Yesterday, out of the blue, the infamous and notorious cybercrime marketplace BreachForums went inactive. The site has been a hub for high-profile data leaks, including a recent wave of hacks involving threat actors aligned with Algeria and Morocco, which we reported just last week.
Background
BreachForums operated both on the clear web and as a Tor hidden service. With open registration, it attracted a wide range of cybercriminals, mostly low to high profile level threat actors. In 2024 alone, it was the source of numerous major leaks, including:
- Classified NSA contractor data
- Personal information of Israeli military personnel
- NATO-related data
- Customer data from various private companies
- Oracle breach
Despite being taken down multiple times by law enforcement, the platform had a reputation for re-emerging shortly after each takedown.
DDoS Attack or Law Enforcement Seizure?
There was immediate speculation about what caused the takedown. Some claimed it was a DDoS attack. The DarkStorm group, which carried out a DDoS attack on Twitter last month, took responsibility for this one as well. However, there is no way to verify their claim.
Others suggested the site may have been seized by law enforcement. Normally, in such cases, agencies like the FBI or Europol place an official seizure banner on the site and release public statements. So far, there have been no press releases or confirmations from the DOJ or any European agency, which raises questions.
There’s also a rumour that a notorious threat actor named IntelBroker—also an admin on the marketplace—has been arrested. IntelBroker is linked to high-profile breaches involving Tesla, Apple, AMD, Home Depot, General Electric, PandaBuy, the U.S. Citizenship and Immigration Services (USCIS), and Facebook Marketplace.
Shortly after BreachForums went offline, a few new domains appeared—breachforums.cc and breachforums.im—claiming to be the new version of the site. However, both are confirmed scams, asking users for $250 in Monero (XMR) just to gain access.
Alleged FBI Honeypot
According to a leaked document shared on a closed Russian cybercrime forum, BreachForums may have been under covert FBI control since mid-March 2025.
The document claims:
- Full backend access was obtained via classified NSA/CYBERCOM directives
- Admin-level credentials were used to manage the site secretly
- The site was relaunched under FBI oversight as a honeypot for intelligence gathering
- Though unconfirmed, this leak is gaining traction and seems plausible given the current silence from official sources.
Conclusion
While we still don’t know exactly what happened, one thing is clear: the notorious BreachForums marketplace is no longer active on the clear web or dark web.
Some speculate that law enforcement is being careful this time. BreachForums had previously embarrassed law enforcement agencies like the FBI by mocking them for failed takeover. This time, officials might be working quietly to fully take over or dismantle the platform without tipping off remaining threat actors.
Alternatively, the admins may have seen the heat coming and decided to shut everything down voluntarily.
Either way, it’s good news—for now, one of the internet’s most dangerous marketplaces is gone.
Follow us on X and Linkedin for the latest cybersecurity news
