Source: ozrimoz via Shutterstock
Barely two weeks after the FBI and the US Department of Justice shut down BreachForums, the notorious data leak site appears to be back online, hawking personal and payment card data purportedly belonging to more than 500 million Live Nation/Ticketmaster customers.
Truth or Law Enforcement Bluff?
Researchers at Malwarebytes this week spotted "ShinyHunters," an administrator of the BreachForums site, posting the alleged Ticketmaster data for sale for $500,000 on one of its original domains. But they are unsure if the apparent revival of the operation is legit, or simply a lure by law enforcement to trap bad actors looking to once again buy stolen data from the forum.
"We dare conclude that this dataset's goal is to generate some attention and act as a lure to let old forum users know that BreachForums is alive and kicking," Malwarebytes researcher Pieter Arntz wrote in a blog post this week. "But who is running the show, is the question that we hope to answer soon."
BreachForums is a hacking forum and marketplace for cybercriminals to buy and sell all kinds of stolen data, including credit card data, bank account information, Social Security numbers, bank account information, hacking tools, account credentials, and personally identifying information. The forum, which boasted of having some 340,000 members earlier this year, became the go-to market for illicit data in mid-2022 following the FBI's disruption of RaidForums, another data leak site, which at the time was the biggest of its kind.
Earlier this month, the FBI and the DOJ seized control of BreachForums domains and Telegram channels belonging to two of its main admins, "Baphomet" and "ShinyHunters." The move followed the arrest in March 2023 of Conor Fitzpatrick, aka "pompompurin," the alleged creator of BreachForums. Though neither the FBI nor the DoJ have provided many details around the BreachForum domain takedown, ShinyHunters has claimed that the FBI has arrested Baphomet as well, Flashpoint said in a report this week.
"An Avatar and a Handle are Easily Copied"
According to Malwarebytes, the reappearance of BreachForums just two weeks after law enforcement seized its domains is suspicious for several reasons. For one thing, the same data that ShinyHunters has posted for sale on BreachForums is also for sale from an individual using the handle SpidermanData on another Dark Web site. The dataset itself — allegedly containing data belonging to 560 million customers — seems suspiciously large and therefore likely not what it purports to be. The revived BreachForums site also requires users to register if they want to see the content that is available for sale on it.
"An avatar and a handle are easily copied, and there are a few things that raised our spidey-senses that something is up," Arntz wrote in the Malwarebytes blog post.
In separate comments to Dark Reading, Arntz says this wouldn't be the first time that law enforcement has used similar lures to try and trap cybercriminals. He points to a 2018 sting operation that resulted in the takedown of Dark Web drug site Hansa Market and the takedown of an encrypted device company called ANOM as two examples.
Consistent With Previous Takedowns
However, if the BreachForums revival is indeed genuine, that too would be consistent with previous trends, Arntz notes. "Criminals like to keep doing what they know works," he says. "So dealing with the same administrators and especially the trusted escrow service beats having to find a new one that they don't know yet. So existing users will be likely to return."
Ian Gray, VP of intelligence at Flashpoint, says evidence suggests BreachForums is operational. Dark Web chatter points to the main BreachForums domain being transferred elsewhere after the law enforcement seizure. "Shortly after the seizure, the site included a link to 'Jacuzzi 2.0,' a Telegram chat for BreachForums," Gray says. "Today, the landing page for the site includes a link to N.W.A.'s "F*** Tha Police," he says, referring to American hiphop group N.W.A.s protest song.
ShinyHunters, the administrator of the shuttered BreachForums, claims to have regained control of the domain seized from the FBI, he notes.
More chatter suggests that another BreachForums member "USDoD" will launch a similar leak site on July 4 that is not associated with the current iteration of BreachForums, Gray notes. The new forum's domain is planned to be either breachnation.io or databreached.io, he says.
Unfortunately, the BreachForums of the world are poised to metastasize, says Patrick Harr, CEO of SlashNext, an email security vendor. "They are never fully eradicated despite treatment or in this case a takedown," he says. "The group, like cancer, still lurks in the background, waiting to re-emerge, sometimes in different name or form but with the same purpose."
