Breachforums: Deception or Disappointment?
Introduction
Since the beginning of the year, authorities have conducted numerous large-scale operations against cybercrime. Whether Operation Cronos against the Lockbit cybercriminal group or, more recently, Operation Endgame targeting botnet vendors and operators, these events have made headlines.
However, some operations, despite their significant scale, have not received as much media coverage. Actions such as the seizure of Breachforums' servers and the arrest of its administrator, carried out by police forces from several countries, including the FBI, have had a substantial impact on the fight against cybercrime.
Established in 2022, Breachforums quickly became essential for cybercriminals following the shutdown of Raidforums. The similarities between the two, both in structure and in the types of information exchanged, are notable. Hosting everything from the buying and selling of leaked data and malicious code to broader discussions on cybersecurity and even pornography, these forums create a sort of cyber lawless zone governed by anonymous administrators.
Speaking of administrators, their arrests and the attempts to dismantle these platforms cannot be overlooked. The first in the series was the arrest of Conor Brian Fitzpatrick, aka “Pompurin,” the initial administrator and creator of Breachforums. This event temporarily halted the forum until “Baphomet” and “ShinyHunters” took over its management.
On May 15, 2024, another site seizure occurred. According to available information, “Baphomet” was also arrested by the FBI. Despite the FBI’s messages sent from his Telegram account, there has been no official confirmation of this arrest to date. Despite the seizure of numerous servers, Breachforums resurfaced a few weeks later, now administered by “ShinyHunters.”
Unlike the other administrators, “Shinyhunters” is not an unknown pseudonym in the world of cybercrime. In fact, a group bearing the same name has existed since 2020, and three French individuals have been arrested for their involvement in this malicious actor’s activities. However, it is important to note that apart from the name and claims, no official information confirms the hypothesis that this group is behind the forum’s resurrection.
A Revival Too Quick?
Following the intervention and seizure of the servers, many discussions emerged about the successor to Breachforums.
Its disappearance was short-lived: only a few weeks later, the forum resurfaced. On several other forums and Telegram channels, the legitimacy of the revived forum is highly questioned. Here is an example of communication from the Lapsus$ cybercriminals, known for their ransomware and extortion activities against numerous companies:
They are not the only ones to point out this rapid resurrection. Some are questioning the potential collaborations between the FBI and former or current administrators. As seen on this forum:
Furthermore, according to the trial transcripts of “Pompurin,” Conor Brian Fitzpatrick signed a cooperation agreement with the U.S. authorities. As part of the investigations and prosecutions against Breachforums users and administrators, he committed to collaborating with the American justice system. At the time of Mr. Fitzpatrick’s arrest, his access to the site had not been revoked, allowing the authorities to gain privileged access to the forum.
Objection, your Honor: An explanation from Shinyhunters on the forum’s revival
Following all these questions, a statement was issued by the current administrator of the forum:
This post, titled “How We Trolled the FBI,” should be approached with caution. In this publication, the author and current forum administrator explains that following the FBI operation, no details regarding the arrest of “Baphomet” were given, but the forum’s databases were indeed seized.
The rest of the message potentially sheds more light on the forum’s rapid revival. The author explains that shortly after the domain name was seized, they initiated a discussion with the company where the domain names had been registered: NiceNic. According to the post, “Shinyhunters” had no trouble reclaiming the domain name. To support this claim, the administrator posted a screenshot of an email purportedly sent by the FBI to NiceNic, questioning them about the domain name recovery. No verification is provided regarding the authenticity of this email screenshot.
Another issue related to this operation, according to “Shinyhunters,” concerns the seized items. The FBI allegedly did not limit itself to seizing the servers containing Breachforums' data but instead seized the entire data center. This operation supposedly forced the shutdown of many legitimate services while having little impact on the forum, which was reopened a few days later.
Gatewatcher Analysis
Despite all the information gathered during this investigation, no consistent body of evidence allows us to reach a definitive conclusion. However, two hypotheses are easily identifiable:
- The FBI is behind the forum: The FBI might be conducting an influence operation to legitimize the forum anew. Although the forum’s activity has been little discussed, Breachforums continues to see traffic and the sale of stolen data persists. If this hypothesis proves true, it would enable U.S. federal services to conduct significant information gathering through sensors positioned close to the cybercrime world. This could lead to future arrests and enhance international cooperation in the fight against cybercrime.
- Shinyhunters' recovery effort: Shinyhunters managed to convince NiceNic to recover the domain name, allowing Breachforums to be revived from old backups that were not seized during the law enforcement intervention. The FBI has not communicated about this seizure, which might not be as significant as it first appeared, for fear of tarnishing its image with the public. Indeed, by seizing servers hosting legitimate sites, it may have impacted the operations of certain companies, causing significant disruptions and financial losses. Despite the potential arrest of one of the administrators, this action might have left a bitter taste for the FBI due to its minimal impact on the forum and the greater impact on legitimate services.
In conclusion, no one outside the FBI can confirm or deny the elements provided in “Shinyhunters'” post. This operation is a textbook case of influence warfare. In recent years, cybercriminals have learned to master the art of communication to mitigate or justify their actions. Until an official statement from a certified authority is released, skepticism towards this information should be maintained. It is necessary to understand that institutions also have an interest in conducting influence warfare, which greatly complicates information gathering. Therefore, cross-referencing sources is essential. It is likely that more about this operation will be revealed in the coming months or even years.
Update from 06/10/2024:
Since this morning, Breachforums is no longer accessible. This is not unusual for such forums, which regularly experience interruptions. However, a consistent body of evidence, including the deletion of the forum’s discussion channel, the banning of Shinyhunters’ Telegram account, and private exchanges, suggests there will be no further version of Breachforums. The site’s closure might be related to pressure from authorities.
To date, no statements have been issued by U.S. institutions or Shinyhunters.
Authors: Gatewatcher Purple Team and 0xSeeker