Can Law Enforcement Truly Stop Cybercrime with Takedowns?

I’m thrilled to sit down with Malik Haidar, a renowned cybersecurity expert with a wealth of experience in tackling digital threats and hackers within multinational corporations. With a sharp focus on analytics, intelligence, and security, Malik has a unique ability to blend business perspectives with cutting-edge cybersecurity strategies. Today, we’re diving into the recent high-profile operation by the FBI and French Police to shut down the BreachForums domain, a notorious hub for cybercrime. Our conversation will explore the nature of this criminal marketplace, the impact of the takedown, the ongoing Salesforce data breaches tied to the forum, and what this means for both cybercriminals and the organizations they target.

Can you walk us through what BreachForums is and why it’s seen as such a significant player in the cybercrime world?

BreachForums is essentially a digital black market where cybercriminals gather to buy, sell, and trade stolen data, hacking tools, and other illicit goods. It’s a major hub for threat actors to monetize their breaches, often by leaking sensitive information or extorting victims for ransom. What makes it particularly dangerous is the scale and organization—think of it as an underground eBay for hackers, complete with reputation systems and escrow services to facilitate trust in shady dealings. The forum has been linked to high-profile groups like ShinyHunters and IntelBroker, who use it to offload massive datasets or recruit collaborators for their schemes. It’s a breeding ground for some of the most damaging cybercrimes we see today.

What kinds of illegal activities were typically taking place on BreachForums?

The range of activities on BreachForums is staggering. You’ve got the sale of stolen data—everything from personal information like Social Security numbers to corporate secrets and customer databases. Then there’s the trade in hacking tools, like exploits or ransomware kits, and even services like DDoS attacks for hire. Extortion is a big one; hackers post leaked data to pressure victims into paying up. It’s also a networking spot where criminals connect, share tactics, or plan coordinated attacks. Essentially, it’s a one-stop shop for just about any cybercrime you can imagine.

Can you shed light on the recent operation by the FBI and French investigators to target BreachForums?

This operation was a coordinated effort between the FBI and French cybercrime units like BL2C, alongside the Paris Prosecutor’s Office division JUNALCO. They seized at least one key domain associated with BreachForums, specifically breachforums[.]hn, which was a primary clearweb access point for the forum. The goal was to disrupt a critical platform used by cybercriminals to traffic stolen data and orchestrate extortion campaigns. You can see the impact in the public notices posted online, with law enforcement logos plastered across the seized site, signaling a major win for international collaboration in cracking down on these hubs.

How does seizing a domain like breachforums[.]hn impact the cybercriminals who rely on it?

Taking down a domain like breachforums[.]hn hits cybercriminals where it hurts—it cuts off a major channel for monetizing their hacks. Without this platform, they lose a centralized place to sell stolen data, negotiate ransoms, or build their reputation in the underground community. It disrupts their business model and forces them to scatter to other forums or dark web sites, which can slow them down and make their operations riskier. However, it’s not a complete shutdown. Many of these actors are adaptable and likely already have backup plans or alternative platforms to continue their work.

There’s talk that a related .onion site for BreachForums is still active on the dark web. What does that mean for ongoing criminal activities?

That’s a significant wrinkle. The .onion site, accessible only through Tor, remains a backdoor for cybercriminals to keep their operations alive. Since it’s still online, many of the same activities—data trading, extortion, and collaboration—can persist, just in a more hidden corner of the internet. It means that while the clearweb takedown is a blow, it’s not a knockout. Law enforcement faces a tougher challenge with dark web sites due to their anonymity features, so criminals may still exploit this space to target victims or offload data, especially from campaigns like the recent Salesforce breaches.

Speaking of Salesforce, can you explain how BreachForums is connected to the data breaches affecting major companies?

BreachForums has been a key leak site for data stolen in the Salesforce campaign, where hackers targeted dozens of big-name companies like Google, FedEx, and Home Depot. The forum was used to post snippets of stolen data as proof of the breach, often to pressure victims into paying ransoms or to sell the information to other criminals. Groups like Scattered Lapsus$ Hunters, who claim to have over a billion records, leveraged the platform’s visibility to amplify their extortion efforts. It’s a textbook case of how these forums turn stolen data into a weapon.

How were these organizations targeted in the Salesforce campaign, and what methods did the attackers use?

The attackers employed some crafty tactics. One method was a vishing campaign—voice phishing—where they tricked employees into downloading a malicious version of Salesforce’s Data Loader app, likely through social engineering over the phone. Another approach exploited OAuth tokens tied to a third-party app called Salesloft Drift, allowing unauthorized access to systems. These methods show a blend of technical exploits and human manipulation, which made the campaign so effective. Once inside, they siphoned off massive amounts of data, ranging from customer records to internal business information.

How effective do you think this domain seizure will be in halting the extortion campaigns linked to these Salesforce breaches?

Honestly, it’s a mixed bag. Seizing the domain disrupts the visibility and ease of access for these extortion campaigns, which is a step forward. But it’s not a silver bullet. Many experts point out that threat actors are incredibly resilient—they’ll pivot to other platforms or use the still-active .onion site to continue their work. The Salesforce campaign, in particular, seems unaffected in the short term, with hackers claiming the takedown hasn’t slowed them down. It’s a reminder that while law enforcement can impose costs, cybercriminals often find ways to adapt.

What steps should organizations affected by the Salesforce breach take to protect themselves, even after this takedown?

First and foremost, companies need to assume their data is still at risk, even with the forum partially offline. They should ramp up monitoring for any signs of leaked information on other platforms or the dark web. Strengthening access controls, like enforcing multi-factor authentication and auditing third-party app permissions, is critical to prevent further breaches. Incident response plans should be updated and tested—be ready to act if data exposure happens. Communication is also key; transparency with customers and stakeholders can help manage fallout. Lastly, consider working with cybersecurity experts to assess vulnerabilities specific to their systems.

Authorities also seized database backups from BreachForums dating back to 2023. Why is that significant for ongoing investigations?

That’s a goldmine for law enforcement. Those backups likely contain a wealth of historical data—think user registration details, IP logs, private messages, and transaction records. This gives investigators a window into the inner workings of one of the most active cybercrime communities over the past few years. They can map out relationships, link aliases to real-world identities, and build stronger cases against repeat offenders. It’s not just about shutting down a domain; it’s about gathering evidence to dismantle entire networks of criminals over time.

Looking ahead, what is your forecast for the future of cybercrime marketplaces like BreachForums in light of these enforcement actions?

I think we’re in for a game of whack-a-mole for the foreseeable future. Takedowns like this are impactful, but they’re not the end of the story. Cybercrime marketplaces will continue to pop up, evolve, and migrate to harder-to-reach corners of the internet, especially the dark web. We’ll likely see more fragmented, decentralized platforms emerge as criminals try to avoid centralized points of failure. On the flip side, international law enforcement collaboration is getting stronger, and with access to data like the BreachForums backups, they’re better equipped to track and prosecute offenders. It’s an ongoing cat-and-mouse game, but I believe the pressure on these marketplaces will keep intensifying, forcing criminals to take bigger risks to stay in business.
