Pierluigi Paganini
April 28, 2025
On April 15, BreachForums, one of the top marketplaces for stolen data, abruptly shut down, fueling widespread speculation. Rumors ranged from FBI raids and the arrest of the administrator.
In the aftermath, several alternative forums emerged, some demanded entry fees, fueling confusion and raising the risk of scams or government-run honeypots.
BreachForums was an English-language cybercrime forum that emerged in March 2022 as a successor to the dismantled RaidForums. It served as a marketplace for threat actors to buy and sell stolen data, hacking tools, and compromised credentials. The forum was founded by Conor Brian Fitzpatrick, known online as “pompompurin,” who had previously claimed responsibility for the 2021 FBI email hack.
After Fitzpatrick’s arrest in March 2023, the forum’s administration changed hands multiple times, including to the hacking group ShinyHunters and later to an individual known as “Baphomet.” Despite efforts to keep it operational, BreachForums faced repeated shutdowns and domain seizures by law enforcement agencies, including the FBI.
According to a statement published by BreachForums, the forum ceased operations after the discovery of a zero-day vulnerability in the open-source forum software MyBB that was used by the platform. Law enforcement agencies may have exploited the flaw to infiltrate the forum. For this reason, the operators behind the platform shutdown it to start the incident response procedure.
“In or around April 15, we received confirmation of information that we had been suspecting since day 1 – a MyBB 0day. This confirmation came through trusted contacts that we are in touch with, which revealed that our forum (http://breachforums.st) is subject to infiltration by various agencies and other global law enforcement bodies.” reads the statement. “Upon learning of this, we immediately took action by shutting down our infrastructure and initiating our incident response procedures.”
Administrators pointed out that no data compromise occurred.
“Our findings indicate that, fortunately, our infrastructure were NOT compromised, and no data was infiltrated.” continues the statement. “Subsequently, we began auditing the MyBB source code and we believe we have identified the PHP exploit.”
BreachForums signed the following message just a short time ago. breachforums[.]st.
— Dark Web Informer – Cyber Threat Intelligence (@DarkWebInformer) April 28, 2025
Thoughts?
—–BEGIN PGP SIGNED MESSAGE—– Hash: SHA512 Hello everyone, We would like to provide an update on recent events over the past two weeks. In or around April 15, we received… pic.twitter.com/NUZvc2Ekj0
The administrators confirmed no arrests and that their infrastructure is intact. They warned users that emerging clones are untrustworthy, likely honeypots set up to lure users. They urged caution, advising users to verify trusted sources and avoid engaging with fake sites.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data leak forum)
