FBI Seizes BreachForums Domain as ShinyHunters Warn “The Era of Forums Is Over”
- Cyber Jill
The FBI has seized the BreachForums domain once again, marking the third federal takedown of one of the internet’s most infamous criminal marketplaces. The move dismantles a major public hub used by the ShinyHunters collective—along with affiliates from Scattered Spider and Lapsus$—to extort companies hit by the ongoing Salesforce data breach campaign.
A Familiar Target in a New Form
Until this week, the domain Breachforums.hn functioned as a data leak and extortion portal operated by a group calling itself “Scattered Lapsus$ Hunters.” The gang claimed responsibility for a wave of intrusions targeting Salesforce environments across dozens of high-profile companies—from FedEx, Disney, and Marriott to Google, Cisco, and Cartier—boasting of over one billion stolen customer records.
On Tuesday, both the clearnet site and its Tor-based counterpart suddenly went offline. While the dark web version briefly resurfaced, the clearnet domain never returned. Its DNS entries were soon redirected to Cloudflare nameservers historically linked to U.S. government seizures, and by nightfall, an FBI seizure banner appeared, confirming coordinated action between American and French law enforcement agencies.
Law Enforcement’s Deep Cut: Database Backups Seized
According to statements posted to the hackers’ Telegram channel—verified via ShinyHunters’ PGP key—the FBI not only seized the front-end domain but also gained access to archived database backups of BreachForums’ previous incarnations, dating back to 2023. That includes escrow and user data from earlier reboots, potentially revealing IP logs, private messages, and transaction records from one of the most active cybercriminal forums of the past half-decade.
ShinyHunters admitted defeat, declaring that “the era of forums is over,” and confirming no core admin had been arrested. The group added that future public-facing criminal forums should be “considered honeypots,” a striking acknowledgment that centralized cybercrime infrastructure is now too risky to sustain.
Salesforce Data Leaks Still Loom
Despite the seizure, Scattered Lapsus$ Hunters say their campaign is far from over. The dark web leak site remains online, and the group claims it will begin dumping Salesforce data at 11:59 p.m. EST if ransoms are not paid.
AppOmni, a SaaS security firm analyzing the Salesforce breaches since midyear, says the attacks highlight a troubling shift in how threat actors exploit legitimate SaaS ecosystems for maximum leverage.
“It’s a positive step that the FBI, along with international partners, has taken down BreachForums for the third time,” said Cory Michal, Chief Security Officer at AppOmni. “These coordinated actions are important for disrupting criminal infrastructure and sending a message that law enforcement collaboration works.
“But the real value here isn’t just the seizure—it’s the data. Access to historical user records gives investigators a goldmine for mapping relationships, correlating aliases, and building stronger cases against repeat offenders. That visibility could change the trajectory of cybercrime investigations for years.”
The Cybercrime Ecosystem Keeps Evolving
Yet, experts caution that disruption is not elimination. Gunter Ollmann, CTO of Cobalt, notes that takedowns create short-term chaos but rarely dismantle the broader cybercrime economy.
“Groups like Scattered Lapsus$ Hunters rarely disappear—they regroup, rebrand, and reemerge,” Ollmann said. “Cybercrime is now a global ecosystem with crime-as-a-service models. You can buy anything—phishing kits, malware design, stolen credentials—like a supply chain. Taking down one provider causes turbulence, but replacements appear within days.
“True progress requires large-scale intelligence sharing between governments, enterprises, and vendors. Attackers already collaborate across ecosystems. Defenders still don’t.”
Ollmann warns that while law enforcement has improved its global coordination, the private sector still struggles with a culture of secrecy around threat intelligence, creating blind spots that adversaries continue to exploit.
From Forums to Fragmented Cells
ShinyHunters’ declaration that “forums are over” underscores a structural shift: the decline of centralized platforms in favor of distributed, encrypted, and mobile-first operations. Instead of maintaining a visible forum, these groups now operate primarily through Telegram, dark web mirrors, and temporary leak portals designed to vanish and reappear with little trace.
“It’s a telling moment when even the criminals admit the model no longer works,” said AppOmni’s Michal. “Every seizure makes these communities more fragile. Maintaining a massive, public-facing infrastructure under constant surveillance is unsustainable.”
Extortion by Spectacle
While the FBI’s action dealt a visible blow, experts say the Salesforce campaign illustrates a more sophisticated evolution in data extortion—one that blends spectacle, psychology, and executive targeting.
“These attacks thrive on public pressure,” said Dr. Chris Pierson, CEO of BlackCloak. “Executives and board members become leverage points for ransom demands. Once corporate systems are compromised, attackers pivot to personal accounts, home networks, even family members to amplify coercion. Protecting leadership beyond the enterprise perimeter is now essential.”
The Next Phase: Fragmentation and Fear
As law enforcement takes aim at the infrastructure of organized cybercrime, attackers are shifting to smaller, faster, and more fluid models of operation—pop-up leak sites, encrypted chat channels, and decentralized extortion syndicates that thrive on volatility.
The FBI’s seizure of BreachForums may mark the end of an era for centralized hacker bazaars—but as ShinyHunters warned, the game is far from over. Instead of vanishing, cybercriminals are learning to disappear in plain sight.