Official Telegram channels operated by BreachForums members confirm law enforcement seizures and arrest. Credit: Shweta Sharma / Foundry

Global law enforcement authorities have seized BreachForums, a notorious hacker forum that threat actors used to sell stolen data, along with related messaging channels in the Telegram app, in a coordinated takeover.

The US Federal Bureau of Investigation (FBI) has seized control of various Telegram and other channels belonging to BreachForums site administrators Baphomet and ShinyHunters. The Telegram channel previously owned by Baphomet, BaphometOfficial, now has a seizure message pinned on it.

The message, posted by Baphomet’s own account, reads: “This Telegram channel is under the control of the FBI. The BreachForums website has been taken down by the FBI and DOJ with assistance from international partners. We are reviewing the site’s backend data. If you have information to report about cyber-criminal activity on BreachForums, please contact us,” followed by details of how to do so.

To root out additional details about the forum and its activities, the FBI is operating a dedicated subdomain, breachforums.ic3.gov, and is receiving queries and responses via Telegram at t.me/fbi_breachforums or by email at breachforums@fbi.gov.

A banner on the seized websites reportedly carried a similar message, although at the time of publishing this article all BreachForums domains were found to be defunct, some with redirects.

The takeover, led by the FBI, was a collaborative effort with authorities of the US, the UK, Australia, New Zealand, Iceland, Switzerland, and Ukraine.

The seizure comes two days after IntelBroker, a prominent hacker on BreachForums, put up for sale some classified data stolen from one of Europol’s websites.

The FBI’s claim that it is reviewing the hacking forum’s backend data is raising speculation that it holds forum members’ email addresses, IP addresses, and private messages.
“While details are sparse at this time, users of the site will likely have significant concerns over their own operational safety, with the FBI likely in possession of material that could be used to provide attribution of members,” said Michael McPherson, a former FBI special agent and now senior vice president of security operations at ReliaQuest.

“Organizations named on BreachForums also may be provided with additional context over material breached on the forum,” he said.

Seized for the second time

This is BreachForums’ second takedown within a year, the first being in June 2023 following the arrest of then admin Conor Brian Fitzpatrick (aka Pompompurin) in March 2023.

After the arrest, the forum went into full ownership of the second admin at the time, Baphomet, who shut it down shortly after on suspicions that it had been compromised by authorities. That same month Baphomet partnered with the hacking group ShinyHunters to reopen BreachForums on a different domain.

“While it is possible that the ShinyHunters group — who have facilitated the restoration of BreachForums after its initial takedown in 2023 — may attempt to restore their services, there will naturally be suspicions over law enforcement compromise; this was a sentiment observed on many cybercriminal sites in the aftermath of LE ops targeting ransomware groups, including Lockbit,” McPherson said.

The law enforcement operation has apparently involved the arrest of Baphomet too. IntelBroker, through a Telegram post, confirmed his arrest and also forwarded a message from ShinyHunters confirming the same.

“Exactly what comes next is unclear, however the operation should be seen as a success, continuing the tempo of law enforcement operations that have surged in recent months,” McPherson said of the takedown.