Breachforums, the infamous darkweb hacking and stolen data marketplace recently had another setback when its remaining primary administrators were arrested in France, shutting down yet another iteration of the marketplace. This closes another chapter in a site that has caused immeasurable damage to consumer and enterprise systems alike, facilitating the sale and trade of initial access, credentials, and leaked data.
However, on July 01 2025, another alleged variant of this forum completed its initial setup, leading with a welcome post by the new administrator hasan, promising ongoing progress on feature implementation — claiming that 2 months of work has been completed up until now, customising a PhpBB instance and building hosting infrastructure.
This post goes on to lament the treatment of the breachers who have been arrested in the past, during the previous shutdowns such as ShinyHunters and IntelBroker:
BreachForums for the past 2 months of us working on the site has faced so many copycats it is quite unbelievable all things considered that there is no more respect for any of these breachers left like IntelBroker, ShinyHunters and the rest who have been larped beyond comprehension. They have all been arrested and I was debating whethever to close down the project and wait for them, but I knew about IntelBroker’s arrest weeks earlier compared to the news as many others have gotten a similar message and I faced backlash for it.
Since it is such early days for the new forum, there are very few posts, and it is currently still ramping up its userbase and completing features. Currently, the shoutbox feature is still under development (ie: in-landing-page chat) and the credit system seems to be largely complete. So it should be only a matter of time before the site nears feature completion.
As of 1542 July 06, the site appears to have passed ~ 250 user registrations:
Since taking that screenshot yesterday, at 1542 to today at ~ 1500, the site has gained somewhere around another 60 members — somewhere in the ballpark of 320. This is a growth of 28% in 24 hours, so it’s definitely getting some momentum and getting noticed.
This user count is quite low for these types of marketplaces, but it is worth stressing that the forum is not feature-complete and only launched approximately a week ago.
Where is it hosted?
Pinging the host, one gets an IP address of 185.178.208.150, completing an ASN lookup one finds the IP block owned by ddos-guard.net, a Russian hosting and ddos protection provider similar to Cloudflare. This doesn’t necessarily prove it’s Russian-hosted, but it does mean some of the infrastructure is operated by a Russian provider.
What does this mean?
This new Breachforums variant does pose a potential risk in becoming a new darkweb marketplace for the sharing and selling of initial access, stolen credentials, leaked information, and other various offerings. Currently the administrators are having issues getting onion ingress completed, with it being accessibly only over the open web at this time; however over time this may change as it becomes more feature-complete.
Currently this new forum does not pose a threat to end users or corporations, however those in the threat intel space will need to add it to the sources they monitor for threats and credential leaks. This does not currently necessitate any action from organizations or end users, but the standard recommendation applies to use a breached corpus where possible, strong MFA whenever possible, and do your best to follow NIST 800-63b when configuring password complexity rules.