FBI Seizes Another BreachForums Domain; Hackers Admit the “Era of Forums Is Over”

The FBI has seized another version of the notorious hacker forum BreachForums, taking control of the domain BreachForums[.]hn a site used to leak data from at least 39 organizations affected by the recent Salesforce-related breaches.

According to threat actors behind the forum, law enforcement not only took the site offline but also obtained backups of BreachForums’ databases, marking another decisive blow to one of the dark web’s most persistent leak markets.

A New Revival — and Another Takedown

The BreachForums[.]hn domain surfaced in the summer of 2025, representing yet another attempt to resurrect the infamous platform. That revival was short-lived; within months, authorities began a new wave of arrests targeting the forum’s alleged operators.

By October 2025, a collective calling itself Scattered Lapsus$ Hunters — believed to include members of Scattered Spider, LAPSUS$, and ShinyHunters — had transformed the site into a dedicated leak hub, publishing data allegedly stolen from dozens of major corporations connected to Salesforce.

FBI and French Authorities Join Forces

Last week, BreachForums[.]hn and its Tor mirror suddenly went offline. Although the .onion version briefly returned, the primary domain remained inaccessible. Its DNS was switched first to Cloudflare nameservers previously linked to FBI operations, then officially updated to ns1.fbi.seized.gov and ns2.fbi.seized.gov.

The FBI has since confirmed the takedown, revealing that the operation was conducted jointly with French law enforcement. According to the agency’s notice, investigators seized the forum’s infrastructure before hackers could begin publishing Salesforce-related data.

Hackers Acknowledge Defeat

Members of Scattered Lapsus$ Hunters later posted a message on Telegram, signed with ShinyHunters’ verified PGP key — a signature confirmed by journalists at BleepingComputer. The message conceded that the seizure was “inevitable” and declared that “the era of forums is over.”

Hackers claimed that law enforcement gained access to archived databases from all previous BreachForums iterations, compromising backups and escrow data dating back to 2023. Although none of the main administrators have reportedly been arrested, the group stated they will not attempt another revival, warning that any future BreachForums-branded sites should be assumed to be law enforcement honeypots.

The Salesforce Extortion Campaign Continues

The group stressed that the takedown does not affect its ongoing extortion campaign tied to the Salesforce data breaches, in which they claim to possess nearly one billion personal records.

Their extortion threats have targeted a long list of major global brands, including FedEx, Disney and Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France–KLM, TransUnion, HBO Max, UPS, Chanel, and IKEA.

In a post addressed directly to Salesforce, the hackers demanded a ransom to prevent the public release of the allegedly stolen datasets.

End of an Era

The BreachForums seizure marks another milestone in the FBI’s years-long campaign to dismantle data-leak marketplaces. With law enforcement now in possession of the forum’s infrastructure and backups, even the hackers themselves acknowledge what many in the security community have long predicted — the dark web forum era is drawing to a close.