US authorities have seized the latest incarnation of BreachForums, the cybercriminal bazaar recently reborn under the stewardship of the so-called Scattered Lapsus$ Hunters, with help from French cyber cops and the Paris prosecutor’s office.
The site, breachforums[.]hn, had become a public-facing leak shop for the group’s latest extortion campaign, which targeted Salesforce and its corporate clientele. Visitors to both the clearnet and onion versions of the site were greeted today by an animated seizure notice courtesy of the US Department of Justice and the FBI, confirming that the forum’s infrastructure is now in federal hands.
BreachForums has had more comebacks than a 1990s boy band. The original version was shuttered in March 2023 following the arrest of its founder, Conor Brian Fitzpatrick, better known online as “Pompompurin.” Since then, clones and successors have popped up, each claiming to revive the notorious marketplace for stolen data.
The latest iteration was hijacked by Scattered Lapsus$ Hunters, a rebranded alliance of data extortion crews that styles itself as the “Trinity of Chaos.”
The takedown briefly rattled the group, which posted to its Telegram channel overnight: “Seizing a domain does not really affect our operations FBI… try harder ;).” Moments later, the bravado faded. “Hello, this channel is now locked down till we get this mess in control,” read a follow-up message, after one admin appeared to have gone missing online. Members speculated aloud that the feds might already be lurking in the chat.
The group later posted a PGP-signed message from someone claiming to be part of the ShinyHunters administration team, declaring that BreachForums was “officially dead.”
“BreachForums was seized by the FBI and international partners today. This was inevitable and I am not surprised. Neither I nor others involved with this group have been arrested. All our BreachForums domains were taken from us by the US Government a few days ago. The era of forums is over.”
The message, seen by The Register, goes on to claim that the forum’s most recent database backup was compromised, along with “every single database backup since 2023 till now,” and that the “backend servers themselves were seized and destroyed.”
“BreachForums is never coming back, if it comes back, it should immediately be considered a honeypot,” the post warned.
It closes with a defiant note: “There is not much to say about this seizure but one thing to note is, the recent action the US Government has took [sic] against us, has no impact on our Salesforce campaigns.”
Despite the disruption, Scattered Lapsus$ Hunters’ dedicated dark web leak site remains online. A pinned post still threatens to publish what the gang claims is a billion-record haul of Salesforce customer data unless its ransom demands are met. The message promises that “on exactly 11:59 PM New York time tomorrow, the data of companies who have not paid will be leaked.”
Among the 39 alleged victims is a who’s who of global brands, including Disney, Qantas, Air France-KLM, UPS, FedEx, Home Depot, Gucci, and Toyota. Salesforce, for its part, told The Register earlier this week that it has no intention of paying up.
“Salesforce will not engage, negotiate with, or pay any extortion demand,” spokesperson Allen Tsai said, with reports claiming the company had made the same point clear to its customers. “These attempts to extort ransom payments relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
The Register understands that the data at the center of the standoff isn’t the result of a fresh Salesforce breach, and instead originates from historical intrusions. Google’s Threat Intelligence Group has said the theft stemmed from Salesloft Drift, a third-party application integrated with Salesforce: attackers abused OAuth tokens issued to that integration to read data from victims’ CRM instances.
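One check a CRM tenant’s defenders would run after a report like this, as an added example that is not code from The Register, Salesforce or Salesloft: scan API-access records for an integration’s OAuth token being used from an unfamiliar network or to bulk-read sensitive objects, then list the connected apps whose grants need revoking. The record fields, the sample events and the 203.0.113.0/24 egress range are constructed assumptions, not a real vendor schema.

```python
"""Triage helper for a connected-app OAuth token abuse scenario.

Added example, not code from The Register, Salesforce or Salesloft. It scans
constructed API-access records for an integration's token being used from an
unexpected network or to read unusually large volumes of sensitive CRM objects,
and lists the connected apps whose tokens should be revoked. Field names and
network ranges are assumptions for illustration, not a real vendor schema.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class ApiEvent:
    ts: str             # ISO-8601 timestamp of the API call
    connected_app: str  # OAuth connected app (integration) that presented the token
    user: str           # integration user the token acts as
    client_ip: str      # source address seen by the CRM tenant
    sobject: str        # CRM object queried, e.g. Account, Case
    rows: int           # rows returned by the call


# Constructed sample records (assumption: not real telemetry).
SAMPLE_EVENTS = [
    ApiEvent("2025-10-08T09:00:00Z", "Drift", "drift.integration", "203.0.113.10", "Lead", 120),
    ApiEvent("2025-10-08T09:05:00Z", "Drift", "drift.integration", "203.0.113.11", "Contact", 50),
    ApiEvent("2025-10-09T02:14:00Z", "Drift", "drift.integration", "198.51.100.7", "Case", 250_000),
    ApiEvent("2025-10-09T02:20:00Z", "Drift", "drift.integration", "198.51.100.7", "Account", 180_000),
    ApiEvent("2025-10-09T08:00:00Z", "ReportingTool", "bi.service", "192.0.2.5", "Opportunity", 300),
]

# Assumption: egress ranges the tenant has recorded for each integration.
# Apps without an entry get no source-network check.
KNOWN_APP_NETS = {"Drift": ["203.0.113.0/24"]}

# Objects whose bulk export would matter most in an extortion scenario.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity", "User"}


def _from_known_net(ip: str, nets) -> bool:
    """True if ip falls inside any of the recorded CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def flag_events(events, known_nets=KNOWN_APP_NETS, row_threshold=10_000):
    """Return (event, reasons) pairs for calls that look like token abuse."""
    findings = []
    for e in events:
        reasons = []
        nets = known_nets.get(e.connected_app)
        if nets and not _from_known_net(e.client_ip, nets):
            reasons.append("token used from outside the integration's known network")
        if e.sobject in SENSITIVE_OBJECTS and e.rows >= row_threshold:
            reasons.append(f"bulk read of {e.sobject} ({e.rows} rows)")
        if reasons:
            findings.append((e, reasons))
    return findings


def apps_to_revoke(findings):
    """Connected apps whose OAuth grants should be revoked and re-issued."""
    return sorted({e.connected_app for e, _ in findings})


if __name__ == "__main__":
    for event, reasons in flag_events(SAMPLE_EVENTS):
        print(event.ts, event.connected_app, event.client_ip, "; ".join(reasons))
    print("revoke:", apps_to_revoke(flag_events(SAMPLE_EVENTS)))
```

The fixed row threshold stands in for a per-app baseline; in a real tenant the comparison would be against that integration’s normal daily volume per object, and the source-network check only works if the integration’s egress addresses have been recorded in advance. The point of a stolen integration token is that it looks like the integration, so the signal has to come from where it is used from and how much it pulls.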
In other words, the latest BreachForums campaign looks less like a fresh mega-hack and more like a desperate scramble to monetize old stolen data before law enforcement closes in. Whether the threatened leak lands before 11:59 PM New York time remains to be seen – assuming, of course, that any of the gang’s members are still at large to press “publish.”
Given the speed with which US and French investigators moved to pull the plug on the group’s public platform, the clock may already be ticking louder than the crooks realize. For now, visitors to BreachForums can enjoy a flashy FBI seizure banner in place of stolen databases, a small consolation prize for anyone who ever wondered what justice looks like in animated form. ®