The rise of Breach Forums
Breach Forums was an English-speaking illicit forum that was on track to become the replacement for Raid Forums. Established on March 16, 2022 by the threat actor “Pompompurin”, it became the go-to hacking forum for threat actors attempting to buy and sell compromised datasets. From March 2022 to November 2022, our analysts observed that the site’s membership expanded from 1,500 members to over 192,000.
Connection to Raid Forums
On February 25, 2022, the US Department of Justice (DOJ) seized Raid Forums as part of a US federal interagency and international cooperative law enforcement effort to take down the site. The DOJ released a public statement detailing the seizure on April 12, 2022. The DOJ also replaced the Raid Forums landing page with a seizure notice and unsealed an indictment against the former owner, founder, and head admin of the site.
Following the Raid Forums seizure, threat actors actively sought alternatives to Raid Forums on the site’s official Telegram channel, “RaidForums.” They recommended other cybercrime venues including Russian-language venues. Following the invasion of Ukraine on February 24, a Raid Forums administrator announced that the site would ban all users found to be connecting from Russia.
Due to the large amount of anti-Russian sentiment from the Raid Forums user base, Breach Forums became a more appealing alternative for Raid’s displaced users. Breach Forums was nearly identical to Raid Forums in appearance and layout. Breach Forums offered incentives for former Raid Forums users to migrate to the platform, including the ability to retain on Breach Forums the paid rank they had previously held on Raid Forums.
Arrest of Pompompurin
Breach Forums remained vastly popular until the unexpected arrest of Pompompurin, the forum’s creator. Revealed to be Conor Brian Fitzpatrick, Pompompurin was arrested on March 15, 2023.
Pompompurin pleads guilty
According to the plea agreement filed July 13, Pompompurin has pleaded guilty to hacking and child pornography possession charges.
He faces up to a 40-year prison sentence, a fine of $750,000, and a supervised release term ranging from 5 years to life attached to the child pornography possession charges, reported Bleeping Computer.
Court documents released July 13 detail the three charges:
- Conspiracy to Commit Access Device Fraud
- Access Device Fraud – Unauthorized Solicitation
- Possession of Child Pornography
Following the arrest, Breach administrators decided to close the forum.
Breach Forums announces shutdown
On March 21, 2023, in a Telegram message within the “Breach Forums” channel, the administrator “baphomet” announced that they would be closing the forum. Following pompompurin’s arrest, the admin initially claimed they had access to the infrastructure and would keep the forum online. However, their most recent message indicates that it may not be worthwhile to keep the forum online:
Hello everyone. Please consider this the final update for Breached. I will be taking down the forum, as I believe we can assume that nothing is safe anymore. I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is. I want to make it clear, that while this initial announcement is not positive, it's not the end. I'm going to set up another Telegram group for those who want to see what follows. You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all. As stated in the attached message please give me 24 hours to get some rest and give thought to how we move on from here. I will be back online after that, and we will talk. I am going nowhere.
The cybercrime underground has continually demonstrated resilience. Short-term disruptions result in an alternative quickly replacing the disrupted venue.
However, given the takedown of Raid Forums and arrest of its administrator, and seeing history almost repeat itself with pompompurin’s arrest, it is unclear what threat actor would be willing to take on that risk.
baphomet’s message indicates that the forum will likely relaunch in another format. This has not yet occurred. Threat actors will continue to have an appetite for breached databases. However, this could require an alternative venue or a new forum entirely.
What is next for Breach Forums?
The Telegram channels tied to Breach Forums were closed and locked one month after its closure. Baphomet created a new Telegram channel discussing alternative forums and plans. That channel closed after just a few days. Even though several new forums aim to fill the vacuum created by Breach Forums’ shutdown, there is no official replacement.
“None of the new forums are related to us, and I do not provide any information on our users for them to confirm your previous identity within our community. Feel free to join these forums, just please be cautious as always.” - baphomet
Overall, there has been no clear alternative or replacement that has been developed or agreed upon by relevant threat actors and former administrators. The following illicit forums, markets, and threat actor groups have attempted to replace Breach Forums:
PwnedForum was recently launched on March 29, 2023 and is an identically formatted clone of Breach Forums. It quickly started to gain users and share compromised data. However, it was quickly shut down on April 4, 2023, following a disagreement between the site’s creator and forum administrators. Since its closing, one of the former administrators has claimed to be working on a new forum separate from PwnedForum.
KKKSecForum was created as a new alternative to Breach Forums by a user claiming to be linked with the global hacktivist collective “Anonymous.” While the name “kkk” is Brazilian slang for “lol” (“laugh out loud”), the name may lead to challenges in recruiting English-speaking users for the forum due to its potential name association with the Ku Klux Klan, a US far-right extremist hate group.
“Ares” is a threat group with links to other known groups, such as “Adrastea” and “RansomHouse,” that is attempting to fill the data leak void left by Breach Forums. The threat actor group offers various hacking services such as malware development and penetration testing. In addition, it appears that the group began promoting Telegram subscriptions to its leaked data in early February.
The group has advertised affiliations with other recognizable threat actors and hacking groups to build a reputation and a larger community. Ares appears to be growing in popularity, but its subscription and premium model may hinder new users seeking leaked data.
Exploit and XSS
In addition to the new forums being created, threat actors have also been urged to join existing popular Russian-language forums Exploit and XSS, which served as competitors to Breach Forums. However, the language and culture provide a significant barrier to many users. Flashpoint has not observed any significant increases in activity or users on XSS or Exploit since Breach Forums’ closure.
These two platforms already harbor well-known communities with interests and threat actors that differ from those of Breach Forums. Exploit and XSS have historically featured discussions and sales of malware and ransomware, while Breach Forums attracted users with free or low-cost leaked data and hacking services.
Cracked, Nulled, and Sinister
Other existing and popular English-language hacking forums, Cracked, Nulled, and Sinister, also have not experienced a significant migration of users, despite the fact that pompompurin maintained accounts and was active on both Cracked and Nulled. This lack of adoption is likely because those forums do not offer many leaked databases.