Hours after the infamous data breach forum BreachForums went offline after the arrest of its owner/administrator, its apparent current administrator who uses the alias ‘Baphomet’ announced that “I’m alive and things are moving”. BreachForums down has already sent ripples to the dark web market place.
[502 Bad Gateway]: The hacker forum known as “Breached” has been experiencing downtime for the last few hours.#DarkWeb #DeepWeb #cyberrisk #databreach pic.twitter.com/2J6lFLqZc1
— FalconFeedsio (@FalconFeedsio) March 20, 2023
Conor Brian FitzPatrick, who have been running the show under the alias ‘pompompurin,’ was arrested on March 15 afternoon, following which Fitzpatrick confessed to operating BreachForums.
“When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian FitzPatrick; b) he used the alias ‘pompourin,’ and c) he was the owner and administrator of ‘BreachForums,’ the data breach website referenced in the Complaint,” FBI special agent John Longmire testified in a court document.
‘Baphomet’, who announced the intention of taking over right after Fitzpatrick’s arrest, assured that the migration process is ongoing despite some issues.
BreachForums, the website that serves as a marketplace for buying, selling, and trading stolen data such as login credentials, credit card numbers, and personal information, was offline at the time of publishing this report.
BreachForums Down: Pompompurin, and new domain
“I’m alive, and the migration is ongoing. Things broke as I expected, but that’s what happens when you have to move things this quickly, especially things that don’t like to be reconfigured this quickly,” said the note apparently posted by Baphomet.
“Keep in mind that during the migration I have to take extra consideration to not accidenly (sic) reveal any part of our new infrastructure without something or someone scanning the internet 24/7 discovering the true hosts of our infra by chance.”
Baphoment assured that any updates from him will be posted on “my domain, my telegram, and my PGP key”.
BreachForums, the forum-based website where users can discuss and share information related to data breaches, hacking, and cybercrime, was expected to be down after the arrest of Fitzpatrick. Shortly after the arrest was reported, Baphomet came online and claimed the admin post of the forum.
“Although I had already suspected it to be the case, it’s now been confirmed that Pom has been arrested,” Baphomet posted on 18 March. “I think it’s safe to assume he won’t be coming back, so I’ll be taking ownership of the forum. I have most, if not all the access necessary to protect BF infrastructure and users.”
BreachForums Down: Takedowns, and Resurfaces
BreachForums has been subject to numerous law enforcement actions and takedown attempts over the years.
In September 2021, it was widely reported that BreachForums had been hacked, and the entire database of user accounts and posts had been stolen. The hackers then reportedly leaked the stolen data online, which included sensitive information such as usernames, email addresses, IP addresses, and hashed passwords.
The present BreachForums domain breached.vc was created on 17 November, 2022. A company by the name 1337 Services LLC, based in St Kitts and Nevis, is the registered owner of the domain.
The same company is also the documented owner of domains such as piratbaypirate.link, dustydunes.app, and yougotcustomers.in.
Cybersecurity professionals took to social media to point out that the present arrest does not seem to nip the operation of BreachForums.
Alon Gal, Co-Founder and CTO of Israel-based cybersecurity company Hudson Rock, termed the arrest and publication as “ridiculous”. The arrest was rushed and poorly executed, allowing the admins to assure the privacy of their users and prevent the forum from getting seized, he pointed out.
“As of now the management will just be replaced and the site will operate regularly,” he wrote.
Michael Sloic, Information Technology Consultant at Diatasso LLC who claimed that he interviewed pompompurin a few weeks before the arrest, said that the group operated with a contingency plan in place.
“I interviewed him just a few weeks ago and he told me about how the site is mirrored and protocols were in place if he got arrested. Seems he wasn’t lying about that,” he wrote.
BreachForums and high-profile breaches
Organizations and individuals around the world have been targeted by active users of BreachForums in the past. The list features business majors such as Yahoo, LinkedIn, and Dropbox, among others.
In January, LeakBase, a member of BreachForums, disclosed sensitive data from German-managed IT service provider BITMARCK’s database.
In September 2022, the same BreachForums user leaked a massive trove of databases containing personally identifiable information (PII) of 16 million Indians using the Swachh City platform, an initiative of the Ministry of Housing and Urban Affairs of the Indian government.
The BreachForums user responsible for these incidents also released the databases of popular Chinese mobile brands such as OnePlus-Oppo and Realme.
Earlier this month, the same user claimed to have gained access to the control panel of JIRA CRM backup of Motorola, a Chinese-owned, US-based business, through malfunctions and errors.
The leaked data, according to the BreachForums post, consists of various file formats and admin panel data, exported in HTML format with screenshots. The total size of the files is approximately 11GB, as claimed by the user of the leak site.