Floundering, BreachForums goes online again on dark web and clearnet, access restored

Since the data leakage forum BreachForums was seized by the FBI in mid-May, too many stories have happened, and "ODN" has continued to follow up, and on May 24, the third version of BreachForums made a strong comeback under the leadership of administrator ShinyHunters.

However, from June 10th, the forum was once again inaccessible, and the administrator Telegram, as well as BreachForums' Telegram channel and groups, were deleted. After two days of suspicion, BreachForums once again regained access to the darknet and the opennet on June 12th, with no one knowing what happened.

After access was restored again, administrator ShinyHunters posted an announcement on the forums about the recent problems:

Hello BreachForums users!

Some wild stuff has gone down recently. First off, Spamhaus has blacklisted our SMTP host. Then, we ran into more issues with our NGINX config. To top it off, our Telegram account (@shinycorp) and the “Jacuzzi 2.0” group got banned and blacklisted. Because of all this, we’re stepping away from using any Telegram account for ShinyHunters, and honestly, it’s kind of sapped our motivation to keep the forum going, though we’ll keep it alive. If you have any questions about rank, escrow, or anything else, hit up @Hollow (likely the next owner). Also, the canary has been updated.

The announcement literally explains what's behind the downtime, stating that their SMTP host was blacklisted by Spamhaus, that they're experiencing a lot of problems with the server's NGINX configuration, and that their Telegram account (@shinycorp) and the "Jacuzzi 2.0" group were banned and blacklisted.

However, as previously reported, BreachForums' dark and light websites were inaccessible, and their Telegram accounts were deleted at about the same time. Anyone who has a little bit of technical knowledge knows that problems with Telegram accounts will not affect website access; problems with SMTP may cause the website to be unable to send emails, but will not affect the normal operation of the forums; and NGINX configuration errors can be restored in a flash. So ShinyHunters' announcement is hardly convincing, and no one really knows what's going on behind the scenes. According to "ODN", which compiled comments from several media outlets and groups, everyone's trust in BreachForums has been severely diminished.

ShinyHunters said they left Telegram as a result of these setbacks and are less motivated to maintain the forums, though they will continue to operate, and mentioned that Hollow (currently one of the forum's administrators) may be the next owner of BreachForums.

BreachForums' other administrator, Aegis, still has an active Telegram channel and posted about the forum's return on the 13th. In another Telegram group, one user suspected that Shiny Hunters was also an FBI informant, while another said Shiny was state-sponsored and claimed that Gabriel, who had been in contact with Shiny Hunters, had recently been arrested.

The BreachForums that have been tested and accessed by "ODN" have been restored with data as of June 9, 2024, meaning that there was no loss of database during the shutdown. The newly restored forums have also been synchronized with the Canary update, as follows:

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

Next update by 07-12-2024.

Current:
breachforums.st
breached26tezcofqla4adzyn22notfqwcac7gpbrleg4usehljwkgqd.onion

Mirrors:
breached4lhlibrqmzj7h2n4unu7wdzkg7gczcggufbqufwmmdraiyqd.onion
breachedetbw6gnud64wvuld3xkyrrbz5eijhvjbbix72izpegjdvcyd.onion
breachedhr2hxxranvbogkth63cpxwdcelsetui4uqavejvsqes4thid.onion
breachedm6qqmtc2ksrdhhtdr6o4erzudgx4blvkcxhyeruudtibizqd.onion

PGP Key: http://breached26tezcofqla4adzyn22notfqwcac7gpbrleg4usehljwkgqd.onion/pgp.txt

Fingerprint: 1FC4 D0B1 DEE9 14BB 05B5 7FAB F1F1 B98A 51C9 89B3

BTC Block Hash: 000000000000000000017d7da10976e3fcb69c00e39b0cb114dc85f684e71841
—–BEGIN PGP SIGNATURE—–

iQIzBAEBCgAdFiEEH8TQsd7pFLsFtX+r8fG5ilHJibMFAmZp10sACgkQ8fG5ilHJ
ibPbvw/9Er0Rji5VGjTbaNBSUfzT0eILpteEAYex2KiSfLAYzH4by8RkgyxC8v43
n4Ecef/j3PhpDgYfkPkmALMMUx2UJH3lvsd1hu9onM4MR7IWA9O+hlI4UuNAnU06
zz550FyFlXst1GC898DlmDwyXJhZ6zfBnFHxZCvXVY51OyoIsMfSB6Eon40GbUtC
JKdJpxhYqi+hFKd0GruIvkXXXatr36t0+Iqp4otSc4my6a+zzMu/UpDd8wKz9KGy
pRmiZYTfp/SoLkPX2inVYxlilxZ75o4OlbW1uWfCUwWSZ2Ii2sD5waXv3lNP4yly
WLABljvsLNgnwKuM1EPtDslYQlBIteh9r1//gzjzlqJ0RQ7/QlbkaUF/IXJ8sNWp
O0gOoOXD46bITl9Gtsq6z/bxI0FHBcgZru1AuQpRvAFsNK6lNPidbk0FAcjMKvTc
WvsPwFuHy/UWaiNAD+jGZHjdcPtuAGfx+Mx6b1ViuD6KfhKAZQaimKaOne/u2TjF
sZnB2oS1MPUtS4rsnUV6fjDftoQZl6dMSIeQWLVt7QOEVzM5KKr0zHq3heWDbSod
hQmQFw/X4XI1JEeDLSMJTVg0gK4hFdGOOdXt8YdWIGJdyD/ld7l5ukyRxZFl51QG
nrEGXi0Ox1ISZAJlpLd4+5XO4xj6U01ED/m1xdrnYO+8q+mtAMA=
=oe2R
—–END PGP SIGNATURE—–

However, forum user "zarniwoop" verified the updated canary.txt on May 24 with the above canary, and found that the latest canary.txt does not match ShinyHunters' PGP KEY, which means the above new canary is not issued by ShinyHunters.That is, the new canary above is not issued by ShinyHunters. Who is BreachForums in the hands of?There are too many unknowns hidden.

What exactly is the identity of ShinyHunters, whether BreachForums is an FBI honeypot or not, and why BreachForums was suddenly shut down and then revived, are all still confusing, and all are question marks to be answered by time.

"ODN" will continue to follow the status of BreachForums.