Threat Intelligence

BreachForums and Notorious Actors Announce Re-emergence

by ZeroFox Intelligence
BreachForums and Notorious Actors Announce Re-emergence 
6 minute read

Key Findings

  • On June 3, 2025, an actor using the alias “darked321” posted in the deep web forum DarkForums claiming its counterpart, BreachForums (another popular deep web hacking forum), has been relaunched.
  • Darked321’s DarkForums post quoted a longer message from actor “ShinyHunters”, who provides an explanation as to the status of the original BreachForums domain and alleged plans for the new one. ZeroFox also observed activity from “IntelBroker”.
  • Given the presence of ShinyHunters and IntelBroker, there is a likely chance that breach-forums[.]st represents a relaunch effort led by actors in possession of digital infrastructure associated with the original domain.
  • There is a very likely chance that breach-forums[.]st will quickly gain traction and restore functionality, though it is also likely that many users will remain active within peer domain DarkForums, where many actors migrated upon BreachForum’s disruption.

Details

On June 3, 2025, an actor using the alias darked321 posted in the deep web forum DarkForums claiming its counterpart, BreachForums, has been relaunched. According to darked321, BreachForums is once again accessible via two separate domains: one clearnet domain (breach-forums[.]st) and one onion-based (zm57fetqi6c7t4grm3sfehdpujz7acavi4y7ubye3pugenyhktzxjqqd[.]onion/).

  • On April 15, 2025, BreachForums became inaccessible, with the breachforums[.]st domain displaying an error code; at the time of this writing ZeroFox has confirmed that this domain remains inaccessible.
  • Significant speculation surrounding this event took place within deep and dark web (DDW) forums and Telegram channels at that time, with many speculating law enforcement (LE) involvement.
  • Discussion also centered around the possible arrest of IntelBroker—an actor prominent within the forum both for publishing numerous prominent data leaks and having previously carried out a moderator role.
  • The hacktivist collective “Dark Storm” claimed responsibility for the BreachForums outage in its Telegram channel, though without any substantiation.

Darked321’s DarkForums post quoted a longer message from actor ShinyHunters, who provides an explanation as to the status of the original BreachForums domain and alleged plans for the new one. According to the post, the newly launched breach-forums[.]st is the “new, official” domain, and efforts to restore legacy infrastructure and member ranks are ongoing—as is the rectification of security flaws identified during an “audit and rebuilding process.”  ShinyHunters also referred to the disruption of the previous domain, claiming a PHP vulnerability had been exploited. While the actor did not specify the identity of the alleged attacker, they did allude to attempts by “various agencies” to access a BreachForum database—almost certainly alluding to LE entities.

Prior to this post, ZeroFox had not observed activity from ShinyHunters since April 28, 2025, when they posted a PGP-signed message to the front end of breachforums[.]st claiming that the disruption had been caused by a zero-day vulnerability affecting MyBB software. In this post, ShinyHunters also blamed unnamed LE entities, as well as warned BreachForums frequenters to avoid “clone” forums.

  • ShinyHunters is an English-speaking threat collective that has been operational in DDW forums since approximately 2020. The group has since been responsible for numerous data breaches and has also been widely viewed as the owner of BreachForums since the March 2023 arrest of previous moderator “Pompompurin.”
  • In addition to ShinyHunters, ZeroFox also observed posts within breach-forums[.]st’s new Shoutbox feature from IntelBroker—the first activity observed from the actor since April 15, 2025.

ZeroFox’s attempts to register an account on breach-forums[.]st were unsuccessful due to a MyBB SQL error. This likely indicates that the forum is unable to connect to its user SQL database, suggesting configuration efforts remain in progress. Despite this, the forum search feature appears to be functional, with new discussions and topics appearing from users that have successfully registered. Notably, the new domain appears to have undergone a significant overhaul, with many features redesigned.

Since the outage of BreachForums[.]st, numerous other forums have surfaced, with some claiming to offer a like-for-like replacement and others attempting to scam users wishing to register new accounts by masquerading as an “official” replacement. ZeroFox previously reported on the launch of BreachForums[.]fi, announced by actors “Normal” and “Anastasia” (the latter has previously fulfilled a moderator role within the original forum). This domain likely reflected attempts to offer a replacement but was seemingly unable to gain traction and remains inaccessible as of the writing of this report.

Given the presence of ShinyHunters and IntelBroker, there is a likely chance that breach-forums[.]st represents a relaunch effort led by actors in possession of digital infrastructure associated with the original domain. This is further supported by the presence of historic content within the new domain, much of which dates back to as early as 2023. There is a very likely chance that breach-forums[.]st will quickly gain traction and restore functionality, though it is also likely that many users will remain active within peer domain DarkForums—where many actors migrated upon BreachForum’s disruption.


Scope Note

ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 9:00 AM (EDT) on June 5, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

Appendix: ZeroFox Intelligence Probability Scale 

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.

Tags: Threat Intelligence

See ZeroFox in action