
The rise and fall of the BreachForums cybercrime network
In the cybersecurity world, the success of cybercriminal activities often depends on the transfer of tools, resources, and services among different threat actors. Nowadays, cybercrime-as-a-service (CaaS) solutions facilitate the procurement of such tools, giving attackers the ability to easily execute their illegal pursuits.
One venue for this trade is the cybercrime forum BreachForums (sometimes termed Breached). It is a prominent online platform known for being a marketplace for stolen databases, tools, and access credentials, and for serving as a site for conversations around hacking techniques, data breaches, and more. Let’s take a look at its origin and some of the ways it has impacted the threat landscape.
BreachForums history
BreachForums (a.k.a. Breached 1.0) initially made its debut in March 2022 shortly after its predecessor RaidForums was seized by the FBI for similar illegal activities found to be taking place on the platform. The forum’s founder, 20-year-old Conor Brian Fitzpatrick, operated under the screen name “Pompompurin.” Because RaidForums left a gap in the cybercrime ecosystem after its closure, the need for a site that could allow individuals to share and exchange stolen information was clear, and BreachForums capitalized on the demand.
BreachForums had a brief period of slow growth in its initial phase, but it quickly gained traction after a few months when an influx of existing members from previous forums began joining the community, marking the start of a diverse user base consisting of different cybercriminals and data traders. Its user-friendly design and straightforward layout also made it easy for members to navigate and interact, which was another contributing factor behind its rapid adoption.
[Image: an example of BreachForums’ homepage. Source: Webz.io]
Throughout 2022, Pompompurin consistently published information related to nearly 14 billion people worldwide, including 23 terabytes of Shanghai National Police data and 60,000 records from the D.C. Health Link, to name a few.
Exactly a year later, Breached 1.0 was confiscated by the FBI, and Fitzpatrick was arrested. However, a second version of the platform was reopened by the threat actor ShinyHunters and one of BreachForums’ previous administrators, "Baphomet." The new domain lasted a little over a year and was once again shut down in May 2024.

[Image. Source: Tripwire.com]
How did the elimination of BreachForums affect the cybercrime ecosystem?
The seizure of BreachForums impacted the cybercrime ecosystem in a variety of ways:
A shift in threat actors’ tactics: Cybercriminal communication and data transfer were no longer as centralized, meaning adversaries may have moved to smaller, more discreet platforms that have limited visibility. Diminished visibility into such activities makes it harder for authorities to monitor and dismantle CaaS operations.
A disruption of information trade networks: Because BreachForums became a prominent hub for data exchange and hacking resources, its eradication interrupted cybercriminals’ malicious endeavors and made it more difficult for them to operate with limited tools.
Increased collaboration among law enforcement agencies: The seizure of the platform demonstrated the success of global law enforcement collaboration in combating cybercrime. Similar partnerships can help international law enforcement address cybercriminal activity quicker and more effectively in the future.
The size of BreachForums compared to other crime forums
BreachForums became a distinguished cybercrime forum within a short timeframe and had nearly 225,000 members at its peak after users made the shift from RaidForums. Other types of forums such as Dark0de and The Hub that emerged in the early 2010s were also large distribution sites for illegal information, but they had smaller user bases than BreachForums. BreachForums also allowed for a wider variety of active discussions about illicit activity, while Dark0de and The Hub had more niche focuses for the services they offered.
Why does a platform’s size matter to the threat landscape and threat actors?
The considerable scale of platforms like BreachForums heightens the risks presented by cybercriminals and impacts the threat landscape in a few ways:
The ability to set trends and influence the market: Bigger sites such as BreachForums can promote the use of different types of attacks that may be more lucrative at certain points in time. The wider cybercrime community is ultimately at an advantage because word often spreads rapidly about different trends as they emerge, and threat actors can quickly adopt, familiarize themselves with, and use these new tactics when executing attacks.
Ease of user entry: The sizeable nature of the platform, along with its high degree of user anonymity, provided low- to mid-level cybercrime actors the perfect opportunity to join and get information about whatever types of data they were seeking at any given point in time. BreachForums’ large user base lowered the barrier of entry for new and inexperienced cybercriminals and made the process of locating the tools and resources they needed easier.
The impact on law enforcement: Major cybercriminal sites make monitoring more challenging for law enforcement due to the large degree of anonymity these sites offer. This can make investigations and searches complicated and allows threat actors an avenue to continue their operations with a lower risk of being caught.
Cybercrime-as-a-service platforms like BreachForums are changing the threat landscape and making attacks easier to carry out. That’s why it’s crucial for organizations to invest in advanced cybersecurity solutions that will help them protect their networks, applications, and data and stay one step ahead of cybercriminals.
