Law Enforcement Seizure of BreachForums Used for Salesforce Extortion
U.S. and French law enforcement agencies, including the FBI and France’s BL2C cybercrime unit, have seized the primary domains of BreachForums, a notorious hacking forum operated by the ShinyHunters group. The forum, previously known for facilitating cybercriminal activity, had recently shifted its focus from a traditional discussion platform to a dedicated leak and extortion portal. This portal was being used to publish and threaten the release of data stolen from Salesforce and its corporate customers as part of an ongoing extortion campaign. High-profile companies such as Qantas, Disney, McDonald’s, and UPS were among the reported victims of this campaign, which relied heavily on social engineering tactics to compromise Salesforce accounts. The seizure notice, now displayed on the forum’s clearnet domain, features the logos of U.S. and French authorities, signaling the international cooperation behind the takedown. Despite the seizure of the clearnet site, the group’s onion (dark web) domain remains operational, continuing to threaten the release of stolen data. ShinyHunters, under the new moniker Scattered Lapsus$ Hunters, confirmed the loss of their infrastructure in a PGP-signed statement, acknowledging that all their domains and backend servers had been taken by law enforcement. They also admitted that database archives and escrow data dating back to 2023 are now under FBI control, effectively compromising years of criminal records and transactions. The group stated that no core administrators had been arrested, but they would not attempt to relaunch BreachForums, warning that such forums are now likely to be law enforcement honeypots. The seizure was timed to prevent the public release of sensitive Salesforce customer data, which the group had threatened to leak at a specified deadline. Law enforcement’s action represents a significant disruption to the infrastructure supporting ransomware and extortion operations targeting major corporations. The operation also highlights the ongoing evolution of cybercriminal tactics, as forums transition from discussion boards to direct extortion platforms. Despite the takedown, the threat actors insist that their Salesforce campaign remains unaffected, and their dark web leak site continues to list affected companies. The incident underscores the persistent threat posed by groups like ShinyHunters and the challenges faced by law enforcement in fully dismantling their operations. The seizure of BreachForums is the latest in a series of law enforcement actions targeting cybercrime forums, following previous takedowns such as RaidForums. The event demonstrates the importance of international collaboration in combating cyber-enabled extortion and data theft. Organizations affected by the Salesforce campaign are advised to monitor for potential data leaks and strengthen their security posture against social engineering attacks. The broader cybersecurity community is watching closely to see if the disruption of BreachForums will have a lasting impact on the underground economy or simply drive activity further underground.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Hackers claim Salesforce data leak plans will continue after seizure
After the forum seizure, threat actors said they still intended to leak the allegedly stolen Salesforce data despite the takedown. This indicated the law enforcement action had not ended the extortion campaign.
Authorities link seized BreachForums portal to Salesforce extortion activity
Reporting said the seized BreachForums portal had been used to promote or facilitate extortion tied to stolen Salesforce-related data, including activity associated with Scattered Spider. The takedown occurred as a threatened data-release deadline was approaching.
BreachForums is seized again by law enforcement
Law enforcement agencies, including the FBI and French authorities, seized BreachForums infrastructure and replaced the site with a takedown banner. Multiple reports on October 10, 2025 described the action as another disruption of the cybercrime forum.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
BreachForums seized, but hackers say they will still leak Salesforce data
bitdefender.com
Open sourceCops nuke BreachForums (again) amid cybercrime supergroup extortion blitz
go.theregister.com
Open sourceFBI takedown banner appears on BreachForums site as Scattered Spider promotes leak
therecord.media
Open sourceFBI takes down BreachForums site used to extort Salesforce customers
scworld.com
Open sourceFBI seizes BreachForums servers as threatened Salesforce data release deadline approaches
csoonline.com
Open sourceFBI takes down BreachForums portal used for Salesforce extortion
bleepingcomputer.com
Open sourceBreachForums Seized (Yes, Again)
socradar.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Law Enforcement Disrupts BreachForums and Targets Its Administrators
BreachForums, a cybercrime forum widely used to trade and leak stolen data, faced repeated disruption after administrators said they would shut it down over fears of law-enforcement infiltration. The closure concerns emerged after pressure on the forum's operators, underscoring growing operational risk for one of the most prominent marketplaces tied to breached databases and criminal data sales. Authorities later escalated that pressure by seizing BreachForums infrastructure in an FBI-led action, and subsequent reporting said French police arrested five alleged administrators linked to the site. The combined actions marked a sustained international crackdown on the forum's operators and supporting infrastructure, disrupting a major venue used by threat actors to advertise, sell, and publish compromised information.
May 25, 2026
ShinyHunters Leaks 300,000 BreachForums User Records After Exiting Forum
ShinyHunters said it has abandoned **BreachForums** and released an updated database affecting more than **300,000 users** of the cybercrime marketplace. Reports say the leak goes beyond basic credentials and includes full account profile and activity data, including usernames, email addresses, hashed passwords, salts, IP addresses, login metadata, and forum activity timestamps. The group said maintaining the forum ecosystem became a "waste of time" after the FBI seizure of BreachForums and claimed that all currently active BreachForums domains are fake. ShinyHunters also threatened to publish fuller backups — including private messages, posts, and additional user data — unless the remaining forums shut down, while asserting it holds exploits for all **MyBB 1.8** versions; the identity of the operators behind current BreachForums instances remains unclear, with speculation ranging from opportunistic criminals to possible law enforcement honeypots.
Apr 30, 2026
BreachForums Data Breach and Dark Web Data Leaks
A major data breach has exposed the entire user database of BreachForums, a prominent English-language hacking forum on the dark web. The breach was announced on the shinyhunte[.]rs platform, which published a message and made the leaked database available for download and analysis. BreachForums, which had previously replaced RaidForums after its seizure, has been a central hub for cybercriminal activity, including the distribution of stolen data and hacking tools. The forum has faced multiple shutdowns and seizures, but continued to operate under new management and through various hosting providers and domains. In addition to the BreachForums breach, recent activity on dark web forums has included the sale and sharing of data from a South Korean university and a Saudi Arabian employment platform. These incidents highlight the ongoing risks posed by data leaks and breaches on dark web marketplaces, where sensitive information is traded and discussed. Security researchers have made related indicators of compromise (IOCs) and analysis available to subscribers, emphasizing the need for vigilance among organizations whose data may be exposed in such forums.
Mar 21, 2026