
The US Department of Justice, in collaboration with the FBI, France’s BL2C cybercrime unit, and the Paris Prosecutor’s Office, has seized the latest BreachForums domain operated by the cybercriminal group ShinyHunters.
Unlike its previous iterations, the domain functioned as an extortion portal for the group’s ongoing campaign targeting Salesforce customers, marking a strategic shift from marketplace operations to direct pressure tactics against corporate victims.
Visitors to breachforums.hn are now met with a seizure notice bearing the logos of US and French authorities, confirming that the infrastructure has been taken offline as part of a coordinated international operation. The takedown impacted the clearnet version of the portal, though the onion version is still up, indicating that law enforcement likely gained partial access to the backend infrastructure.

Shortly after the seizure, ShinyHunters published a PGP-signed message on Telegram acknowledging the loss of all BreachForums domains, conceding that the group had been outmaneuvered by US authorities. The actor claimed the servers were not only seized but “destroyed,” and that database backups dating back to 2023, along with all escrow databases, had been compromised. According to their own analysis, the seizure of the onion domain further suggests backend access, leading them to conclude that the FBI had “very likely hacked” the infrastructure.

CyberInsider
The now-defunct domain was not structured as a typical cybercrime forum but instead served as a dedicated extortion platform for leaking stolen corporate data as part of ShinyHunters’ campaign targeting Salesforce clients. The portal was reportedly set to begin publishing data on non-compliant victims at the conclusion of a ransom deadline, an event the actor suggests may have triggered the law enforcement action.

This latest seizure follows the turbulent history of BreachForums, which originated in 2022 as a successor to RaidForums. Under its first administrator, “Pompompurin” (Conor Brian Fitzpatrick), the forum became a major hub for trafficking stolen credentials and breached datasets. Fitzpatrick was arrested in March 2023 and recently resentenced to three years in federal prison after a federal appeals court overturned his initial time-served ruling.
The July 2025 relaunch of BreachForums, announced just days after a French law enforcement sweep on June 24 that resulted in the arrests of ShinyHunters and three other admins (Hollow, Noct, and Depressed), was marred by controversy. Many in the threat actor community speculated the site had been compromised from the outset. That suspicion was seemingly confirmed when ShinyHunters warned in August that the site had become a honeypot, with its PGP key and admin accounts allegedly under the control of BL2C and the FBI.
With this week’s domain takedown, the group now claims that all historical infrastructure has been lost and warns users to treat any future iterations of BreachForums as compromised or law enforcement-controlled.
Despite this action, ShinyHunters stated that the seizure “has no impact” on their Salesforce campaign and teased an update or leak scheduled for 11:59 PM ET on October 10, 2025.