In mid-March 2022, the underground cyber forum BreachForums quietly made its debut. Within a year, the platform became one of the most prolific cyber crime forums in history.

According to the FBI, BreachForums illegally posted hacked data pertaining to nearly 14 billion people globally. It hosted breaches that included data related to 7 million Robinhood customers, 23 terabytes of Shanghai National Police data and, more recently, 56,000 records from the D.C. Health Benefit Exchange Authority. The D.C.-based hack exposed the personal details of Congress members, their families, staff and tens of thousands of other Washington area residents.

The meteoric rise of BreachForums came to an abrupt halt on March 15th with the arrest of Conor Fitzpatrick, 20, of Peekskill, New York. From his parents’ house, Fitzpatrick allegedly operated the forum and went by the username “pompompurin”.

Now that BreachForums is down, what will take its place — and when?

The Rapid Rise of BreachForums

According to a DOJ press release, BreachForums was a marketplace for cyber criminals to buy, sell and trade hacked or stolen data and other contraband. Data commonly sold on the platform included bank account information, social security numbers, other personally identifying information (PII), hacking tools, breached databases, services for gaining unauthorized access to victim systems and account login information for compromised online accounts.

The BreachForums operator, Conor Fitzpatrick, has been accused of victimizing millions of U.S. citizens and both domestic and foreign entities, including companies, organizations and government agencies. Among the stolen data sets were ones that contained sensitive information belonging to customers of telecommunication, social media, investment, health care and internet service providers.

In one instance, a user on BreachForums uploaded the personal details and contact information of around 200 million Twitter users. Another leak disclosed information on 87,760 members of InfraGard, which is a partnership between private sector firms and the FBI aimed at protecting critical infrastructure.

BreachForums’ predecessor was RaidForums, which launched in 2015 and was shut down in April 2022 with the arrest of its founder and administrator. According to threat intelligence, RaidForums contained more than 530,000 registered members and was a powerful tool for low to mid-level cyber criminals. RaidForums attackers bought and sold information stolen from UK companies related to credit cards, bank accounts, usernames and passwords.

What the BreachForums Timeline Tells Us

The RaidForums lifespan ran from 2015 to April 2022. Meanwhile, BreachForums started operations in March 2022.

According to CyberScoop, BreachForums started out slow. But after about six months, the forum built a vibrant community, and posters developed known personalities and brands. BreachForums entrenched itself as a “mid-tier” source of stolen data in the global cyber crime ecosystem. The forum initially struggled to gain traction, but within months it became the largest English-speaking hacked data broker forum anywhere.

While the takedown of BreachForums is welcome news, its dramatic rise to success tells us something important. News of RaidForums’ demise was still fresh when BreachForums debuted. Within a year, the new forum exposed 14 billion people’s data.

Did They Let BreachForums Operate On Purpose?

It’s not unusual for law enforcement to be aware of illicit activity but not act on it right away. If they shut things down too fast, the big fish perpetrators might get away. Imagine if the feds infiltrated BreachForums and then one day posted that the platform was under surveillance. Everybody would scatter, and the operators might not be apprehended.

There’s no doubt that threat intelligence teams were monitoring the forum, since that’s what they do. Law enforcement, however, was lurking until it could identify and locate the forum’s operator.

An FBI affidavit cites Fitzpatrick’s alleged involvement in data leaks himself. It also highlights his role as a middleman for transactions in the sale of data involving an undercover FBI employee. The affidavit also details security blunders that tied Fitzpatrick to running the site, including data such as IP addresses associated with Fitzpatrick’s phone and his house, and a personal Gmail address.

How long the feds had this info on Fitzpatrick is anybody’s guess. An expert cited by CyberScoop speculated that the D.C. leak involving Congress members’ personal data may have been the straw that broke the camel’s back.

Why doesn’t someone else just pick up where pompompurin left off? In the wake of Fitzpatrick’s arrest, “Baphomet,” a BreachForums “staff member,” posted a series of statements urging calm, as per CyberScoop. Baphomet claimed the site would continue on. But on March 19, Baphomet said he’d seen signs of someone using Fitzpatrick’s admin accounts to log into a content delivery server after Fitzpatrick’s arrest. This suggested that “nothing can be assumed safe, whether it’s our configs, source code or information about our users — the list is endless.” Therefore, BreachForums was shut down for good.

Who Will Take BreachForums’ Place?

Some security experts predict that cyber actors will be scrambling to find a new home now that BreachForums has been taken down. But if it evolved so quickly and had such a wide-ranging impact, what’s to prevent another forum from taking BreachForums’ place within months? It would not be a surprise if one is already in the works.

Nevertheless, the dramatic fall of BreachForums will have a major impact on the cyber crime community. Threat actors looking to sell data will have to find a new marketplace. And threat researchers who track illicit activity will have to cast new nets looking for risk patterns. Part of threat intelligence includes curating information from darknet forums to know what threat actors are talking about.

The BreachForums story underlines the need for solid threat intelligence. Underground cyber forums aren’t going away soon. Threat intelligence drills into understanding how threat actors think, strategize and strike, and that knowledge in turn enables prevention, detection, response and recovery strategies.
