bleepingcomputer.com By Bill Toulas
October 10, 2025
The FBI has seized last night all domains for the BreachForums hacking forum operated by the ShinyHunters group mostly as a portal for leaking corporate data stolen in attacks from ransomware and extortion gangs.
The FBI seized a BreachForums domain used by the ShinyHunters group as a data leak extortion site for the widespread Salesforce attacks, with the threat actor stating that law enforcement also stole database backups for the notorious hacking forum.
The domain, Breachforums.hn, was previously used to relaunch the hacking forum this summer, but the site was soon taken offline again after some of its alleged operators were arresteds.
In October, the domain was converted into a Salesforce data leak site by Scattered Lapsus$ Hunters, a gang claiming to consist of members linked to the Shiny Hunters, Scattered Spider, and Lapsus$ extortion groups, to extort companies impacted by the Salesforce data theft attacks.
On Tuesday, both the clearnet breachforums.hn data leak site and its Tor counterpart went offline. While the Tor site was quickly restored, the breachforums domain remained inaccessible, with its domains switched to Cloudflare nameservers previously used for domains seized by the U.S. government.
Last night, the FBI completed the action, adding a seizure banner to the site and switching the domain's name servers to ns1.fbi.seized.gov and ns2.fbi.seized.gov.
According to the seizure message, law enforcement authorities in the U.S. and France collaborated to take control of the BreachForums web infrastructure before the Scattered Lapsus$ Hunters hacker began leaking data from Salesforce breaches.
However, with the Tor dark web site still accessible, the threat actors claim they will begin leaking Salesforce data tonight at 11:59 PM EST for companies that do not pay a ransom.
Backups since 2023 under FBI control
In addition to taking down the data leak site, ShinyHunters confirmed that law enforcement gained access to archived databases for previous incarnations of the BreachForums hacking forum.
In a Telegram message confirmed by BleepingComputer to be signed with ShinyHunters' PGP key, the threat actor said the seizure was inevitable and added that "the era of forums is over."
From the analysis conducted after law enforcement's action, ShinyHunters concluded that all BreachForums database backups since 2023 have been compromised, along with all escrow databases since the latest reboot.
The gang also said that the backend servers have been seized. However, the gang's data leak site on the dark web is still online.
The ShinyHunters team stated that no one in the core admin team has been arrested, but they will not launch another BreachForums, noting that such sites should be viewed as honeypots from now on.
According to the threat actor's message, after RaidForum's takedown, the same core team planned multiple forum reboots, using admins like pompompurin as fronts.
The cybercriminals emphasized that the seizure does not affect their Salesforce campaign, and the data leak is still scheduled for today at 11:59 PM EST.
The gang's data leak site on the dark web shows a long list of companies affected by the Salesforce campaing, among them FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA.
According to the hackers, they stole more than one billion records containing customer information.
The most recent relaunch of the BreachForums in its classic form was announced by ShinyHunters in July 2025, a few days after law enforcement authorities in France arrested four administrators of previous reboots, including the individuals with the usernames ShinyHunters, Hollow, Noct, and Depressed.
At the same time, U.S. authorities announced charges against Kai West, a.k.a. 'IntelBroker,' a high-profile member of the BreachForums cybercrime ecosystem.
In mid-August, BreachForums went offline, and ShinyHunters published a PGP-signed message stating that the forum's infrastructure had been seized by France's BL2C unit and the FBI, warning that there would be no further reboots.
Update 10/10/25: Updated story with more details.
Law enforcement authorities from six countries took down the Archetyp Market, an infamous darknet drug marketplace that has been operating since May 2020.
Archetyp Market sellers provided the market's customers with access to high volumes of drugs, including cocaine, amphetamines, heroin, cannabis, MDMA, and synthetic opioids like fentanyl through more than 3,200 registered vendors and over 17,000 listings.
Over its five years of activity, the marketplace amassed over 612,000 users with a total transaction volume of over €250 million (approximately $289 million) in Monero cryptocurrency transactions.
As part of this joint action codenamed 'Operation Deep Sentinel' (led by German police and supported by Europol and Eurojust), investigators in the Netherlands took down the marketplace's infrastructure, while a 30-year-old German national suspected of being Archetyp Market's administrator was apprehended in Barcelona, Spain.
One Archetyp Market moderator and six of the marketplace's highest vendors were also arrested in Germany and Sweden.
In total, law enforcement officers seized 47 smartphones, 45 computers, narcotics, and assets worth €7.8 million from all suspects during Operation Deep Sentinel.
Telegram reveals that the communications platform has fulfilled 900 U.S. government requests, sharing the phone number or IP address information of 2,253 users with law enforcement.
Officials from EU anti-fraud office were allegedly followed, wiretapped and had their laptops hacked by Hungary’s intelligence agency.
Italian probe reveals “gigantic and alarming market of confidential data,” prosecutors say.
This blog post is a response to an investigative news report about a large-scale law-enforcement attack that managed to de-anonymize a user of an old version of the long-retired app Ricochet. This blog post aims to provide insight into what we know so far. Nothing that the Tor Project has learned about this incident suggests that Tor Browser was attacked or exploited. Tor users can continue to use Tor Browser to access the web securely and anonymously.
Ransomware actors have had a rough start this year, as stats from cybersecurity firm Coveware show that the trend of victims declining to pay the cybercriminals continues and has now reached a new record low of 28%.
2023 was a big year for cybersecurity, with significant cyberattacks, data breaches, new threat groups emerging, and, of course, zero-day vulnerabilities.
The FBI says it has released a decryption tool allowing hundreds of ALPHV/BlackCat victims to restore their scrambled files.
Apple says it will now require a judge-approved order before handing over its users' push notification records to government agencies.
‘Facing reality? Law enforcement and the challenge of deepfakes’ is the first report produced through the Observatory function of the Europol Innovation Lab. The Europol Innovation Lab’s Observatory function monitors technological developments that are relevant for law enforcement and reports on the risks, threats and opportunities of these emerging technologies. The report provides a detailed overview of the criminal use...
The Russia-linked ransomware gang demanded $20 million in ransom — and the overthrow of Costa Rica's elected government. Where does that leave smaller, equally vulnerable nation states?
