Full Report
The FBI last night seized all domains of the BreachForums hacking forum, which the ShinyHunters group operated mostly as a portal for leaking corporate data stolen in attacks by ransomware and extortion gangs. [...]
Analysis Summary
# Incident Report: FBI Seizure of BreachForums Extortion Portal
## Executive Summary
The FBI, in collaboration with French authorities, seized the domain `breachforums.hn`, which the 'Scattered Lapsus$' gang (linked to ShinyHunters and Lapsus$) was using as a data leak and extortion site targeting victims of the recent widespread Salesforce data theft attacks. While the clearweb site was taken down and seized, the threat actors initially restored the corresponding Tor site. They claimed law enforcement had also compromised their archived backups dating back to 2023, but said they would keep to their planned data leak schedule for Salesforce victims.
## Incident Details
- **Discovery Date:** October 2025 (Indicated by FBI seizure operation)
- **Incident Date:** Ongoing Salesforce extortion activity leading up to the seizure, and prior compromise of forum infrastructure.
- **Affected Organization:** The breach victims targeted by the extortion, including high-profile companies like FedEx, Google, Marriott, and others who had data stolen from Salesforce instances.
- **Sector:** Cybercrime Ecosystem/Illicit Forums (Primary target); Numerous enterprise sectors (Secondary victims of extortion).
- **Geography:** Global operation (FBI and French law enforcement coordination).
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to October 2025 (Relates to the initial compromise that allowed the forum software to be used for extortion).
- **Vector:** Not directly applicable to the FBI action, but the *attack vector* being leveraged was prior data theft from Salesforce instances.
- **Details:** The "Scattered Lapsus$" collective converted the `breachforums.hn` domain into a public leak site for data stolen via Salesforce attacks.
### Lateral Movement
- **Date/Time:** Pre-seizure period.
- **Details:** The primary focus of the FBI action was the control plane (the forum site itself), not internal network breaches of victim companies. However, the forum facilitated the sharing and potential internal trade of stolen data.
### Data Exfiltration/Impact
- **Date/Time:** Data theft from Salesforce instances occurred prior to the forum seizure.
- **Details:** Over one billion customer records were allegedly stolen from numerous major companies via compromises related to Salesforce infrastructure. The threat actors were using the seized site to extort these victims.
### Detection & Response
- **Date/Time:** Tuesday/Overnight leading up to October 10, 2025.
- **Details:** U.S. (FBI) and French law enforcement collaborated to seize the `breachforums.hn` domain infrastructure. They switched the nameservers to `_ns1.fbi.seized.gov` and `_ns2.fbi.seized.gov`. Law enforcement acted immediately before the threat actors could start leaking the newly acquired Salesforce data.
## Attack Methodology
- **Initial Access:** N/A (Focus is on law enforcement action against an established cybercrime platform). The underlying activities involved prior data theft from Salesforce environments.
- **Persistence:** The operators previously maintained persistence by relaunching the forum repeatedly (following earlier takedowns such as RaidForums and previous BreachForums incidents). Threat actors claimed that core admin team members were not arrested.
- **Privilege Escalation:** N/A (In the context of the forum infrastructure seizure).
- **Defense Evasion:** The attackers utilized both a clearnet domain (`breachforums.hn`) and a Tor counterpart for operations.
- **Credential Access:** N/A (Related to forum control, though the forum housed stolen credentials from other breaches).
- **Discovery:** N/A (Related to forum control).
- **Lateral Movement:** N/A (Related to forum control, though the forum facilitated access to stolen data).
- **Collection:** Data stolen from Salesforce victims (over one billion records).
- **Exfiltration:** The threat actors intended to publish this data on the leak site if ransoms were not paid by the deadline (11:59 PM EST).
- **Impact:** Extortion against victims of the Salesforce data breaches; compromise of historical forum data.
## Impact Assessment
- **Financial:** Extortion payments demanded from victims of the Salesforce data theft. (Specific costs unknown).
- **Data Breach:** Over one billion records containing customer information stolen from numerous high-profile companies (FedEx, Disney/Hulu, Marriott, Google, Cisco, etc.) via Salesforce attacks.
- **Operational:** Temporary disruption of the data leak site, though the Tor site remained accessible initially.
- **Reputational:** Significant damage to the entities whose customer data was being publicly held for ransom.
## Indicators of Compromise
*(Note: These indicators relate to the law enforcement action against the forum infrastructure, not to the underlying Salesforce breaches.)*
- **Network indicators:** Domain nameservers changed to `_ns1.fbi.seized.gov` and `_ns2.fbi.seized.gov`.
- **File indicators:** Seizure banner displayed on the domain.
- **Behavioral indicators:** The domain `breachforums.hn` became inaccessible from the clearnet.
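A threat-intelligence team that tracks leak-site domains can confirm a seizure like this one from DNS alone: the authoritative nameservers move into a law-enforcement zone. The script below is an added example, not part of the report or of any law-enforcement tooling. It takes NS answers (a constructed sample, only the first entry of which mirrors the `_ns1.fbi.seized.gov` / `_ns2.fbi.seized.gov` pair named above) and flags domains whose nameservers sit under `seized.gov`. The function and sample names are assumptions for the example; the point it demonstrates is label-wise zone matching, so that look-alike names such as `seized.gov.example.invalid` or `notseized.gov` do not produce false positives.

```python
"""Flag domains whose authoritative nameservers fall under a law-enforcement
seizure zone, as seen in the BreachForums takedown.
Added example with constructed sample data; not the report's own data or code."""

from typing import Dict, Iterable, List, Tuple

# Zones under which seizure nameservers are expected. `seized.gov` is the
# parent of the `_ns1.fbi.seized.gov` / `_ns2.fbi.seized.gov` pair the
# report names; it is matched as a DNS zone, never as a raw substring.
SEIZURE_NS_ZONES = ("seized.gov",)


def normalize_host(host: str) -> str:
    """Lower-case, drop the trailing dot resolvers often print, and drop a
    leading underscore on any label so `_ns1.fbi.seized.gov.` compares the
    same as `ns1.fbi.seized.gov`."""
    h = host.strip().lower().rstrip(".")
    labels = [lbl.lstrip("_") for lbl in h.split(".") if lbl]
    return ".".join(labels)


def in_zone(host: str, zone: str) -> bool:
    """True if host equals zone or is a subdomain of it. Comparing whole
    labels from the right avoids the substring bug where
    `seized.gov.lookalike.invalid` or `ns.notseized.gov` would match."""
    h = normalize_host(host).split(".")
    z = normalize_host(zone).split(".")
    return len(h) >= len(z) and h[-len(z):] == z


def seizure_findings(ns_records: Dict[str, Iterable[str]]) -> List[Tuple[str, str]]:
    """Return (domain, nameserver) pairs whose NS record is in a seizure zone.
    Input maps each tracked domain to the NS hostnames a resolver returned."""
    hits: List[Tuple[str, str]] = []
    for domain, servers in ns_records.items():
        for ns in servers:
            if any(in_zone(ns, zone) for zone in SEIZURE_NS_ZONES):
                hits.append((normalize_host(domain), normalize_host(ns)))
    return hits


# Constructed sample of NS answers. Only the first entry reflects the report;
# the `.invalid` names are made up to exercise the non-matching cases.
SAMPLE_NS = {
    "breachforums.hn": ["_ns1.fbi.seized.gov.", "_ns2.fbi.seized.gov."],
    "tracked-leaksite.invalid": ["ns1.hosting-provider.invalid"],
    "lookalike.invalid": ["seized.gov.lookalike.invalid"],  # must NOT match
    "other.invalid": ["ns.notseized.gov"],                   # must NOT match
}

if __name__ == "__main__":
    for domain, ns in seizure_findings(SAMPLE_NS):
        print(f"{domain}: nameserver {ns} is under a seizure zone")
```

In production the `SAMPLE_NS` dictionary would be filled from periodic NS lookups of the domains a team already tracks; a hit is a signal that data expected on that site is now in law-enforcement hands and that the Tor counterpart should be checked separately, since the report notes it stayed reachable at first.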
## Response Actions
- **Containment measures:** Seizure of the DNS records for the clearnet domain (`breachforums.hn`) by U.S. authorities.
- **Eradication steps:** The forum site's infrastructure under that specific domain was placed under the control of the FBI.
- **Recovery actions:** Law enforcement gained access to archived database backups dating back to 2023, including escrow databases, impacting the long-term data integrity for forum users.
## Lessons Learned
- Law enforcement coordination (U.S. and France) is effective in dismantling critical cybercrime infrastructure rapidly.
- Forums like BreachForums, even after multiple takedowns, are continually relaunched, often utilizing key figures from previous iterations.
- Threat actors treat repeated seizures (e.g., RaidForums, prior BreachForums reboots) as inevitable, suggesting they have accepted the risk in exchange for the reward.
- Threat actors publicly stated that all future iterations of such forums should be viewed as "honeypots" following the seizure of their historical data.
## Recommendations
- **Prevention measures for similar incidents:** Organizations must urgently review their access controls and security posture related to third-party cloud services like Salesforce, assuming any data processed there is potentially compromised until verified.
- **Proactive Threat Intelligence:** Monitor known data leak sites (both clearnet and dark web) for organizational data, especially following high-profile supply chain compromises (like the Salesforce incident).
- **Zero Trust Architecture:** Implement strict segmentation and least-privilege across all critical platforms to limit the scope of data exposure following an initial compromise.