
FBI Dismantles BreachForums as Dark Web Extortionists Threaten Salesforce Data Dump

The FBI has seized the notorious BreachForums.hn domain—an underground marketplace turned extortion hub used by the ShinyHunters and Scattered Lapsus$ Hunters groups to publish stolen data from this year’s widespread Salesforce breaches.


The coordinated takedown, carried out with assistance from French authorities, marks one of the most significant blows yet to the cybercriminal ecosystem that once fueled data trading and ransomware operations across industries from tech to finance.


According to the FBI’s seizure notice, U.S. and French agencies moved to take control of BreachForums’ web infrastructure just before the Scattered Lapsus$ Hunters gang began releasing exfiltrated Salesforce data. The seizure banner now displayed on the former site confirms that its DNS records were rerouted to FBI-controlled nameservers—standard procedure for a completed domain takeover.


But the fight is far from over.


Dark Web Resilience and Threats of Retaliation


Even as the public-facing domain was seized, the gang’s Tor site—an encrypted dark web portal—remains active. In messages signed with ShinyHunters’ verified PGP key, the group claimed that law enforcement obtained complete database archives from every BreachForums iteration since 2023, including escrow and backend systems.


“The era of forums is over,” ShinyHunters wrote, conceding that the operation’s infrastructure had been compromised but insisting the Salesforce campaign remains “unaffected.” The gang claims it will still release stolen data at 11:59 PM EST, threatening to publish information allegedly tied to more than a billion customer records across companies such as Disney, Home Depot, FedEx, Google, and Marriott.


Security experts say this resilience illustrates a broader evolution in how cybercriminal groups operate under pressure.


Law Enforcement Tightens the Net


For the FBI, the operation represents a rare instance of striking both a live extortion platform and its historical infrastructure in one coordinated move. Authorities not only disrupted an active ransom campaign but also gained access to years of operational data that could reveal the identities and relationships among major actors in the cybercrime economy.


The forum’s seizure follows a summer of escalating law enforcement action. In July, French police arrested several administrators of BreachForums’ previous reboots, including aliases Hollow and Noct, while the U.S. Department of Justice unsealed charges against Kai West, a.k.a. “IntelBroker,” for his role in selling stolen data on earlier incarnations of the site.


Each takedown has been met with quick rebounds—new domains, new branding, and new alliances. This latest version, operated under ShinyHunters’ direction, had pivoted from traditional credential trading to large-scale extortion, leveraging the Salesforce campaign to pressure global corporations into payment.


Expert Insight: A Turning Point in the Forum Era


“The FBI's recent takedown of BreachForums, the extortion platform ShinyHunters leveraged to target 39 Salesforce breach victims, represents a major blow to the cybercriminal world,” said Noelle Murata, Senior Security Engineer at Xcape, Inc. “By working with French authorities to seize the site's infrastructure, law enforcement not only halted an active extortion scheme but also secured historical data… which could provide crucial intelligence on threat actors and their associates.”


Murata cautioned that organizations affected by the Salesforce breach must remain vigilant despite the takedown: “The group acknowledged the seizure, warned that their dark web leak site remains active, and the Salesforce data exposure is still planned. This includes strengthening monitoring efforts and having response plans in place.”


She added that while law enforcement’s success is significant, the tug-of-war continues: “The increased effectiveness of law enforcement in this situation is matched by the threat actors’ ability to adapt and find new platforms, highlighting the ever-changing interplay between attack, defense, and the role of law enforcement.”


The Future of BreachForums and the Cyber Underground


Since the demise of RaidForums in 2022, BreachForums had filled the power vacuum as the go-to marketplace for stolen data and access credentials. But with ShinyHunters declaring the forum model “dead” and warning that such platforms will now be “honeypots,” analysts believe cybercriminals may move toward encrypted one-to-one channels or decentralized marketplaces to evade infiltration.


If accurate, this could signal the end of the centralized “forum era” that dominated cybercrime for nearly two decades—replaced by fluid, invitation-only networks that are far harder for law enforcement to monitor.


For now, the FBI’s takedown stands as both a tactical victory and a symbolic warning: even in the opaque corners of the dark web, the walls are closing in.
