Full Report
BreachForums was arguably the biggest cybercrime forum until it went offline in April amid rumors of the arrest of one of its most prominent members. The forum’s primary domain has remained offline since then even as sites have popped up claiming to be BreachForums’ replacement. In the latest twist to the on-again, off-again saga of BreachForums, the French newspaper Le Parisien reported today that five French hackers have been arrested as the alleged operators of the forum.

IntelBroker, ShinyHunters Allegedly Arrested

The Parisien report didn’t name the suspects but referred to them by their BreachForums user names. “IntelBroker” – a notorious trafficker of stolen data who once did an exclusive interview with the editors of The Cyber Express – was apparently the first arrested; the Parisien report said the threat actor was arrested in February. The site’s other administrators feared exposure and suspended the site in April, according to the French paper. That report differs significantly from the site’s own claim that it had been compromised via a MyBB zero-day vulnerability and would return (screenshot below; the site is now down entirely).

[Image: BreachForums site message from April 2025]

The site’s other operators – described as four French hackers in their twenties – were arrested on Monday in France by specialist police officers from the Cybercrime Brigade (BL2C) of the Paris police headquarters. Those arrested include "ShinyHunters," "Hollow," "Noct," and "Depressed," the paper said, noting that the four “are accused of harming numerous victims of high-profile data leaks, including Boulanger, SFR, France Travail, and the French Football Federation” (translated). While early in the legal process, the arrests could potentially mark a dramatic end for the once-feared site.
BreachForums' History of Seizures, Shutdowns and Leadership Changes

The first major legal action against the three-year-old BreachForums occurred in 2023 with the FBI’s arrest of alleged forum administrator Conor Brian Fitzpatrick, aka "Pompompurin." The U.S. would ultimately appeal Fitzpatrick’s sentence, claiming it was too lenient. The site was hacked in 2023 and again in 2024, at which point ShinyHunters took over the forum from Baphomet, who had succeeded Fitzpatrick. After ShinyHunters retired not long after, control of the forum eventually turned over to IntelBroker. It’s not clear what the next step will be in the legal process, but the identities behind some of the dark web’s most notorious pseudonyms may soon be known.
Analysis Summary
This article describes a law enforcement action against the operators of the data leak forum BreachForums, rather than a single victim security incident. Therefore, the timeline focuses on the history and eventual takedown of the forum itself, and the impact is related to the illicit activities enabled by the platform.
# Incident Report: Takedown of BreachForums Operators
## Executive Summary
French specialized police arrested four operators of the notorious data leak forum BreachForums in June 2025. These individuals, known by pseudonyms including "ShinyHunters," "Hollow," "Noct," and "Depressed," are accused of facilitating numerous high-profile data leaks targeting organizations such as Boulanger, SFR, France Travail, and the French Football Federation. This action follows previous international seizures and leadership changes associated with the forum, marking a significant step in disrupting its illicit market for stolen data.
## Incident Details
- **Discovery Date:** June 2025 (Date of Arrests)
- **Incident Date:** Ongoing criminal enterprise, arrests occurred June 2025
- **Affected Organization:** BreachForums (The platform/operators themselves were the target of enforcement)
- **Sector:** Cybercrime/Underground Forums
- **Geography:** France (Location of arrests)
## Timeline of Events
### Initial Access (To the Forum Structure - N/A for this report)
- **Date/Time:** N/A
- **Vector:** N/A (This report details law enforcement action, not a cyber attack against a victim)
- **Details:** N/A
### Lateral Movement (Control of the Platform)
- **2023:** Initial major legal action with the FBI arresting administrator "Pompompurin."
- **2023:** The site was hacked, leading to "ShinyHunters" taking over control from "Baphomet."
- **2024:** The site was hacked again.
- **Post-2024:** Control eventually turned over to "IntelBroker" after ShinyHunters retired.
### Data Exfiltration/Impact (Forum's Criminal Activity)
- **Ongoing:** The platform was used to host and trade data stolen from high-profile victims, including Boulanger, SFR, France Travail, and the French Football Federation.
### Detection & Response (Law Enforcement Action)
- **June 2025 (Monday):** Four operators ("ShinyHunters," "Hollow," "Noct," and "Depressed") were arrested in France by officers from the Cybercrime Brigade (BL2C) of the Paris police headquarters.
- **Outcome:** The arrests could mark a "dramatic end" for the site (which was reported as down entirely shortly after or during this time).
## Attack Methodology (Focusing on the Operators' Alleged Activities)
- **Initial Access:** N/A (Not an attack being tracked, but management of a criminal platform)
- **Persistence:** Maintaining the operation and infrastructure of BreachForums across multiple seizures and leadership changes.
- **Privilege Escalation:** N/A
- **Defense Evasion:** Bypassing previous international law enforcement actions, including the 2023 FBI seizure.
- **Credential Access:** N/A (Implying they were selling credentials/data obtained by others)
- **Discovery:** N/A
- **Lateral Movement:** Sharing control between different administrators/operators over the years.
- **Collection:** Hosting and facilitating the distribution of stolen data from numerous victims.
- **Exfiltration:** The core business model involved monetizing or sharing stolen data.
- **Impact:** Enabling secondary attacks and harm against victims whose data was posted on the forum.
## Impact Assessment (On the Cybercrime Ecosystem)
- **Financial:** Potential disruption to the underground market for data leaks facilitated by the forum.
- **Data Breach:** The forum was linked to breaches affecting French entities (Boulanger, SFR, France Travail, FFF).
- **Operational:** Site operators arrested; the site message indicated it was down entirely.
- **Reputational:** Significant damage to the perceived reliability and security of one of the most feared data leak forums.
## Indicators of Compromise
*Note: Indicators are related to the platform's history, not an actionable threat intelligence snapshot.*
- **Network indicators:** Previous hosters/IPs associated with BreachForums infrastructure (Specific IPs are not provided or relevant given the takedown).
- **File indicators:** *Not Applicable*
- **Behavioral indicators:** Consistent pattern of data leak postings and administrator transitions following law enforcement pressure.
## Response Actions
- **Containment measures:** Arrest of the four primary operators in France by the BL2C.
- **Eradication steps:** Seizure/shutdown of the BreachForums infrastructure following the arrests (site reported "down entirely").
- **Recovery actions:** *Not Applicable (This was an offensive law enforcement action).*
## Lessons Learned
- **Key takeaways:** International coordination (implied by the FBI's prior actions and the French enforcement) remains crucial for successfully dismantling persistent transnational cybercriminal platforms.
- **What could have been done better:** The platform proved highly resilient, continuing operations ("Pompompurin" arrested in 2023, two site hacks, and multiple leadership changes) until this multi-national enforcement effort succeeded in arresting the active French operators.
## Recommendations
- **Prevention measures for similar incidents:** Continued focus on identifying and prosecuting the operators behind major illicit online marketplaces and forums, rather than solely focusing on initial breach actors.
- **Legislation:** Continued support for laws enabling severe penalties for operating platforms that facilitate large-scale data theft and extortion (e.g., related to the Dutch espionage law update mentioned in passing in the source material).