
BreachForums Hacking Forum Seized Again After Hosting Data Stolen From Five Eyes, Europol

A string of attacks on government agencies around the world appears to have provoked law enforcement into seizing the BreachForums hacking forum again, in what is becoming an annual event.

That is not to say that the seizures have been entirely ineffective, as arrests of operators have been made in the past. However, the hacking forum has simply been handed off to someone else to run and quickly re-emerged after prior law enforcement actions. It remains to be seen if this one will stick, but it appears that the site’s founder and Telegram channel operator has been arrested.

Top underground hacking forum disrupted yet again after leaks of government data

Though it is not yet clear whether there is a direct connection between the events, the raid on the hacking forum follows last week's auction of data stolen from Europol and an April leak of information said to have been taken from a contractor used by the Five Eyes intelligence agencies.

The hacking forum’s landing page now shows a seizure notice posted by the FBI and DOJ, in partnership with international law enforcement agencies. The notice indicates that the site’s backend data is being reviewed by authorities. In addition, the site’s Telegram channel has been seized and displays a similar message.

“Backend data” would imply that the agencies have access to private messages, email and IP addresses, and other identifying information that could create trails back to the hacking forum’s clientele. The site’s founder and Telegram account operator, who goes by the handle Baphomet, appears to have been arrested as part of the action. Some of Baphomet’s private messages were posted publicly to the Telegram channel seemingly in proof of the FBI’s seizure.

The hacking forum has now suffered a string of raids dating back to its original incarnation as RaidForums. That site lasted from 2015 to 2022 and was the leading destination for cyber criminals trading in stolen info until it was taken down by an international law enforcement action, which resulted in the arrest of its operator. The site quickly revived as BreachForums under the direction of a new administrator, going by the handle pompompurin, who was subsequently arrested in another raid that took place in March 2023.

The current version of the hacking forum is headed up primarily by Baphomet, the ShinyHunters hacking group and IntelBroker. IntelBroker seems to have been the direct trigger for much of the recent law enforcement action, opting for a string of brazen attacks on high-level government targets that were sure to draw special attention and retaliation. The prior raid is thought to have been triggered by his 2023 attack on DC Health Link, which exposed the personal and health information of some members of Congress and their staffers.

This operation may well have been percolating since long before April, however. Prior raids on hacking groups have lasted for as long as two years from the investigators establishing some sort of initial penetration, as they gather information and map out the group’s technical assets while also trying to match handles to real-world identities.

IntelBroker remains free for now, future of BreachForums unclear

Cyber crime centered on stolen data is generally based in Russia and allied countries, with these governments giving de facto permission to hackers to attack foreign targets so long as they avoid allies or stirring up too much international drama. BreachForums is part of an increasing trend of criminals based in the US, EU and UK running high-level operations that attack targets within their own jurisdiction. RaidForums turned out to be operated by Diogo Santos Coelho, a resident of the UK, and pompompurin turned out to be Conor Brian Fitzpatrick of New York. And ShinyHunters member Sebastien Raoult, arrested in a separate operation in January of this year, is a native of France who was picked up in Morocco.

The hacking forum also played host to major breaches beyond those its operators were directly involved with. These include last month's Dell breach affecting 49 million customers, and the January 23andMe breach that involved some amount of genetic data. The board also hosted data from a 2023 breach of Sony.

BreachForums is estimated to have had at least 340,000 users at the time it was taken down, and is one of the largest underground gathering places for trading in stolen data. So long as central figure IntelBroker is at large, it will likely find new operators and re-form somewhere at some point.

But Tom Marsland (VP of Technology, Cloud Range, and Board Chairman of VetSec) is optimistic that law enforcement agencies are improving their knowledge of the criminal ecosystem and ability to quickly strike again with each new takedown: “For the second time, US and international law enforcement groups worked together to seize BreachForums, a popular data leak site. Just like with the collaboration between Microsoft, CISA, the FBI, and the NSA, this joint effort shows the importance of public and private sectors working together to secure the cyber domain. While the information surrounding this seizure is new at this point, it is exciting to see continued efforts to thwart this activity. Inevitably, these actors will show up again in another place, as they did when RaidForums was seized in 2022, but cyber defenders seem ready and poised to seize assets again if they do.”