
Cyber Incident Victim: BreachForums

Date: Aug 2025

Location: United States of America

Summary

BreachForums experienced a leak of a database containing hundreds of thousands of user records, including email addresses and IP information, along with a PGP private key and a lengthy manifesto. The leak followed multiple law enforcement actions that had previously seized the site’s domains, arrested its founders and administrators, and taken down associated extortion services. Analysts noted that the exposure undermines trust in the forum and expressed concerns that the data could be used for disinformation.

CIA Posture: Available to members
Motives: 0 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

BreachForums emerged as the successor to RaidForums after the latter's seizure by U.S. authorities in 2022 and quickly became one of the largest English-language crime forums, hosting discussions on data breaches, illegal sexual content, ransomware and hacking tools. In 2023 the site's alleged founder and administrator, Conor Brian Fitzpatrick, was arrested, and its clearnet domains were seized three months later; Fitzpatrick was later sentenced to three years in prison by a U.S. court.

A replacement administrator known as Baphomet was reportedly arrested in 2024, and in 2025 five additional individuals accused of ties to the forum were taken into custody. The forum's dark web extortion site was finally taken down by law enforcement in October 2025, following threats from the Scattered Lapsus$ Hunters to release one billion records stolen from Salesforce customers. On August 11, 2025 the forum's administrators announced that the site was being shut down for fear that it had been compromised by law enforcement, a date that later appeared on the leaked database.

Public knowledge of the breach surfaced on January 9, 2026, when a zip archive containing a MySQL database of 323,986 BreachForums users was posted on the domain shinyhunte[.]rs. According to Have I Been Pwned, the actual data theft occurred in August 2025, two months prior to the October takedown. A day later, on January 10, 2026, a password-protected PGP private key file was released, which Resecurity identified as likely used to sign messages from BreachForums' administrators, accompanied by a 4,400-word manifesto titled "Doomsday" authored by someone using the name "James" who claimed responsibility for the leak.

The leaked database contains email addresses and IP address information; analysis indicated that many of the IP entries are loopback addresses, while the most common email service used for registration was Gmail, potentially offering a forensic link for users who failed to conceal their tracks.

Michael Jepson, penetration testing manager at CybaVerse, stated that the breach significantly undermines trust in the platform, which he described as critical for any cybercrime forum, and that the exposure damages confidence in BreachForums as a secure environment, likely prompting more sophisticated cyber criminals to migrate to smaller, invite-only communities. Michael Tigges, senior security operations analyst at Huntress, noted that while the database could be useful for authorities and security professionals researching adversarial activities, its forensic value is ultimately limited, and he questioned its integrity if the data had been derived from another cybercrime group, warning that such leaks could serve as a cover for disinformation campaigns and that any lines drawn between nuclei of activity must be highly scrutinized.

Resecurity's analysis highlighted the inclusion of the PGP key and the manifesto as novel elements not present in earlier disclosures, emphasizing the leak's role in the ongoing series of takedowns and legal actions against the forum's operators and administrators. Law enforcement agencies have continued to monitor the situation, relying on the leaked data where permissible, while acknowledging the challenges posed by anonymizing services and the questionable reliability of the information. The incident adds to the cumulative impact of prior arrests, domain seizures and site takedowns that have progressively degraded BreachForums' operational capacity and reputation within the cybercriminal ecosystem.
