The infamous criminal marketplace BreachForums is back online just two weeks after a coordinated law enforcement action led by the United States dismantled and seized control of its infrastructure.
Multiple cybersecurity researchers reported that BreachForums has resurfaced at breachforums[.]st. The site reopened for registration on Tuesday, using a new dark web domain while reclaiming its original clearnet domain, breachforums[.]st.
In addition to breachforums[.]st, other associated clearnet domains, such as escrow[.]breachforums[.]st, breached[.]in, and two other parked domains, have also been reacquired from the FBI's control.
The tech news site Hackread reported that ShinyHunters, an alleged administrator of BreachForums, shared an email allegedly showing a conversation between an FBI computer scientist from the agency’s Cyber Division and NiceNIC, the domain registrar. The email indicated that the FBI's Cyber Division executed an operation on May 15, 2024, targeting BreachForums and seizing several domains through a court-ordered warrant.
However, only hours after the seizure, the domain breachforums[.]st was returned to ShinyHunters, and the FBI's NiceNIC account, registered under the name “bf_fbi,” was suspended. The FBI subsequently asked NiceNIC to reactivate its account and return the seized domains. Citing NiceNIC's terms of service, which prohibit the promotion of cybercrime, the FBI urged that if the domains could not be returned, the nameservers should be directed to FBI-owned servers or the domains should be suspended to prevent further illicit activities.
Seeing as the breachforums[.]st domain is back online in its original form, it’s safe to assume that NiceNIC didn’t heed the FBI’s request. This may also explain why the agency has yet to release an official statement regarding the takedown.