published March 19, 2026

No FBI Needed: How a Non-Profit Knocked BreachForums Offline With an Abuse Report

In March 2026, a non-profit cyber watchdog traced BreachForums' servers to a DigitalOcean datacenter in Frankfurt, filed abuse reports, and watched the platform go dark — without a warrant, a badge, or a courtroom. The forum's own admin quit on the spot. Here is the full story of how one of cybercrime's longest-running marketplaces finally lost its footing, and why this time may be different.

BreachForums has been seized, defaced, shut down, reborn, seized again, and shut down again so many times that the cybersecurity community developed a kind of weary humor about it. Every takedown prompted predictions of its permanent demise. Every time, it came back. But in mid-March 2026, something different happened — and the entity that pulled the trigger was not the FBI, not Europol, and not a coalition of national cyber agencies. It was a small non-profit organization armed with open-source intelligence tools and a well-documented email to a cloud provider's abuse team.

The result: BreachForums went offline. Its admin posted a resignation notice. And the broader criminal ecosystem, already badly shaken by a cascade of arrests, leaks, and defections stretching back through 2025, fractured a little further.

What CCITIC Did — and How It Worked

The Cyber Counter-Intelligence Threat Investigation Consortium, known as CCITIC, is a non-profit organization that investigates cybersecurity threats and assists law enforcement in takedown efforts. Over the weekend of March 15–16, 2026, CCITIC published findings on LinkedIn stating that both the clearnet and Tor versions of BreachForums were displaying a 502 Bad Gateway error — the kind of error that does not appear by accident on a site with operational administrators watching it.

According to CCITIC, the organization had conducted rigorous open-source intelligence work and identified the upstream infrastructure behind BreachForums. All three servers supporting the forum were hosted on DigitalOcean's Frankfurt am Main datacenter under ASN 14061. Armed with that information, CCITIC filed multiple structured abuse reports directly with DigitalOcean. The cloud provider acted on those reports and took the servers offline.

You don't need to be the FBI to take action. Rigorous OSINT work, backend server identification, a well-documented abuse report sent to the right hosting provider — and a cybercriminal forum goes down. — CCITIC, via LinkedIn (March 2026)

CCITIC also noted that this was not an isolated operation. In the nine days prior to the BreachForums takedown, the organization had already secured three separate takedowns of the Lapsus$ website using the same methodology — OSINT-driven identification of upstream hosting infrastructure followed by documented abuse reporting. The BreachForums shutdown was the fourth in that sprint.

Note:

DigitalOcean maintains a public abuse reporting portal at digitalocean.com/company/contact/abuse. Anyone who identifies malicious infrastructure hosted on DigitalOcean's network can submit a documented report. When reports are well-evidenced, providers have both the legal standing and the commercial incentive to act quickly. This is the mechanism CCITIC exploited — legally and effectively.
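What a structured, checkable evidence packet for a provider abuse report can look like, as an added example (not CCITIC's tooling and not part of the original briefing): each observation must fall inside a prefix of the named ASN, carry a timezone-aware timestamp, be recent, and be tied to a hashed artifact. The prefix table, observations, field names and the seven-day freshness window are constructed assumptions; the prefixes are RFC 5737 documentation ranges, not DigitalOcean's real announcements.

```python
import hashlib
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a whois/BGP lookup: RFC 5737 documentation
# ranges, NOT the provider's real announcements.
ASN_PREFIXES = {14061: ["192.0.2.0/24", "198.51.100.0/24"]}

# Constructed observations; "artifact" is the raw capture backing the claim.
SAMPLE_OBSERVATIONS = [
    {"ip": "192.0.2.10", "seen": "2026-03-14T09:12:00+01:00",
     "artifact": b"constructed capture A"},
    {"ip": "203.0.113.7", "seen": "2026-03-14T09:15:00+00:00",
     "artifact": b"constructed capture B"},   # outside the ASN's prefixes
    {"ip": "198.51.100.4", "seen": "2026-02-01T00:00:00+00:00",
     "artifact": b"constructed capture C"},   # too old to act on
    {"ip": "192.0.2.11", "seen": "2026-03-15T18:30:00",
     "artifact": b"constructed capture D"},   # ambiguous: no timezone
]


def ip_in_asn(ip, asn):
    """True if the address sits in one of the prefixes recorded for the ASN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in ASN_PREFIXES.get(asn, []))


def build_report(observations, asn, now, max_age=timedelta(days=7)):
    """Split observations into evidence a provider can verify and rejects."""
    evidence, rejected = [], []
    for obs in observations:
        seen = datetime.fromisoformat(obs["seen"])
        if seen.tzinfo is None:
            reason = "timestamp has no timezone"
        elif not ip_in_asn(obs["ip"], asn):
            reason = f"address is not in a prefix of AS{asn}"
        elif now - seen > max_age:
            reason = "observation is stale"
        else:
            evidence.append({
                "ip": obs["ip"],
                "seen_utc": seen.astimezone(timezone.utc).isoformat(),
                "artifact_sha256": hashlib.sha256(obs["artifact"]).hexdigest(),
            })
            continue
        rejected.append({"ip": obs["ip"], "reason": reason})
    return {"asn": asn, "generated_utc": now.isoformat(),
            "evidence": evidence, "rejected": rejected}


if __name__ == "__main__":
    now = datetime(2026, 3, 16, 12, 0, tzinfo=timezone.utc)
    print(json.dumps(build_report(SAMPLE_OBSERVATIONS, 14061, now), indent=2))
```

Keeping the rejected list alongside the evidence makes it clear which claims were dropped before submission and why, so the report only asserts what the recipient can confirm.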

Following the shutdown, BreachForums' sitting administrator posted a message on what remained of the forum's homepage. The statement was not defiant. It was a resignation notice and a recruitment ad rolled into one. The admin wrote that they were stepping back from leadership and were actively seeking a "responsible individual or group" willing to take over the forum's operations. Whether that handoff ever materialized is, as of this writing, unclear.

A Forum That Refused to Die: The Full Timeline

To understand why this March 2026 shutdown carries more weight than its predecessors, it helps to trace exactly how BreachForums arrived at this point. The forum's history is a case study in criminal infrastructure resilience — and its eventual limits.

March 2022 — Birth. BreachForums was founded by Conor Brian Fitzpatrick, then 19 years old, operating under the alias "pompompurin." The forum was conceived as a direct replacement for RaidForums, which U.S. authorities had seized earlier that year. Fitzpatrick had previously claimed responsibility for a 2021 hack of FBI email infrastructure. BreachForums quickly established itself as the leading English-language clearinghouse for stolen data, hacking tools, and access brokering.

March 2023 — Founder arrested. Fitzpatrick was arrested in Peekskill, New York. Control of the forum transferred to a hacker operating under the alias ShinyHunters. The FBI seized BreachForums' clearnet domains three months later, in June 2023. ShinyHunters announced retirement from the forum's administration in 2024.

May 2024 — Second major seizure. The FBI, coordinating with international partners, seized the forum again. The seizure notice appeared on both the clearnet site and its onion counterpart. The seizure came in the wake of a significant data leak involving Europol's own portal. The site's administrator at the time — known as Baphomet — was reportedly arrested. The forum was back online by May 29, 2024, under new management.

2024 — IntelBroker takes the helm. A high-profile forum member operating as "IntelBroker" became the new owner, injecting energy into what had stagnated under Baphomet's brief tenure. IntelBroker later transferred ownership to an administrator using the alias "Anastasia."

April 2025 — Zero-day shutdown. BreachForums administrators published a PGP-signed statement disclosing that they had taken the site offline after trusted sources confirmed law enforcement had exploited an undisclosed zero-day vulnerability in the MyBB forum software used to run the site. This was a self-initiated shutdown — the operators pulled the plug before authorities could act further.

June 2025 — French arrests. French police announced the arrest of four individuals alleged to be BreachForums administrators: those operating under the names Hollow, Noct, Depressed, and ShinyHunters. All four were in their twenties. The U.S. Department of Justice simultaneously announced charges against Kai West, known online as "IntelBroker," a prominent figure in the BreachForums ecosystem.

July 2025 — Relaunch under breachforums.hn. ShinyHunters announced yet another relaunch just days after the French arrests, using the .hn domain. The relaunch was short-lived.

August 2025 — Infrastructure seized by France and the FBI. ShinyHunters published a PGP-signed statement via Telegram confirming that the forum's infrastructure was now in the hands of France's BL2C cybercrime unit, operating in cooperation with the U.S. Department of Justice and FBI. The message declared: "The era of forums is over." Investigators subsequently determined that all BreachForums database backups since 2023 had been compromised, along with all escrow databases dating back to the forum's most recent relaunch.

October 2025 — FBI seizure of the extortion site. The breachforums.hn domain had been repurposed by a group calling itself Scattered Lapsus$ Hunters — a coalition claiming members affiliated with Scattered Spider, LAPSUS$, and ShinyHunters — as a data leak extortion site tied to a massive campaign targeting Salesforce customers. The FBI, coordinating with French authorities, seized the domain before the group could begin publishing leaked data from the more than 39 organizations it had listed as targets. Companies named in the extortion campaign included FedEx, Toyota, Cisco, McDonald's, IKEA, Chanel, Adidas, and Walgreens, among others.

January 9, 2026 — The insider leak. A zip archive containing a MySQL database of 323,986 BreachForums user accounts appeared online, published by an anonymous actor using the alias "James." The data included usernames, email addresses, hashed passwords, IP addresses, private messages, and forum posts. According to Have I Been Pwned, the breach had occurred the previous August, two months before the October 2025 FBI seizure. The dump also included a password-protected PGP private key file and a lengthy manifesto. Security intelligence firm Resecurity confirmed that the PGP key was likely used to sign messages from BreachForums administrators.

The breach significantly undermines trust in the platform itself, which is critical for any cybercrime forum. The exposure damages confidence in BreachForums as a secure environment. — Michael Jepson, Penetration Testing Manager, CybaVerse (via CSO Online, January 2026)

March 2026 — CCITIC takes it down. Whatever remnant of BreachForums had persisted into early 2026 was eliminated when CCITIC identified its hosting infrastructure and filed abuse reports with DigitalOcean. The servers went offline. The admin resigned.

The Scale of What BreachForums Enabled

The forum's legal legacy — documented by the U.S. Department of Justice across multiple prosecutions — provides a clearer picture of what was actually being traded on the platform over its four-year lifespan.

According to DOJ filings, BreachForums hosted more than 888 datasets of stolen information comprising over 14 billion individual records of personally identifiable information. Those records included bank account details, Social Security numbers, usernames and passwords for online accounts, and sensitive health and telecommunications data. One database listed the names and contact information for approximately 200 million users of a major U.S.-based social network. Another contained the details of approximately 87,760 members of InfraGard, the FBI's public-private partnership focused on critical infrastructure protection.

Warning:

The January 2026 leak of 323,986 BreachForums user accounts is not merely a symbolic embarrassment to cybercriminals. It represents a potential law enforcement intelligence windfall. The most common email provider used for registration was Gmail. While many IP addresses in the dataset resolve to loopback addresses or anonymizing proxies, users who were careless — registering with identifiable emails, logging in without VPN coverage, or using recognizable usernames across platforms — may have created forensic trails investigators can follow.

Fitzpatrick, the forum's founder, was resentenced to three years in federal prison in September 2025, after the U.S. Court of Appeals for the Fourth Circuit vacated his initial sentence — time served plus twenty years of supervised release — as substantively unreasonable given the scale of the offenses. As part of his plea agreement, Fitzpatrick forfeited more than 100 domain names, over a dozen electronic devices, and cryptocurrency proceeds derived from forum operations.

FBI Assistant Director Brett Leatherman stated at sentencing: "The FBI is working tirelessly to dismantle criminal marketplaces like BreachForums, and we are pursuing the full range of actors who run these platforms. Today's sentencing demonstrates that anyone who helps others profit from theft, fraud, and other cybercrimes is not out of reach." (Source: U.S. Department of Justice, September 2025)

Why This Matters Beyond the Headlines

The March 2026 takedown carries an analytical significance that goes beyond the immediate operational disruption. Three separate dynamics converge here, each worth examining on its own terms.

First, the OSINT-to-abuse-report pipeline is now a proven takedown vector. CCITIC's approach — identify upstream hosting through open-source investigation, document the evidence, submit a structured abuse report to the provider — required no law enforcement authority, no international legal assistance treaties, and no court orders. It required research, documentation, and a contact form. If CCITIC can execute four takedowns in nine days using this methodology, other organizations, including competitors, journalists, and independent researchers, can replicate it. This meaningfully expands the set of actors who can disrupt cybercrime infrastructure.

Second, the January 2026 internal leak has changed the threat calculus for criminal forum operators everywhere. When a forum's own member database — including administrator accounts going back to the founding — ends up published online alongside a manifesto, it signals something more troubling than a data breach. It signals insider betrayal or catastrophic operational security failure. CCITIC noted in its March 2026 analysis that the January leak had caused the ecosystem to fracture, with trust among threat actors collapsing. That collapse is structural, not temporary. Forum-based cybercrime depends on reputation, trust, and the reasonable expectation that sensitive communications remain private. The January leak shattered all three.

Third, ShinyHunters' own statement from August 2025 — that any successor forum should be treated as a law enforcement honeypot — has become the dominant operational assumption in the criminal underground. When the most prominent former operators of a platform publicly advise other criminals to avoid it, the platform's utility as an aggregation point is finished regardless of whether it is technically online. The March 2026 shutdown may represent the final punctuation on a story that effectively ended last summer.

Critical:

Law enforcement agencies have publicly confirmed that seized BreachForums backend data is being analyzed. All BreachForums database backups since 2023 are reported to have been compromised. Any individual who used the forum — as a buyer, seller, moderator, or passive member — faces the possibility that their activity, email address, IP logs, and private messages are now in investigators' hands. The forum's repeated assurances of operational security have proven false at every turn.

What Comes Next

The pattern of cybercrime forum disruption in 2025 and early 2026 has produced a measurable shift in how stolen data moves through the underground. As threat intelligence firm White Blue Ocean documented in a February 2026 analysis, the public forum model — large, indexed, accessible platforms where criminals could browse and transact with relative ease — has been under sustained assault. The response from criminal operators has been a migration toward private, invite-only communities and subscription-based cloud storage models that are harder to identify, harder to attribute, and harder to take down through abuse reports or law enforcement action.

That migration does not make the problem go away. It makes it less visible and potentially more dangerous, concentrating access among more serious and operationally disciplined actors while filtering out the casual participants who occasionally generate the kinds of operational security mistakes that lead to arrests.

The Scattered Lapsus$ Hunters campaign against Salesforce — which claimed over one billion records from more than 39 organizations and demanded ransoms from each — illustrated what this more concentrated criminal ecosystem looks like in practice. The extortion attempt continued to operate from the dark web even after the clearnet domain was seized by the FBI in October 2025. Infrastructure resilience, not forum dependency, is the new baseline.

For defenders, the lesson is not that the threat has diminished. It is that the threat has reorganized. The forums that served as the public face of the data breach economy for years are gone or going. What replaces them will be harder to monitor and harder to disrupt through the mechanisms that worked against BreachForums.

Key Takeaways

  1. Abuse reports work: CCITIC's March 2026 takedown proves that structured, evidence-backed abuse reports to hosting providers can take down criminal infrastructure without law enforcement involvement. Organizations, researchers, and security professionals should treat this as an actionable tool, not a last resort.
  2. Forum-based cybercrime is structurally broken: The combination of repeated law enforcement seizures, the January 2026 internal database leak, and ShinyHunters' public warning that successor forums should be assumed to be honeypots has made BreachForums-style platforms functionally untenable. Trust, the essential currency of criminal marketplaces, is gone.
  3. The criminal ecosystem has not collapsed — it has migrated: Stolen data continues to move through private, encrypted, and subscription-gated channels that are less visible and more operationally disciplined than public forums. Defenders should not interpret BreachForums' collapse as a reduction in overall threat volume.
  4. Seized data creates long-tail legal exposure: Law enforcement agencies have confirmed access to BreachForums backend data going back to 2023. The investigation is ongoing. Former participants remain exposed to identification and prosecution regardless of whether the forum itself remains online.
  5. The Conor Fitzpatrick resentencing signals judicial recalibration: The U.S. Court of Appeals' decision to vacate a sentence of time served for operating a 14-billion-record stolen data marketplace establishes that courts will treat the scale of cybercrime infrastructure as a material sentencing factor. Future operators of similar platforms face substantially longer sentences.

BreachForums began as a replacement for a forum the FBI had seized. It was seized twice itself, rebuilt multiple times under different administrators, survived arrests, zero-day exploits used against it by law enforcement, a massive internal data leak, and an admin who quit on the job. In the end, it was taken offline not by a multi-agency task force but by a non-profit with an internet connection and a documented abuse report. That, more than anything else in this story, reflects how far the investigative and disruptive toolkit has expanded beyond the walls of traditional law enforcement — and how exposed cybercriminal infrastructure remains, even when its operators believe they are hidden.

Sources
  • TechRadar — "Notorious online data leak market BreachForums taken down by whitehat heroes" (March 2026) — techradar.com
  • Cybernews — "Cybercriminal haven BreachForums knocked offline" (March 2026) — cybernews.com
  • U.S. Department of Justice — "Founder of One of World's Largest Hacker Forums Resentenced to Three Years in Prison" (September 2025) — justice.gov
  • U.S. Department of Justice — "United States Leads Dismantlement of One of the World's Largest Hacker Forums" (LeakBase) — justice.gov
  • BleepingComputer — "FBI takes down BreachForums portal used for Salesforce extortion" (October 2025) — bleepingcomputer.com
  • CSO Online — "Notorious BreachForums hacking site hit by 'doomsday' leak of 324,000 criminal users" (January 2026) — csoonline.com
  • SOCRadar — "BreachForums Seized (Yes, Again)" (October 2025) — socradar.io
  • Wikipedia — "BreachForums" (updated March 2026) — wikipedia.org
  • Cybernews Ransomware Roundup — "RAMP takedown and BreachForums leak shake ransomware infrastructure" (February 2026) — cybernews.com
  • White Blue Ocean — "Cybercrime in 2026: From Public Leaks to Private Clouds" (2026) — whiteblueocean.com