bleepingcomputer.com By Bill Toulas
October 10, 2025
The FBI has seized last night all domains for the BreachForums hacking forum operated by the ShinyHunters group mostly as a portal for leaking corporate data stolen in attacks from ransomware and extortion gangs.
The FBI seized a BreachForums domain used by the ShinyHunters group as a data leak extortion site for the widespread Salesforce attacks, with the threat actor stating that law enforcement also stole database backups for the notorious hacking forum.
The domain, Breachforums.hn, was previously used to relaunch the hacking forum this summer, but the site was soon taken offline again after some of its alleged operators were arresteds.
In October, the domain was converted into a Salesforce data leak site by Scattered Lapsus$ Hunters, a gang claiming to consist of members linked to the Shiny Hunters, Scattered Spider, and Lapsus$ extortion groups, to extort companies impacted by the Salesforce data theft attacks.
On Tuesday, both the clearnet breachforums.hn data leak site and its Tor counterpart went offline. While the Tor site was quickly restored, the breachforums domain remained inaccessible, with its domains switched to Cloudflare nameservers previously used for domains seized by the U.S. government.
Last night, the FBI completed the action, adding a seizure banner to the site and switching the domain's name servers to ns1.fbi.seized.gov and ns2.fbi.seized.gov.
According to the seizure message, law enforcement authorities in the U.S. and France collaborated to take control of the BreachForums web infrastructure before the Scattered Lapsus$ Hunters hacker began leaking data from Salesforce breaches.
However, with the Tor dark web site still accessible, the threat actors claim they will begin leaking Salesforce data tonight at 11:59 PM EST for companies that do not pay a ransom.
Backups since 2023 under FBI control
In addition to taking down the data leak site, ShinyHunters confirmed that law enforcement gained access to archived databases for previous incarnations of the BreachForums hacking forum.
In a Telegram message confirmed by BleepingComputer to be signed with ShinyHunters' PGP key, the threat actor said the seizure was inevitable and added that "the era of forums is over."
From the analysis conducted after law enforcement's action, ShinyHunters concluded that all BreachForums database backups since 2023 have been compromised, along with all escrow databases since the latest reboot.
The gang also said that the backend servers have been seized. However, the gang's data leak site on the dark web is still online.
The ShinyHunters team stated that no one in the core admin team has been arrested, but they will not launch another BreachForums, noting that such sites should be viewed as honeypots from now on.
According to the threat actor's message, after RaidForum's takedown, the same core team planned multiple forum reboots, using admins like pompompurin as fronts.
The cybercriminals emphasized that the seizure does not affect their Salesforce campaign, and the data leak is still scheduled for today at 11:59 PM EST.
The gang's data leak site on the dark web shows a long list of companies affected by the Salesforce campaing, among them FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA.
According to the hackers, they stole more than one billion records containing customer information.
The most recent relaunch of the BreachForums in its classic form was announced by ShinyHunters in July 2025, a few days after law enforcement authorities in France arrested four administrators of previous reboots, including the individuals with the usernames ShinyHunters, Hollow, Noct, and Depressed.
At the same time, U.S. authorities announced charges against Kai West, a.k.a. 'IntelBroker,' a high-profile member of the BreachForums cybercrime ecosystem.
In mid-August, BreachForums went offline, and ShinyHunters published a PGP-signed message stating that the forum's infrastructure had been seized by France's BL2C unit and the FBI, warning that there would be no further reboots.
Update 10/10/25: Updated story with more details.
