The Federal Bureau of Investigation, in coordination with French authorities and law enforcement agencies across 14 countries, has seized the domains of BreachForums — one of the world’s largest online forums for cybercriminals to buy and sell stolen data. The operation, which took place on October 10 and saw seizure banners posted across the forum’s domains by October 13, 2025, represents one of the most significant law enforcement actions against cybercrime infrastructure in recent years.
The Exploit Mechanics
BreachForums operated as an open-web marketplace where over 142,000 members exchanged more than 215,000 messages facilitating the trade of stolen databases, credit card numbers, banking credentials, and personally identifiable information. The forum maintained an enormous and continuously updated archive of hacked databases, including hundreds of millions of account credentials from high-profile attacks targeting major corporations worldwide.
The platform functioned as a successor to RaidForums, which was seized by the DOJ in April 2022. After BreachForums’ initial disruption in 2023, it reconstituted and continued operations, becoming a central hub for groups like ShinyHunters, Baphomet, and IntelBroker. These threat actors used the forum to monetize stolen data from breaches across industries — including cryptocurrency exchanges, DeFi protocols, and wallet providers.
Affected Systems
The seizure directly impacts the cybercrime supply chain that fuels account takeovers against cryptocurrency users. BreachForums served as a primary distribution channel for stolen credentials that attackers would later use in credential-stuffing attacks against exchange accounts, hot wallets, and DeFi platforms. With Bitcoin trading at approximately $115,271 and Ethereum at $4,245 on the day of the seizure, the potential damage from credential-based attacks remained substantial.
Notably, the hacking collective Scattered LAPSUS$ Hunters had been using BreachForums to threaten the release of one billion records allegedly stolen from Salesforce customers. Listed victims included Adidas, Cartier, Chanel, Cisco, FedEx, IKEA, McDonald’s, Toyota, and Walgreens. Salesforce confirmed it would not pay a ransom demand.
The Mitigation Strategy
Law enforcement agents in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom executed synchronized search warrants, arrests, and interviews. The FBI’s Internet Crime Complaint Center (IC3) posted seizure banners on the forum’s domains, redirecting visitors to a portal where victims and former members could submit information to assist in ongoing investigations.
However, security researchers noted that the forum’s Tor-based dark web presence remained active following the domain seizure. A clone site reportedly appeared as early as October 13 at a new domain, underscoring the persistent challenge of permanently dismantling such platforms.
Lessons Learned
The BreachForums takedown reinforces several critical lessons for the cryptocurrency community. First, law enforcement agencies are increasingly capable of coordinating multinational operations against cybercrime infrastructure. Second, the data seized — including IP logs, private messages, and backup databases — will likely fuel additional investigations and arrests in the months ahead.
For crypto users specifically, the breach data circulating on these forums poses a direct threat. Credentials stolen from non-crypto services are routinely tested against exchange accounts in automated attacks. Using unique passwords, hardware two-factor authentication, and monitoring breach notification services remains essential.
User Action Required
Cryptocurrency users should take immediate steps to secure their accounts in the wake of this seizure. Enable hardware-based 2FA on all exchange accounts, rotate passwords that may have been reused across services, and review recent login activity for suspicious access. Users who held accounts on any platform listed in the Salesforce-related breach disclosures should be especially vigilant. The authorities have established a portal at the IC3 website where individuals can report relevant information about BreachForums activity.
Disclaimer: This article is for informational purposes only and does not constitute financial or legal advice. Always conduct your own research before making security decisions.
142K members and 215K messages facilitating stolen data trades. the forum was basically Amazon for cybercrime. good riddance even if its temporary
Multi-sig wallets should be the default for everyone in crypto
Social engineering attacks are becoming more sophisticated
Scattered Spider using BreachForums to monetize MFA bypass creds is the real story here. the forum wasnt just data trading, it was an operations hub
The industry needs standardized security audit frameworks
142K members and nobody thought to move to a dark web forum sooner? centralized clearnet markets for stolen data always end the same way
they seized RaidForums in 2022 and BreachForums replaced it within weeks. seizing domains doesnt fix the demand side
pwn_diary_ exactly. RaidForums got seized and BreachForums replaced it. now BreachForums is seized and something else will pop up. whack-a-mole doesnt work