BreachForums 3.0 reboot rumors already brewing on socials

With the apparent FBI takedown of the infamous hacker marketplace BreachForums, and the alleged arrest of its current administrator ‘Baphomet,’ rumors of a replacement site are already making their way across social media.

The rebranded version of the hacker marketplace will be coined “Breach Nation,” according to username USDoD, a cyber outlaw well-known on the formerly thriving Breached platform.

USDoD made the announcement on his X account barely 24 hours after the FBI splashed a seizure notice across the home page of the BreachForums website address on May 15th.

"Breach Nation - A new born community on Horizon," he kicks off, followed by a short poem:

"Ladies & gentlemen, prepare for landing, Fasten your seat belts, thank you for flying USDoD Airlines, Oh and me, call me the captain, DoD, So, together we stand, divided we fall, United we formBreach Nation and take on all. [sic]," he wrote.

Since the FBI capture, the self-proclaimed “perpetual threat actor” claims they have been “working tirelessly for the past 24 hours” on the new “community project” involving the management of two independently operated servers.

“The new domains will be and, with a planned launch date of July 4th, 2024, coinciding with Independence Day,” USDoD said in a lengthy post explaining the why behind the new site.

“It’s been hours since the seizure of BreachForums and there are already new marketplaces on the horizon,” said Kevin Robertson, COO and co-founder of Glasgow-based cybersecurity firm Acumen.

The FBI has since launched a website for victims whose data ended up on the hacker forum. According to the FBI, the current iteration of BreachForums that was seized operated from June 2023 until May 2024.

Calling it a game of cat and mouse, Robertson explained that “law enforcement is making good progress with takedowns, but while there is the ability to rebrand under new identities and infrastructure, there is no permanent disruption of the actors.”

“When sites are as successful as BreachForums, attackers won’t go down without a fight,” he said.

FBI seizure notice
Image by Cybernews.

The transparent USDoD

USDoD says it’s not about the profits but about reviving the community and keeping the system running.

“I am not concerned with who is in charge at the Department of Justice or who the FBI director is,” USDoD writes.

The bad actor states he “genuinely cares, loves the work, has proven their value, and has worked their way to the top without the luxury of an unlimited budget.”

“I have a plan,” the threat actor continued.

Posted on USDoD-TA's X profile is another lengthy piece of writing, this time a personal biography, listing not only hacker conquests but also personal trivia factoids and a motivational confessional.

“His motivations intertwine personal vendettas with a love for challenging,” it says.

USDoD X profile and biography
Image by Cybernews | X.

The dating profile, ehhem, I mean bio, also identifies USDoD as a 30-year-old man of South American heritage, currently living in Madrid, Spain.

The bio further reveals that USDoD’s hacking methodology tends to favor social engineering, often gaining access to high-profile victims by impersonating key figures.

USDoD’s claim to fame hack is listed as the “FBI’s InfraGard US Critical Infrastructure Intelligence Portal.”

Baphomet arrested?

Meanwhile, it remains unclear whether Baphomet – who took over as administrator of the marketplace after the March 2023 arrest of BreachForums founder Pompompurin – is truly in the custody of the feds.

“While Baphomet, the latest operator of BreachForums, has reportedly been arrested, there are numerous others wanting to take the reins and develop their own marketplace so they can continue to serve users,” Robertson said.

But not everyone is convinced the so-called arrest of Baphomet is legitimate, as law enforcement has made no official statement, which would usually follow a big bust.

"baph is still an uncertain rumor, so stay tuned," one user commented on X in a thread questioning the arrest.

Another pointed out, "there’s only two reasons for lack of report; either baph is a minor or actively working with the feds."

Additionally, in January, BreachForums’ Pompompurin, aka 21-year-old Conor Brian Fitzpatrick from New York, was sentenced to 20 years of supervised release, meaning zero prison time, which many in the hacker community considered a slap on the wrist.

The light sentence also spurred rumors that Fitzpatrick had made a deal to help the FBI with the inside workings of the hacker marketplace – surely leaving many insiders wondering if the latest takedown could be attributed to the former BreachForums commander.

Fitzpatrick had been running the now-defunct BreachForums site for nearly a year (as a replacement for RaidForums) before Baphomet, Pompompurin’s second-in-command, shut it down in the wake of the arrest over fears the FBI had access to the site.

Eventually ‘Baph,’ along with notorious hacker gang Shiny Hunters, relaunched the BreachForums site in June last year.

Shiny Hunters here to stay?

“The threat actor USDoD has already announced Breach Nation, which is set to launch on 4th July, while there are also indications that ShinyHunters have something in the works,” Robertson noted.

Announcing Baphomet’s arrest on Telegram, after regaining control over the domain on May 16th, Shiny Hunters posted a PGP-signed message stating the arrest led “to the seizure of pretty much all of our infrastructure by the FBI.”

“At this point, the future of our forum remains uncertain,” the group stated. “We will keep you updated.”

USDoD acknowledged the group in his Breach Nation announcement on Thursday: “There are others, such as Shinyhunters and his team, who plan to create their own forum. However, I urge you to consider Shinyhunters’ past performance on BF V2 before making a decision.”

Shiny Hunters Baphomet arrest
Image by Cybernews.

Shiny Hunters is known for carrying out multiple high-profile data breaches costing their victims tens of millions of dollars, including Microsoft, Mashable, and Pluto TV.

In spring 2022, the mysterious threat actors successfully breached AT&T and T-Mobile within days of each other, exfiltrating the personal data of a combined 110 million users.

The AT&T hack is still causing trouble for the wireless carrier to this day, with a confirmed customer database of sensitive information still being floated around the dark web as recently as March.

Still, when it comes to the new “Breach Nation” site, cybersecurity expert Robertson believes the venture will most likely have a “limited shelf life.”

“But, we can also be sure that the operators and actors using the site will continue to resurface under new guises, causing just as much chaos in the online world,” Robertson said.