FBI Shuts Down BreachForums in Salesforce Extortion Case

Summary

– The FBI seized the BreachForums domain used by ShinyHunters as a data leak extortion site for Salesforce attacks, with U.S. and French law enforcement collaborating on the takedown.
– ShinyHunters confirmed that law enforcement gained control of all BreachForums database backups since 2023 and the backend servers during the seizure.
– The threat actors stated their dark web site remains accessible and will proceed with leaking Salesforce data for companies that don’t pay ransom by 11:59 PM EST.
– Affected companies in the Salesforce campaign include major brands like FedEx, Disney, Google, and Marriott, with over one billion customer records reportedly stolen.
– ShinyHunters announced no core team members were arrested but declared they won’t relaunch BreachForums, warning such forums should now be viewed as honeypots.

Federal authorities have successfully dismantled a significant cybercrime operation by seizing the BreachForums domain, a platform exploited by the ShinyHunters collective to extort businesses affected by widespread Salesforce data theft. This enforcement action, a joint effort between U.S. and French agencies, targeted the clearnet site breachforums.hn, which had been repurposed as a data leak portal for the Scattered Lapsus$ Hunters group. The site now displays an official seizure notice, and its domain name servers have been redirected to infrastructure controlled by the FBI.

Earlier this year, the domain was utilized to resurrect the notorious hacking forum before being taken offline following the arrest of several alleged administrators. In October, the site transformed into a dedicated platform for the Salesforce extortion campaign. While the standard web version of the site was taken down this week, its counterpart on the Tor network initially went offline but was quickly restored. The threat actors maintain that their dark web site remains operational and that they will proceed with leaking stolen data from companies that refuse to pay a ransom, with a deadline set for tonight at 11:59 PM EST.

In a significant development, the ShinyHunters group confirmed that law enforcement did not just shut down the site but also gained control over archived databases. These backups, dating back to 2023 and encompassing all data from the forum’s various reboots, are now in the possession of the FBI. In a verified Telegram message, the cybercriminals declared that “the era of forums is over,” suggesting that such platforms should now be considered law enforcement traps. They stated that while no core team members were arrested, they have no plans to launch another iteration of BreachForums.

The group emphasized that the seizure does not impact their ongoing Salesforce extortion campaign. Their dark web leak site displays an extensive list of major corporations allegedly impacted by the data theft, including FedEx, Disney, Home Depot, Marriott, Google, and Cisco. The hackers claim to have exfiltrated over one billion records containing sensitive customer information. This campaign is being conducted by the Scattered Lapsus$ Hunters, an alliance that claims ties to the ShinyHunters, Scattered Spider, and Lapsus$ extortion groups.

This takedown follows a pattern of law enforcement action against the forum. After the original RaidForums was dismantled, the same core team was behind multiple reboots of BreachForums, often using other individuals as public-facing administrators. The most recent classic version of the forum was announced in July 2025, just days after French authorities arrested four administrators from previous versions. Concurrently, U.S. officials unsealed charges against a high-profile member of the BreachForums ecosystem. By mid-August, the forum went offline again, with ShinyHunters issuing a warning that the infrastructure had been seized and that no further revivals would occur.

(Source: Bleeping Computer)
