is over.”
BleepingComputer can confirm that BreachForums is now controlled by law enforcement authorities, as the latest domain update occurred on October 9 and the nameservers have been changed to those that the FBI uses for seizures.
From analysis conducted after the law enforcement action, ShinyHunters concluded that all BreachForums database backups since 2023 have been compromised, along with all escrow databases since the latest reboot.
The gang also said that the backend server has been seized. However, the gang’s data leak site is still online on the dark web.
The ShinyHunters team said that no one from the core admin team has been arrested, but that they will not launch another BreachForums, noting that such sites should be viewed as honeypots from now on.
According to the threat actor’s message, following the takedown of RaidForums, the same core team planned several forum reboots, using admins like Pompompurin as a front.

Source: BleepingComputer
Additionally, the cybercriminals underlined that the seizure will not impact their Salesforce campaign and the data leak, which is still scheduled to occur at 11:59 pm EST today.
The gang’s data leak site on the dark web shows a long list of companies affected by the Salesforce hacking, among them FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France and KLM, TransUnion, HBO Max, UPS, Chanel and Ikea.
According to the hackers, they stole more than a billion records containing customer information.
It should be clarified that the BreachForums variant that authorities seized yesterday was different from a previous version of the platform with the same name: it was not a cybercrime forum, but functioned as a data extortion site for high-profile campaigns like the Salesforce breaches.

Source: BleepingComputer.com
The most recent relaunch of BreachForums in its classic form was announced by ShinyHunters in July 2025, a few days after law enforcement authorities in France arrested four administrators of the previous reboot, including individuals with the usernames ShinyHunters, Hollow, Noct, and Depressed.
At the same time, US authorities announced charges against Kai West, aka ‘IntelBroker’, a high-profile member of the BreachForums cybercrime ecosystem.
In mid-August, BreachForums went offline, and ShinyHunters published a PGP-signed message reporting that the forum’s infrastructure had been seized by France’s BL2C unit and the FBI, warning that there would be no other reboots.


