Law enforcement agencies from the United States and France have seized the onion leak website operated by the notorious Scattered LAPSUS$ Hunters collective, displaying a prominent seizure notice featuring logos from the FBI, Department of Justice, and international partners.
This coordinated action, executed around October 9, 2025, targeted the BreachForums infrastructure, which the group had repurposed as a data extortion portal following a massive breach of Salesforce customer databases.
The takedown disrupts the group’s ability to threaten and leak stolen data publicly, though experts warn that such actors often pivot to alternative channels like Telegram.
Scattered LAPSUS$ Hunters
Scattered LAPSUS$ Hunters emerged in August 2025 as an alliance of infamous hacking groups, including Scattered Spider, LAPSUS$, and ShinyHunters, often referred to as the “Trinity of Chaos” within the cybercrime underworld known as The Com.
This supergroup quickly escalated its activities by launching social engineering attacks on Salesforce tenants, claiming to have stolen over one billion records from high-profile organizations such as Adidas, Cisco, McDonald’s, and Qantas Airways.
Their campaign blended data theft with extortion demands, using BreachForums, previously a hacking bazaar shut down in 2023, as a clearnet and Tor-based leak site to pressure victims into paying ransoms.
By early October, the group had listed dozens of compromised entities, setting a deadline of October 10, 2025, for payments to avoid data dumps.
The seizure involved the U.S. Department of Justice, FBI, France’s Central Brigade of Cybercrime (BL2C), and the Paris Prosecutor’s Office, which took control of BreachForums’ domains and backend servers, including database backups dating back to 2023.
Visitors to the site, both on the clearnet (breachforums.hn) and onion versions, encountered an animated banner confirming the infrastructure’s transfer to federal hands, mirroring past takedowns like RaidForums in 2022.
Although the Tor site was briefly restored, the operation prevented immediate large-scale leaks, with the group defiantly posting on Telegram that “seizing a domain does not really affect our operations.”
In response, Scattered LAPSUS$ Hunters leaked data from six companies across aviation, energy, and retail sectors on October 10, including personal details like names, emails, and phone numbers, before declaring no further releases.
Despite the disruption, the collective announced a temporary dissolution on October 11, 2025, halting activities until 2026 to evade heightened law enforcement scrutiny while teasing an Extortion-as-a-Service (EaaS) model and potential targets like the FBI and NSA.
Cybersecurity firms note that domain seizures rarely end such groups’ operations entirely, as they maintain Telegram channels and could relaunch mirror sites swiftly.
Organizations are urged to monitor for renewed activity, enhance Salesforce security, and review their environments for indicators of compromise stemming from social engineering tactics.
This event underscores the persistent challenge of combating loosely organized cybercrime syndicates, with experts predicting the group’s return in a more covert form.
As the dust settles, the incident highlights international cooperation’s role in curbing digital extortion, though vigilance remains essential in the evolving threat landscape.