Law Enforcement Disrupts BreachForums and Targets Its Administrators
BreachForums, a cybercrime forum widely used to trade and leak stolen data, faced repeated disruption after administrators said they would shut it down over fears of law-enforcement infiltration. The closure concerns emerged after pressure on the forum's operators, underscoring growing operational risk for one of the most prominent marketplaces tied to breached databases and criminal data sales.
Authorities later escalated that pressure by seizing BreachForums infrastructure in an FBI-led action, and subsequent reporting said French police arrested five alleged administrators linked to the site. The combined actions marked a sustained international crackdown on the forum's operators and supporting infrastructure, disrupting a major venue used by threat actors to advertise, sell, and publish compromised information.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
French police reportedly arrest five BreachForums administrators
French police reportedly detained five people described as BreachForums administrators. The arrests represented a further law enforcement action targeting the forum's operators after the earlier seizure.
Authorities seize BreachForums infrastructure
Law enforcement seized BreachForums and replaced the site with a seizure banner, identifying the FBI and international partners as involved. The action disrupted a major cybercrime forum used to trade and leak stolen data.
BreachForums administrators announce forum shutdown
Following the founder's arrest, BreachForums administrators said they would shut down the forum, citing fear of law enforcement infiltration. The decision marked the apparent end of the site in its original form.
BreachForums founder arrested in New York
U.S. authorities arrested BreachForums founder Conor Brian Fitzpatrick, known online as 'Pompompurin,' in New York. The arrest triggered uncertainty about the forum's future and concerns among members about law enforcement access.
Sources
5 references tracked. Mallory keeps watching after this page renders.
French Police Reportedly Bust 5 BreachForums Administrators
govinfosecurity.com
Open sourceFBI seize BreachForums hacking forum used to leak stolen data
web.archive.org
Open sourceFBI seizes BreachForums after arresting its owner Pompompurin in March
bleepingcomputer.com
Open sourceBreachForums to be shut down after all for fear of law enforcement infiltration
web.archive.org
Open sourceBreachForums to be shut down after all for fear of law enforcement infiltration
malwarebytes.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Law Enforcement Seizure of BreachForums Used for Salesforce Extortion
U.S. and French law enforcement agencies, including the FBI and France’s BL2C cybercrime unit, have seized the primary domains of BreachForums, a notorious hacking forum operated by the ShinyHunters group. The forum, previously known for facilitating cybercriminal activity, had recently shifted its focus from a traditional discussion platform to a dedicated leak and extortion portal. This portal was being used to publish and threaten the release of data stolen from Salesforce and its corporate customers as part of an ongoing extortion campaign. High-profile companies such as Qantas, Disney, McDonald’s, and UPS were among the reported victims of this campaign, which relied heavily on social engineering tactics to compromise Salesforce accounts. The seizure notice, now displayed on the forum’s clearnet domain, features the logos of U.S. and French authorities, signaling the international cooperation behind the takedown. Despite the seizure of the clearnet site, the group’s onion (dark web) domain remains operational, continuing to threaten the release of stolen data. ShinyHunters, under the new moniker Scattered Lapsus$ Hunters, confirmed the loss of their infrastructure in a PGP-signed statement, acknowledging that all their domains and backend servers had been taken by law enforcement. They also admitted that database archives and escrow data dating back to 2023 are now under FBI control, effectively compromising years of criminal records and transactions. The group stated that no core administrators had been arrested, but they would not attempt to relaunch BreachForums, warning that such forums are now likely to be law enforcement honeypots. The seizure was timed to prevent the public release of sensitive Salesforce customer data, which the group had threatened to leak at a specified deadline. Law enforcement’s action represents a significant disruption to the infrastructure supporting ransomware and extortion operations targeting major corporations. The operation also highlights the ongoing evolution of cybercriminal tactics, as forums transition from discussion boards to direct extortion platforms. Despite the takedown, the threat actors insist that their Salesforce campaign remains unaffected, and their dark web leak site continues to list affected companies. The incident underscores the persistent threat posed by groups like ShinyHunters and the challenges faced by law enforcement in fully dismantling their operations. The seizure of BreachForums is the latest in a series of law enforcement actions targeting cybercrime forums, following previous takedowns such as RaidForums. The event demonstrates the importance of international collaboration in combating cyber-enabled extortion and data theft. Organizations affected by the Salesforce campaign are advised to monitor for potential data leaks and strengthen their security posture against social engineering attacks. The broader cybersecurity community is watching closely to see if the disruption of BreachForums will have a lasting impact on the underground economy or simply drive activity further underground.
Mar 21, 2026
Operation Leak Takedown of LeakBase Cybercriminal Forum
The **FBI**, working with European and other international law enforcement partners, seized and dismantled the **LeakBase** cybercriminal forum and marketplace in a coordinated action dubbed **“Operation Leak.”** LeakBase, active since 2021 and run as a subscription-based service, was used to buy, sell, and share stolen databases and sensitive data including **compromised credentials**, **PII**, payment data, and other access-enabling information; authorities warned that the forum facilitated activity that could enable access to U.S.-based networks, including potentially **critical infrastructure**. Authorities redirected LeakBase domains (including `leakbase[.]ws` and `leakbase[.]la`) to an FBI seizure banner and moved DNS to bureau-controlled infrastructure (e.g., `ns1.fbi.seized.gov`, `ns2.fbi.seized.gov`). The takedown was executed under U.S. and German court orders, and officials stated they secured and preserved the forum’s content for evidentiary purposes, including user accounts, posts, private messages, and **IP logs**. The operation reportedly included **100 law enforcement actions** against **45 targets** across more than a dozen countries, disruption of hosting infrastructure spanning locations such as the Netherlands and Malaysia, and outcomes including **13 arrests**, **32 searches**, and interviews with **33 suspects**; the investigation was led by the FBI’s Salt Lake City field office, and the FBI solicited tips via `FBI-SU-Leakbase@fbi.gov`.
Apr 13, 2026
BreachForums Data Breach and Dark Web Data Leaks
A major data breach has exposed the entire user database of BreachForums, a prominent English-language hacking forum on the dark web. The breach was announced on the shinyhunte[.]rs platform, which published a message and made the leaked database available for download and analysis. BreachForums, which had previously replaced RaidForums after its seizure, has been a central hub for cybercriminal activity, including the distribution of stolen data and hacking tools. The forum has faced multiple shutdowns and seizures, but continued to operate under new management and through various hosting providers and domains. In addition to the BreachForums breach, recent activity on dark web forums has included the sale and sharing of data from a South Korean university and a Saudi Arabian employment platform. These incidents highlight the ongoing risks posed by data leaks and breaches on dark web marketplaces, where sensitive information is traded and discussed. Security researchers have made related indicators of compromise (IOCs) and analysis available to subscribers, emphasizing the need for vigilance among organizations whose data may be exposed in such forums.
Mar 21, 2026