
BreachForums Seized by Law Enforcement, Administrator Baphomet Arrested

Global law enforcement agencies, in a coordinated takeover, have seized BreachForums, a notorious hacking forum where threat actors sold stolen data, along with its associated messaging channels on the Telegram app.

The US Federal Bureau of Investigation (FBI) has taken control of various Telegram and other channels owned by BreachForums site administrators Baphomet and ShinyHunters. A confiscation message is now pinned on the Telegram channel BaphometOfficial, which previously belonged to Baphomet.

The message posted from Baphomet’s own account reads: “This Telegram channel is under the control of the FBI. The BreachForums website was removed by the FBI and DOJ with the assistance of international partners. We check the website backend data. If you would like to report information about cybercriminal activity on BreachForums, please contact us,” followed by details on how to do so.

To gather additional details about the forum and its activities, the FBI operates a special subdomain, breakforums.ic3.gov, and accepts inquiries and responses via Telegram at t.me/fbi_breachforums or by email at [email protected].

A banner on the seized websites reportedly carried a similar message, although at the time of publishing this article the BreachForums domains no longer existed, with some returning redirects.

The FBI-led takeover was a joint effort with authorities in the United States, Britain, Australia, New Zealand, Iceland, Switzerland and Ukraine.

The seizure comes two days after IntelBroker, a well-known hacker on BreachForums, put up for sale some secret data stolen from one of Europol’s websites.

The FBI’s claim that it is reviewing the hacking forum’s back-end data raises speculation that the FBI is in possession of forum members’ email addresses, IP addresses and private messages.


“Although details are limited at this time, users of the site are likely to have significant concerns about their own operational security as the FBI is likely in possession of material that could be used to attribute members,” said Michael McPherson, a former FBI Special Agent and now Senior Vice President of Security Operations at ReliaQuest. “Organizations named on BreachForums may also receive additional context on material violated on the forum,” he said.

Confiscated for the second time

This is BreachForums’ second shutdown in a year, the first occurring in June 2023 following the arrest of then-administrator Conor Brian Fitzpatrick (aka Pompompurin) in March 2023.

Following the arrest, the forum became fully owned by the then second administrator, Baphomet, who shut it down shortly thereafter on suspicion that it had been compromised by the authorities. That same month, Baphomet partnered with hacker group ShinyHunters to reopen BreachForums on a different domain.

“While it is possible that the ShinyHunters group – which enabled BreachForums to be restored after the initial shutdown in 2023 – is attempting to restore its services, there will of course be suspicions about law enforcement compromise; this was a sentiment observed on many cybercriminal websites following the LE operations targeting ransomware groups, including Lockbit,” McPherson said.

The law enforcement operation apparently also included the arrest of Baphomet. IntelBroker confirmed his arrest via Telegram and also forwarded a message from ShinyHunters confirming this.

“What exactly comes next is unclear, but the operation should be considered a success and continues the pace of law enforcement activity that has increased sharply in recent months,” McPherson said of the takedown.