May 10, 2023 By Jonathan Reed 4 min read

In mid-March 2022, the underground cyber forum BreachForums quietly made its debut. Within a year, the platform became one of the most prolific cyber crime forums in history.

According to the FBI, BreachForums illegally posted hacked data pertaining to nearly 14 billion people globally. It hosted breaches that included data related to 7 million Robinhood customers, 23 terabytes of Shanghai National Police data and, more recently, 56,000 records from the D.C. Health Benefit Exchange Authority. The D.C.-based hack exposed the personal details of Congress members, their families, staff and tens of thousands of other Washington area residents.

The meteoric rise of BreachForums came to an abrupt halt on March 15th with the arrest of Conor Fitzpatrick, 20, of Peekskill, New York. From his parents’ house, Fitzpatrick allegedly operated the forum and went by the username “pompompurin”.

Now that BreachForums is down, what will take its place — and when?

The rapid rise of BreachForums

According to a DOJ press release, BreachForums was a marketplace for cyber criminals to buy, sell and trade hacked or stolen data and other contraband. Data commonly sold on the platform included bank account information, social security numbers, other personally identifying information (PII), hacking tools, breached databases, services for gaining unauthorized access to victim systems and account login information for compromised online accounts.

The BreachForums operator, Conor Fitzpatrick, has been accused of victimizing millions of U.S. citizens and both domestic and foreign entities, including companies, organizations and government agencies. Among the stolen data sets were ones that contained sensitive information belonging to customers of telecommunication, social media, investment, health care and internet service providers.

In one instance, a user on BreachForums uploaded the personal details and contact information of around 200 million Twitter users. Another leak disclosed information on 87,760 members of InfraGard, which is a partnership between private sector firms and the FBI aimed at protecting critical infrastructure.

BreachForums’ predecessor was RaidForums, which launched in 2015 and was shut down in April 2022 with the arrest of its founder and administrator. According to threat intelligence, RaidForums contained more than 530,000 registered members and was a powerful tool for low to mid-level cyber criminals. RaidForums attackers bought and sold information stolen from UK companies related to credit cards, bank accounts, usernames and passwords.

What the BreachForums timeline tells us

The RaidForums lifespan ran from 2015 to April 2022. Meanwhile, BreachForums started operations in March 2022.

According to CyberScoop, BreachForums started out slow. But after about six months, the forum had built a vibrant community, and posters developed known personalities and brands. BreachForums entrenched itself as a “mid-tier” source of stolen data in the global cyber crime ecosystem. Although it initially struggled to gain traction, within months it became the largest English-speaking hacked data broker forum anywhere.

While the takedown of BreachForums is welcome news, its dramatic rise to success tells us something important. News of RaidForums’ demise was still fresh when BreachForums debuted. Within a year, the new forum exposed 14 billion people’s data.

Did they let BreachForums operate on purpose?

It’s not unusual for law enforcement to be aware of illicit criminal activity but not act upon it right away. If they shut things down too fast, the big fish perpetrators might get away. Imagine if the feds infiltrated BreachForums, and then one day posted that the platform was under surveillance. Everybody would scatter, and the operators might not be apprehended.

There’s no doubt that threat intelligence teams were monitoring the forum, since that is what they do. Law enforcement, however, appears to have been lurking until it could identify and locate the forum’s operator.

An FBI affidavit cites Fitzpatrick’s alleged involvement in data leaks himself. It also highlights his role as a middleman for transactions in the sale of data involving an undercover FBI employee. The affidavit also details security blunders that tied Fitzpatrick to running the site, including data such as IP addresses associated with Fitzpatrick’s phone and his house, and a personal Gmail address.

How long the feds had this info on Fitzpatrick is anybody’s guess. An expert cited by CyberScoop speculated that the D.C. leak involving Congress members’ personal data may have been the straw that broke the camel’s back.

Why doesn’t someone else just pick up where pompompurin left off? In the wake of Fitzpatrick’s arrest, “Baphomet,” a BreachForums “staff member,” posted a series of statements urging calm, as per CyberScoop. Baphomet claimed the site would continue on. But on March 19, Baphomet said he’d seen signs of someone using Fitzpatrick’s admin accounts to log into a content delivery server after Fitzpatrick’s arrest. This suggested that “nothing can be assumed safe, whether it’s our configs, source code or information about our users — the list is endless.” Therefore, BreachForums was shut down for good.

Who will take BreachForums’ place?

Some security experts predict that cyber actors will be scrambling to find a new home now that BreachForums has been taken down. But if it evolved so quickly and had such a wide-ranging impact, what’s to prevent another forum from taking BreachForums’ place within months? It would not be a surprise if one is already in the works.

Nevertheless, the dramatic fall of BreachForums will have a major impact on the cyber crime community. Threat actors looking to sell data will have to find a new marketplace. And threat researchers who track illicit activity will have to cast new nets looking for risk patterns. Part of threat intelligence includes curating information from darknet forums to know what threat actors are talking about.

The BreachForums story underlines the need for solid threat intelligence. Underground cyber forums aren’t going away soon. Meanwhile, threat intelligence drills into understanding how threat actors think, strategize and strike. This knowledge then enables prevention, detection, response and recovery strategies.
