FBI takes down BreachForums portal used for Salesforce extortion

Last night, the FBI seized all domains for the BreachForums hacking forum, which the ShinyHunters group operated mostly as a portal for leaking corporate data stolen in attacks by ransomware and extortion gangs.
Law enforcement authorities in the U.S. and France worked together to take control of BreachForums' web infrastructure before the Scattered Lapsus$ Hunters hackers could fulfill their threat of leaking data from Salesforce breaches at companies that did not pay a ransom.
Backups since 2023 under FBI control
The cybercriminals confirmed the takeover of BreachForums via a message on Telegram signed with ShinyHunters' PGP key. They said the seizure was inevitable and added that “the era of forums is over.”
BleepingComputer can confirm that BreachForums is now controlled by law enforcement authorities, as the latest domain update occurred on October 9 and the nameservers have been changed to those the FBI uses for seizures.
From the analysis conducted after law enforcement’s action, ShinyHunters concluded that all BreachForums database backups since 2023 have been compromised along with all escrow databases since the latest reboot.
The gang also said that the backend servers have been seized. However, the gang’s data leak site on the dark web is still online.
The ShinyHunters team said that no one in the core admin team has been arrested, but they will not launch another BreachForums, noting that such sites should be seen as honeypots from now on.
According to the threat actor’s message, after the RaidForums takedown, the same core team planned multiple forum reboots, using admins like pompompurin as fronts.

Source: BleepingComputer
The cybercriminals also underlined that the seizure does not impact their Salesforce campaign and that the data leak is still scheduled for today at 11:59 PM EST.
The gang’s data leak site on the dark web shows a long list of companies affected by the Salesforce campaign, among them FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, TransUnion, HBO MAX, UPS, Chanel, and IKEA.
According to the hackers, they stole more than one billion records with information about customers.
It should be clarified that the BreachForums variant that authorities seized yesterday was different from the previous version of the platform with the same name, in that it was not a cybercrime forum but functioned as a data extortion site for high-profile campaigns like the Salesforce breaches.

The most recent relaunch of BreachForums in its classic form was announced by ShinyHunters in July 2025, a few days after law enforcement authorities in France arrested four administrators of previous reboots, including the individuals with the usernames ShinyHunters, Hollow, Noct, and Depressed.
At the same time, U.S. authorities announced charges against Kai West, a.k.a. ‘IntelBroker,’ a high-profile member of the BreachForums cybercrime ecosystem.
In mid-August, BreachForums went offline, and ShinyHunters published a PGP-signed message stating that the forum’s infrastructure had been seized by France’s BL2C unit and the FBI, warning that there would be no other reboot.