BreachForums Shuts Down in Wake of Leader's Arrest

The BreachForums underground hacker site — which emerged to replace RaidForums nearly a year ago — now also has gone offline less than a week after its leader was arrested in New York.

The forum's administrator, who goes by the online moniker "Baphomet," said in a post on the group's Telegram channel March 19 that he was closing down the forum due to concerns that the FBI had access to the site, researchers from Dark Owl, a provider of Dark Web data and intelligence, said in a blog post.

Baphomet apologized to members of the forum for closing it down but said he would set up another Telegram group for further information and news, teasing that the launch of another site or other support for their activities was in the works, according to the post.

"I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is," he wrote in the message, according to a screenshot shared in the Dark Owl blog post. "You are allowed to hate me, and disagree with my decision, but I promise what is to come will be better for us all."

BreachForums Leader Apprehended

The shutdown came just five days after US federal agents arrested man called Conor Brian Fitzpatrick, who they allege is behind the forum's administrator handle "pompompurin," and its chief operator. Fitzpatrick was arrested in Peekskill, NY, on March 15, according to an affidavit made in a New York district court.

Fitzpatrick was charged with one count of conspiracy to commit access device fraud, and bail was set at $300,000, which was paid for by his parents, Dark Owl researchers said. When arrested, he admitted to his role as admin on BreachForums and the use of the alias, which the researchers said was surprising.

BreachForums emerged in April 2022 in the wake of the takedown of RaidForums, allowing users to buy and sell data obtained from cybercriminal activity, with site administrators running an escrow service ensuring that sellers received the funds that they had requested, the researchers said.

Cybercriminals widely used BreachForums to purchase stolen data and host data from controversial leaks, such as data stolen from the Washington, DC, healthcare exchange, they said. Pompompurin also conducted cyberattacks of his own, revealing in an interview for the KrebsOnSecurity site in November 2021 that he was responsible for sending fake emails using the fbi.gov domain, the researchers said.

This behavior is likely what put him in the crosshairs of federal authorities, according to Dark Owl. "He claimed at the time this was done to point out vulnerabilities in the FBI systems, but it undoubtedly put him higher on the FBI's radar, leading to his recent arrest," the researchers wrote.

What Comes Next?

Since BreachForums itself came about after the Department of Justice seized what at the time was one of the world's largest hacker forums — RaidForums — and arrested its founder and chief administrator, Portuguese national Diogo Santos Coelho, it's likely that a new forum will emerge from its ashes.

RaidForums was founded in 2015 and, prior to its seizure, was used by its members to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally.

BreachForums' Baphomet practically acknowledged that a new underground hacker site is in the works in his post on Telegram, the researchers noted. He said he is working to create new infrastructure that would replace BreachForums and even may collaborate with competitor marketplaces to keep support for members going.

However, for now, the BreachForums onion site is no longer reachable, and cybercriminals who used the site will have to take a wait-and-see approach until its current administrators regroup and create a new forum on which they can conduct their nefarious activity, the researchers said.

For its part, Dark Owl researchers said they "will continue to monitor the Dark Web and adjacent sources, such as Telegram, to identify any news of emerging groups and sites which may take the place of BreachForums."