Right, let’s talk about the past month, because what the actual hell just happened?
Law enforcement either went shopping for a giant, fuzzy roll of wool to pull over the collective eyes of the cyber underground, or the dark web just slammed down a royal flush with a grin and a middle finger. Honestly, it’s hard to tell who’s bluffing anymore, but one thing’s for sure: July was chaos in all the best (and worst) ways.
First off, we saw one of the top-tier Russian-speaking hacking forums, the kind of place where ransomware groups get together and argue about encryption keys like it's poker night, bounce back from what looked like a full-blown takedown attempt by Europol and company.
Like a bad guy in a Bond film, it refused to stay dead. Their homepage gave us the usual “we’re restoring infrastructure” message (which is hacker forum-speak for “We’ve duct-taped the servers back together, please hold off on depositing crypto while we pray it doesn't catch fire again”). Also: “changing onion domains due to current events” - aka the universal sign for "someone got arrested and we don't want to talk about it."
Rumour had it the admin was in handcuffs somewhere in Eastern Europe, but clearly that wasn’t the case, unless he's running this thing from a surprisingly lenient prison cell with broadband. One staff member did get nicked by an international squad of cyber-cops featuring agents from Paris, Ukraine, and probably someone named Franz with a badge and a USB stick. I don't care how hardened you are, opening the door to that kind of surprise LAN party would make anyone soil their hoodie.
Now let’s talk about the real headline act: BreachForums is BACK, baby. Or it’s a honeypot so well executed even the regulars are shrugging and logging in anyway. Either way, welcome to the strangest sequel of the year.
You’ll remember this was the forum whose cast of characters included ShinyHunters, IntelBroker, and a few other cybercrime A-listers, most of whom recently got scooped up and perp-walked off stage. We all thought that was the final curtain. Flowers were laid. Shady tribute threads were posted. Forums fought over the digital ashes.
And then? Like Gandalf with a grudge, it returned. Full infrastructure. Onion domain. Users logging in like nothing happened. The same old leaks. And yes, the same terrible OPSEC from some of the usual suspects.
The new admin, going by the charmingly vague handle “N/A”, released a manifesto/press release/hardcore denial letter that basically boiled down to:
- “Nobody important got arrested, those guys were decoys.”
- “IntelBroker was a smokescreen. Plot twist!”
- “We shut down voluntarily because of a zero-day in MyBB.”
- “And no, it’s not a honeypot, now stop asking.”
Honestly, if I had a pound for every “we’re not a honeypot” claim made by someone who might absolutely be a honeypot, I’d have enough to buy Twitter and turn it into a place people actually enjoy again.
Still, people are back on the site like raccoons who’ve found their favourite trash can. There’s even a thread titled “What the f*ck is going on @N/A” - which, to be fair, might be the most honest piece of writing on the internet this month.
Meanwhile, threat actors are grumbling that the Escrow service is only running on clearnet. Because, you know, nothing screams "trust me, I'm a criminal" like sending your ransom payment through a web browser with Google Analytics installed.
My Final Thoughts (for now).
The forums are alive. The forums are weirdly alive. And honestly, the whole thing feels like either an elaborate sting operation or a really dark episode of Black Mirror. Law enforcement says one thing, admins say another, and the truth is probably somewhere in a Discord server nobody’s admitting to running.
Reputation still matters in the underground, which is why no one wants to be the first to say “nah, I don’t trust this” in case it’s legit. So the party continues, the dumps keep dumping, and we’re all just sitting here, watching this bizarre soap opera unfold.
Stay tuned. If July taught us anything, it’s that in cybercrime, the dead don’t stay dead, they just switch domains.
Smarter Protection Starts with Awareness
Data Breach Scan, Check Any Domain for Free https://breachaware.com/scan
This month's cyber spotlight, vulnerability chat & privacy headlines.
Crypto Scandals, Insider Crimes & Global Cyber Threats.
https://breachaware.com/research/crypto-scandals-insider-crimes-and-global-cyber-threats
A total of 28 breach events were found and analysed, resulting in 13,014,568 exposed accounts containing 34 different types of personal data. The breaches found publicly and freely available included ACC Limited, Los Angeles Unified School District, Rhithm, Tracelo and Quantum Information Port (QIP).
Cyber heists, espionage malware, and eSIM exploits.
https://breachaware.com/research/cyber-heists-espionage-malware-and-esim-exploits
A total of 26 breach events were found and analysed, resulting in 16,465,424 exposed accounts containing 30 different types of personal data. The breaches found publicly and freely available included ULP Alien TxT File - Episode 18, Fibertel, ULP 0028, KFC China and 3S POS.
Insiders Flip, Ransomware Crews Implode, & Zero‑Days Rain Down.
https://breachaware.com/research/insiders-flip-ransomware-crews-implode-and-zerodays-rain-down
A total of 11 breach events were found and analysed, resulting in 1,528,450 exposed accounts containing 22 different types of personal data. The breaches found publicly and freely available included BitMart, La Diaria, Office of Alumni & Corporate Relations - IIT Madras, Naver and Misr Pharmacies Online.
Russian forums seized, BreachForums implodes & Microsoft blames China.
https://breachaware.com/research/russian-forums-seized-breachforums-implodes-and-microsoft-blames-china
A total of 23 breach events were found and analysed, resulting in 28,161,553 exposed accounts containing 28 different types of personal data. The breaches found publicly and freely available included Free, ULP Alien TxT File - Episode 19, Santa Lucia, Stealer Log 0537 and Stealer Log 0536.