The US Federal Bureau of Investigation (FBI) and international partners have seized the BreachForums.hn domain, which hosted a data leak site used by the Scattered Lapsus$ Hunters gang to extort companies targeted in the recent Salesforce attacks.
The domain, previously operated by members linked to the ShinyHunters, Scattered Spider, and Lapsus$ groups, has now been taken offline and replaced with a seizure banner by US authorities.
The FBI, in coordination with French law enforcement, took control of the domain's infrastructure before a full-scale leak of Salesforce data could occur. Name servers for the domain were switched to ns1.fbi.seized.gov and ns2.fbi.seized.gov.
BreachForums.hn had briefly resurfaced in July following a forum reboot announced by ShinyHunters, only to go dark again after the arrest of four key operators in France and US charges against Kai West, known online as 'IntelBroker.'
In early October, the domain was repurposed as a data leak site targeting dozens of major companies reportedly affected by the Salesforce breaches. Victims listed by the hackers include FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, and Toyota.
Although the clearnet site and its Tor counterpart went offline on Tuesday, the dark web version has since returned. In a PGP-signed message, ShinyHunters acknowledged the forum's seizure, revealing that all BreachForums database backups since 2023, along with escrow and backend servers, were compromised.
“The era of forums is over,” the group said, noting that law enforcement had gained access to archived data from prior BreachForums versions. The threat actor said no core members had been arrested and warned that any future reboots should be viewed as honeypots.
The hackers also said that the takedown would not impact their ongoing Salesforce campaign.
