FBI Seizes BreachForums Domain Hours Before Scattered Spider Data Leak Deadline
BreachForums, a website long associated with the publication of stolen data, has once again gone offline. This time, its domain displays an official seizure banner featuring the logos of the U.S. Federal Bureau of Investigation (FBI), the Department of Justice, and France’s cyber police and prosecutor’s office. The shutdown occurred just hours after the hacker collective Scattered Spider announced its intention to release data allegedly stolen from Salesforce. The group later confirmed that the domain’s seizure signified the loss of its server infrastructure — though, notably, no arrests have yet been made.
Despite the takedown, the forum’s administrators stated via Telegram that the Tor version of the site remains operational, and the scheduled Friday data dump proceeded as planned. Meanwhile, members of Scattered Spider continue to extort Salesforce’s clients — claiming there are 39 affected organizations, including Google, which has confirmed a breach. The remaining companies on the list are still verifying the hackers’ claims. According to the group, the stolen dataset contains nearly one billion records.
Salesforce has notified its partners that it will not engage in ransom negotiations. In a letter to clients, the company attributed the breach to a vulnerability in Salesloft, a third-party service used by many of its customers. Indeed, in September, Salesloft admitted to a security incident that compromised user data tied to customer management operations. Salesforce representatives maintain that the extortion is linked either to that breach or to other unverified past events.
Earlier, the FBI had warned of a cyber campaign targeting Salesforce clients that began in October of last year, in which attackers infiltrated corporate networks by impersonating IT support staff and placing social-engineering calls to help desks. The current wave of activity appears to unite several English-speaking hacker groups, including Scattered Spider, ShinyHunters, and Lapsus$, now operating collectively under the moniker Scattered Lapsus$ Hunters.
This latest intervention marks the fourth time U.S. authorities have dismantled BreachForums. The first takedown occurred in 2023, when alleged administrator Conor Brian Fitzpatrick was arrested. He was initially sentenced to just 17 days in custody, and his term was later extended to three years following an appeal. At the time, the platform had more than 340,000 registered users and served as a hub for distributing the personal data of millions of U.S. citizens.
Subsequent attempts to revive the forum were repeatedly thwarted by the FBI. In June of this year, French authorities arrested several individuals suspected of maintaining the new version of BreachForums, while one of the community’s prominent figures — known by the alias IntelBroker — had already been detained earlier.