Breach Forums Return to Clearnet and Dark Web Despite FBI Seizure

A tale of emerging cybercrime and embarrassment for the world’s premier law enforcement agency.

Breach Forums has returned to the clearnet and the dark web just two weeks after the FBI seized its infrastructure and arrested two administrators. One of the admins, ShinyHunters, nonetheless regained the forum's clearnet domains, exposing significant operational setbacks and security lapses on the FBI's side.

The notorious cybercrime and hacking forum, Breach Forums, has returned to the clearnet and dark web just two weeks after the FBI seized its entire infrastructure. The FBI reportedly arrested two administrators in the process.

The operation began on May 15, 2024, when the FBI seized all domains belonging to Breach Forums in a coordinated international effort. The next day, Hackread.com published an exclusive report revealing how ShinyHunters, the hacker and main administrator of Breach Forums, managed to regain the seized domain from right under the nose of the FBI by contacting the Hong Kong-based domain registrar, NiceNIC.

But how did ShinyHunters regain the clearnet domains?

The forum has adopted a new address for the dark web, as the original could not be regained from the FBI (unlike a clearnet domain, a .onion address is derived from the hidden service's own key pair rather than held at a registrar, so there is no registrar to appeal to). On the clearnet, however, it is back online with its original domain, breachforums.st. Other associated clearnet domains, including escrow.breachforums.st, breached.in, and two other parked domains, have also been recovered from the FBI's seizure.

ShinyHunters shared what they said was an email sent by an FBI computer scientist from the agency's Cyber Division to NiceNIC, the domain registrar. The email, seen by Hackread.com, gives the FBI's own account of the seizure and of how the domains ended up back with the hacker admin.

The FBI's Email

According to the letter, the FBI's Cyber Division conducted an operation on May 15, 2024, against Breach Forums, seizing several domains, including breachforums.st, which were registered through NiceNIC. The domains were seized under a court-ordered seizure warrant served on an account holder located in the United States, and moved into an FBI-controlled NiceNIC account.

However, a few hours after the seizure, the breachforums.st domain was returned to the original owner, ShinyHunters, and the FBI's NiceNIC account, registered as "bf_fbi," was suspended.

The FBI then asked NiceNIC to reactivate the account and return the seized domains, citing NiceNIC's terms of service, which prohibit the promotion of cybercrime. Failing that, the agency asked that the domains' nameservers be changed to FBI-owned nameservers, or that the domains be placed on clientHold, a registrar-set status that removes the domain's delegation from the TLD zone so it stops resolving, to prevent further harm.
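A practitioner-side check for the fallback options the FBI asked for, as an added example that is not part of the article and not the FBI's or NiceNIC's tooling: it reads a domain's RDAP record and reports whether the domain is held at the registry (server hold), held at the registrar (client hold), or merely re-delegated to seizure nameservers. That distinction is the point of the story: a registry hold can only be lifted by the registry, a registrar hold can be lifted by the registrar alone, and a plain nameserver change is reversible by whoever controls the registrar account. The RDAP records below are constructed inline for illustration, and the seizure nameserver names are assumed placeholders, not any real agency's servers; `fetch_rdap` is included for live use but is not needed to run the samples.

```python
"""Classify a domain's registration state from an RDAP record.

Added example, not code from the article or from any party it names.
The records in SAMPLES are constructed for illustration and are not real
registry data; SEIZURE_NAMESERVERS holds placeholder names (an assumption).
"""
import json
import urllib.request

# RDAP status values follow RFC 8056 (EPP clientHold -> "client hold", etc.).
HOLD_STATUSES = {"client hold", "server hold"}

# Placeholder seizure nameservers (assumed; not the names of any real agency's servers).
SEIZURE_NAMESERVERS = {"ns1.seizure.example", "ns2.seizure.example"}


def fetch_rdap(domain: str, timeout: float = 10.0) -> dict:
    """Fetch a live RDAP record via the rdap.org bootstrap redirector (needs network)."""
    req = urllib.request.Request(
        f"https://rdap.org/domain/{domain}",
        headers={"Accept": "application/rdap+json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def assess(rdap: dict) -> dict:
    """Report who, if anyone, currently holds the domain out of normal resolution.

    "server hold" is set by the registry and only the registry can lift it;
    "client hold" is set by the registrar, which can lift it unilaterally;
    re-delegation to seizure nameservers sets no hold at all, so whoever
    controls the registrar account can undo it.
    """
    statuses = {s.strip().lower() for s in rdap.get("status", [])}
    nameservers = sorted(
        ns.get("ldhName", "").lower() for ns in rdap.get("nameservers", [])
    )
    holds = statuses & HOLD_STATUSES

    if "server hold" in holds:
        level, verdict = "registry", "registry hold: only the registry can lift it"
    elif "client hold" in holds:
        level, verdict = "registrar", "registrar hold: the registrar can lift it unilaterally"
    elif nameservers and set(nameservers) <= SEIZURE_NAMESERVERS:
        level, verdict = None, "delegated to seizure nameservers: no hold, reversible by the account holder"
    else:
        level, verdict = None, "resolving normally"

    return {
        "domain": rdap.get("ldhName", "").lower(),
        "on_hold": bool(holds),
        "hold_level": level,
        "nameservers": nameservers,
        "verdict": verdict,
    }


# Constructed records (not real data) covering the states the email describes.
SAMPLES = {
    "registry_hold": {
        "objectClassName": "domain",
        "ldhName": "example-one.test",
        "status": ["server hold", "server transfer prohibited"],
        "nameservers": [],
    },
    "registrar_hold": {
        "objectClassName": "domain",
        "ldhName": "example-two.test",
        "status": ["client hold", "client transfer prohibited"],
        "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.seizure.example"}],
    },
    "seizure_delegation": {
        "objectClassName": "domain",
        "ldhName": "example-three.test",
        "status": ["client transfer prohibited"],
        "nameservers": [
            {"objectClassName": "nameserver", "ldhName": "ns1.seizure.example"},
            {"objectClassName": "nameserver", "ldhName": "ns2.seizure.example"},
        ],
    },
    "released": {
        "objectClassName": "domain",
        "ldhName": "example-four.test",
        "status": ["client transfer prohibited"],
        "nameservers": [
            {"objectClassName": "nameserver", "ldhName": "ns1.hosting.example"},
            {"objectClassName": "nameserver", "ldhName": "ns2.hosting.example"},
        ],
    },
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name}: {assess(record)['verdict']}")
```

Run against a real domain with `assess(fetch_rdap("example.com"))`; a seizure that only shows up as a nameserver change, with no hold status at all, is the fragile kind described in this article.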

NiceNIC's response to the FBI remains unknown. However, the fact that the domain has returned in its original form suggests that the company did not comply with the FBI's request.

Email Conversation 

Here is the email conversation as seen by Hackread.com: (Note: The name of the FBI agent has been removed from the email due to security and privacy reasons).

FBI Mail to Registrar: 

I'm a Computer Scientist within the FBI's Cyber Division, and I'm one of the primary points of contact for any domain operations for the FBI. Earlier this week, on May 15th, 2024, the FBI had conducted an operation against the illicit forum and marketplace 'BreachForums'. 

Some public cybersecurity outlets caught wind of the actions, and posted articles on the domain seizure and subsequent splash page. On the morning of the operation, the FBI seized control of a few domains associated with BreachForums, including breachforums.st and others, that were hosted by NiceNic. We were able to lawfully seize them by serving a court-ordered seizure warrant on an account owner located in the United States. 

All of the websites that we seized from the account were dedicated to the theft, sale, and sharing of data stolen from victims around the world. Ultimately, our efforts to take down BreachForums were done to prevent any further damage done by the website to countless victims globally.

However, a few hours after the seizure of the domains, around May 15th at 9PM PST, we noticed that the breachforums.st domain was released from our custody and given back to the original threat actor. We also noticed that we were unable to log into our official FBI account at NiceNic, which was registered with the email breachforums@fbi.gov (username: bf_fbi), leading us to believe that the account was suspended.

As such, I was wanting to provide some additional context around the situation to hopefully overturn the account suspension, in addition to returning the lawfully-seized domains back to the FBI NiceNic account.

Additionally, within your domain registration terms of service, you reference that the services will not be used to "promote hacking, cracking, or other cyber crimes or activities", which is a common activity found within and associated with BreachForums. 

If the domains cannot be returned to the FBI, we would kindly request that the nameservers be changed to FBI-owned nameservers or suspended via a clientHold to prevent further harm in accordance with your terms of service. The NiceNic account which currently holds the domains, 'vincenzotroia', has actively disregarded and broken your service agreements by continuing to host these domains.

I look forward to hearing back from you - we would all really appreciate any help or guidance that you might be able to provide on the situation.

Respectfully,

S***

Embarrassing Situation for The FBI

The situation is embarrassing for the FBI. The email also shows why the seizure was so easily undone: the warrant was served on a US-based account holder and the domains were moved into an FBI-controlled account at NiceNIC, rather than being locked at the registry for the .st top-level domain. Control that rests on a registrar account is only as durable as the registrar's willingness to honour it, and NiceNIC, based in Hong Kong and outside US jurisdiction, suspended the bf_fbi account and handed the domain back within hours. The episode therefore exposes an operational setback, a gap in the seizure procedure, a public-perception problem, and open legal questions about enforcing a US warrant against a foreign registrar.

This may also explain why, two weeks on, neither the FBI nor the DoJ has published a press release detailing the seizure. For now the situation is a win for cybercriminals, but the next move from the FBI and the other law enforcement agencies involved in the operation will be crucial to watch.

Breach Forums domain urging users to register to view its content (Screenshot: Hackread.com)
