Full Report
As predicted a few days ago, BreachForums was seized. The splash page is now up. It does not have any cute avatars with characters in handcuffs and no text about all the entities that cooperated. It simply says, “This Domain Has Been Seized,” and shows four shields: Department of Justice, FBI, BL2C, and JUNALCO. The latter...
Analysis Summary
# Incident Report: Seizure of BreachForums Platform
## Executive Summary
The cybercrime forum BreachForums was seized by international law enforcement agencies, including the US DOJ, FBI, and French agencies (BL2C and JUNALCO). The seizure occurred in the middle of an active extortion attempt by the threat group ScatteredLAPSUS$Hunters, which was demanding a ransom from Salesforce to prevent the leak of data belonging to 39 customer organizations. While the clearnet and official onion domains were seized, the dedicated leak site hosting the Salesforce data remained operational; the law enforcement action against the forum itself was nonetheless successful.
## Incident Details
- Discovery Date: October 8-9, 2025 (Domain seizure noted on Oct 9)
- Incident Date: Prior to October 9, 2025 (Active extortion attempt ongoing)
- Affected Organization: BreachForums (Platform Seizure); 39 Salesforce Customers (Targeted for data leak)
- Sector: Cybercrime Infrastructure / Data Extortion Ecosystem
- Geography: International Operations (Involving US and French agencies)
## Timeline of Events
### Initial Access
- Date/Time: Undisclosed (Relates to the underlying compromise leading to the extortion attempt)
- Vector: Not specified in the context of the *platform seizure*, but relates to previous data compromises affecting Salesforce customers.
- Details: ScatteredLAPSUS$Hunters was preparing to leak data from 39 Salesforce customers if an undisclosed ransom was not paid by October 10, 2025, 11:59 PM Eastern.
### Lateral Movement
- Not applicable to the forum seizure event itself. (Movement occurred within victim networks prior to this report.)
### Data Exfiltration/Impact
- Data Exfiltration: Threat actors intended to leak data belonging to 39 companies, including Qantas, Air France & KLM, Disney/Hulu, UPS, FedEx, Home Depot, and Toyota Motors, via the leak site.
- Impact: Immediate takedown of the BreachForums clearnet and official onion domains. Publication of the stolen data via the dedicated leak site was still possible at the time of reporting.
### Detection & Response
- Detection: DataBreaches.Net observed changes in domain registration, specifically name servers shifting to `ns1.fbi.seized.gov` and `ns2.fbi.seized.gov`.
- Response Actions: Coordinated seizure action by the Department of Justice, FBI, and French agencies (BL2C, JUNALCO) against the primary domain and backup domains.
## Attack Methodology
*Note: This section describes the methodology of the law enforcement response and of the threat actor's platform, not a specific network intrusion.*
- Initial Access (Law Enforcement): Domain seizure by taking control of the domains' registration and Domain Name System (DNS) name servers.
- Persistence (Threat Actor): Threat actors had established backup domains, suggesting preparation for domain seizures.
- Privilege Escalation: Not applicable.
- Defense Evasion (Law Enforcement): Seizure impacted both the clearnet and the primary `.onion` domain routes.
- Credential Access: Not applicable.
- Discovery: Law enforcement tracked domain registration changes, noting name server switches to Cloudflare, then 101domains.com, and finally to FBI servers.
- Lateral Movement: Not applicable.
- Collection: Not applicable.
- Exfiltration: Data was staged on a separate, still-operational onion leak site linked to the breach forum activity.
- Impact: Platform shutdown and high uncertainty within the threat actor community (Telegram channel locked).
## Impact Assessment
- Financial: Not quantified; relates to potential ransom payments that may now be averted for the 39 customers.
- Data Breach: Data belonging to **39 Salesforce customers**, including major global entities (airlines, retail, logistics, entertainment), was compromised and threatened with public release.
- Operational: Temporary disruption to the criminal forum infrastructure. The associated victim data leak site remained functional.
- Reputational: High negative impact on the reputation of the forum operator(s) ("Shiny" and associates).
## Indicators of Compromise
- **Network Indicators:**
  - Domain name servers changed to: `ns1.fbi.seized.gov`, `ns2.fbi.seized.gov`.
- **File Indicators:** None specified (Data related solely to platform control).
- **Behavioral Indicators:**
  - Rapid changes in domain name servers (Cloudflare -> 101domains.com -> FBI servers).
  - Telegram channel locked by administrators following the seizure.
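The behavioral indicator above (rapid name-server churn ending at seizure servers) can be checked mechanically from periodic NS-record snapshots of a watched domain. The following is an added example, not code from the original report or from DataBreaches.Net; the snapshots are constructed, the Cloudflare and 101domains hostnames are placeholders, and only the `fbi.seized.gov` name servers come from the report.

```python
# Added example (not from the original report): flag name-server churn and
# law-enforcement seizure indicators in periodic NS-record snapshots of a
# watched domain. All snapshots below are constructed; only the
# fbi.seized.gov name servers come from the report.
from datetime import datetime, timedelta

# Name-server suffix the report identifies with a domain seizure.
SEIZURE_NS_SUFFIXES = ("fbi.seized.gov",)

# Constructed snapshots: (observed at, NS hostnames). The Cloudflare and
# 101domains hostnames are placeholders, not the actual records observed.
SNAPSHOTS = [
    (datetime(2025, 10, 6, 9), ("ns1.cloudflare-placeholder.example", "ns2.cloudflare-placeholder.example")),
    (datetime(2025, 10, 7, 9), ("ns2.cloudflare-placeholder.example", "ns1.cloudflare-placeholder.example")),
    (datetime(2025, 10, 8, 9), ("ns1.101domains-placeholder.example", "ns2.101domains-placeholder.example")),
    (datetime(2025, 10, 9, 9), ("ns1.fbi.seized.gov.", "NS2.fbi.seized.gov")),
]


def normalize(servers):
    """Lower-case, strip trailing dots and sort, so record order and case do not count as a change."""
    return tuple(sorted(s.lower().rstrip(".") for s in servers))


def analyze_ns_history(snapshots, churn_window=timedelta(days=3), churn_threshold=2):
    """Return the NS transitions, whether the latest NS set is a seizure server, when the
    seizure first appeared, and whether churn_threshold or more changes fell inside any
    churn_window-long period."""
    transitions, prev = [], None
    for seen_at, servers in sorted(snapshots, key=lambda s: s[0]):
        current = normalize(servers)
        if prev is not None and current != prev:
            transitions.append({"at": seen_at, "from": prev, "to": current})
        prev = current
    seized_now = prev is not None and any(s.endswith(SEIZURE_NS_SUFFIXES) for s in prev)
    seized_at = next((t["at"] for t in transitions
                      if any(s.endswith(SEIZURE_NS_SUFFIXES) for s in t["to"])), None)
    # Sliding window over the ordered transitions: several registrar/NS moves in a
    # short period is the churn pattern the report describes.
    rapid = any(
        sum(1 for u in transitions[i:] if u["at"] <= t["at"] + churn_window) >= churn_threshold
        for i, t in enumerate(transitions)
    )
    return {"transitions": transitions, "seizure_detected": seized_now,
            "seized_at": seized_at, "rapid_churn": rapid}


if __name__ == "__main__":
    result = analyze_ns_history(SNAPSHOTS)
    for t in result["transitions"]:
        print(f"{t['at']:%Y-%m-%d}: {t['from']} -> {t['to']}")
    print("seizure detected:", result["seizure_detected"], "rapid churn:", result["rapid_churn"])
```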
## Response Actions
- **Containment measures:** Seizure of the primary BreachForums domain and its associated backup domains (which had previously been pointed at 101domains.com).
- **Eradication steps:** Removal of the forum’s active control surface.
- **Recovery actions:** Law enforcement teams (DOJ, FBI, JUNALCO) took control of the domain infrastructure. The status of the Salesforce data leak remains unresolved because the dedicated leak site was still active.
## Lessons Learned
- Law enforcement coordination across jurisdictions (US and France) remains effective in dismantling large criminal infrastructure.
- Threat actors frequently use multiple backup domains, necessitating proactive tracking of domain registration changes by monitoring entities.
- Even if a main forum is seized, associated dedicated leak sites may remain online, requiring targeted follow-up action.
## Recommendations
- Salesforce and the 39 affected customers must immediately review their incident handling procedures concerning the data threatened for release.
- Digital infrastructure monitoring services should continue to track the separate leak site that remained active post-forum seizure.
- Enhanced security measures should be implemented across cloud and service providers (such as Salesforce) to limit unauthorized access and reduce the volume of data available for extortion.