Even before the FBI seized domains related to BreachForums, the notorious online bazaar where cybercriminals bought and sold hacked or stolen data, a replacement marketplace was taking shape.
Now, less than a month after that high-profile takedown on June 23 involving a consortium of U.S. and other law enforcement agencies, the new version of BreachForums is active, growing and facilitating illicit trade in the most sensitive information about millions of individuals and hundreds of organizations in the U.S. and around the world.
“It is expected that more cybercriminals, old-timers and new ones, will join the new forum, which is more likely to lead to various high-profile leaks, publications and sales of various databases,” said Oleg Dyorov, head of the cybercrime investigation team within the cybersecurity firm Group-IB’s threat intelligence unit.
The quick return of the new BreachForums is a testament to the resilience of the cybercrime ecosystem, but it also demonstrates the difficulty for law enforcement agencies in preventing this kind of criminal activity. “It appears that arrests and forum takedowns do not deter the majority of the community from continuing their illicit activities,” Dyorov said.
The FBI arrested Conor Fitzpatrick, the alleged administrator of the original BreachForums, in March at his family home in New York, months before seizing the site’s infrastructure. And the efforts to develop a replacement began almost as soon as Fitzpatrick was in custody. A flurry of forums — some new, some old — have jostled for position and attention since Fitzpatrick’s arrest raised questions about the safety and reliability of BreachForums. The competition led to rival operators hacking into competitors’ forums and leaking user databases.
Fitzpatrick’s heir apparent soon appeared to be a persona known as Baphomet, one of the administrators of the previous incarnation of BreachForums, who promised in the days after Fitzpatrick’s arrest to get the site back up and running. But less than two weeks after the arrest, Baphomet posted a message to Telegram saying that it was clear the FBI had access to the site’s database, and that he was shutting it down for good.
That wasn’t actually the case, though. Baphomet, along with ShinyHunters, another well-known cybercrime group, relaunched BreachForums June 12, and researchers say their presence is the main reason the site is likely to maintain top status going forward despite an initial scramble among competing forums.
Alexander Leslie, a threat intelligence analyst with the cybersecurity firm Recorded Future, said the post-BreachForums seizure period was reminiscent of the weeks after the April 2022 U.S. law enforcement takedown of RaidForums, a long-running and popular database and cybercrime forum with as many as 500,000 users at its peak. After that operation, Fitzpatrick, who was active on RaidForums and known by the handle “Pompompurin,” wrote that he was sick of “all the stupid people trying to take the empty spot RaidForums once filled,” and started BreachForums.
“The thing about the new BreachForums that makes it a little more credible than all these other random ones is we don’t really know who the administrators [of the others] are,” Leslie said. “They’re kind of random, likely inexperienced kids who are trying to capitalize on the popularity and try to fill that power vacuum.”
Baphomet, who did not respond to inquiries from CyberScoop, also has one thing going for them in cybercrime circles. And that’s a level of trust among people familiar with the original BreachForums, said one researcher who spoke with CyberScoop on the condition of anonymity for safety reasons.
“They have to be one anonymous enough to not get caught by future law enforcement efforts,” the researcher said. “And then be credible enough and well liked enough and socially connected enough for [people to] take this person seriously. And one attribute takes away from the other. So it’ll be interesting to see what shakes out here. If law enforcement can apply more pressure, we might not see a clear winner.”
Fitzpatrick, for example, was able to quickly establish the original BreachForums because people in those spaces knew who he was, the researcher said. Without that, “no one would ever join his forum, because no one knows him and no one trusts him. And if, if you were to go in there with a totally anonymous alias, and start talking to people, they’re gonna start accusing you of being a fed, because you have no history.”
Leslie from Recorded Future said the new BreachForums launched with many of the old stolen databases that had been there previously, and some users were reposting previously shared high-profile breaches, such as the December 2022 leak from the FBI’s InfraGard program, or the more recent DC Health Link breach in early March, which preceded Fitzpatrick’s arrest by only a few days. But more recently, Leslie said, users on the site have posted newer and more unique data, even as they feel out whether the site is reliable.
“Relative to its competitors, the new BreachForums absolutely not only has higher quality of sources, it has more unique sources,” Leslie said. “And overall the volume is much higher than any of its competitors.”
Leslie added that the takedown didn’t seem to have any impact on the non-English speaking forums, or on traffic in other aspects of the cybercrime ecosystem, such as ransomware affiliate recruiting, initial access brokering and other kinds of activities.
“It seems like they are just generally unfazed,” Leslie said. “There is little active acknowledgement on Russian language sources of the new BreachForums, which tells me that they will just maintain their popularity, they will maintain their user base. These Russian language forums are well established, they’ve been established for a very long time, they have maintained a constant cadence of sales of leaks, in some cases for over a decade. I don’t see that changing.”
Dyorov from Group-IB told CyberScoop that after the downfall of BreachForums, many members just bided their time. “While some small-scale database sellers started shifting to different forums, including LeakBase, the core of the BreachedForums chose to wait for the new full-scale Breached’s successor to appear,” he said. “The new forum has already amassed over 7,700 registered users, including active threat actors previously operating on [RaidForums] and [the previous BreachForums].”