“i know it hurts your little dick seeing a true hacker like me in a crowd full of skids and sheep,” said a man with no knowledge of anatomy

After the arrest of  Breached.vc’s owner “Pompompurin” in March, Breached.vc was taken offline by an administrator because it seemed likely the server had been compromised by law enforcement. Months later, the domain was seized by law enforcement.

The arrest of Pompompurin and shuttering of the popular hacking forum left a void for those looking to buy and sell databases or leaked data. As DataBreaches reported, a number of new forums quickly popped up — and some cyberdrama ensued.

A search this week found lots of detritus but only a few forums with fresh content for those looking to buy or sell databases with personal information or corporate information. Are forums on their way out after the arrests of RaidForums and Breached.vc’s owners and seizure of their user databases and domains, or are things just rebounding slowly?

• Two popular Russian-language forums, XSS.is and Exploit.in, continue to have active members and topics, but neither forum seems to have much new content in their Bases sections when it comes to databases and leaks.
• LeakBase.org is trying to grow itself, but much of its content appears to be just copies of data leaked by ransomware groups on their dark web leak sites or Telegram channels.
• Other forums are still attempting to expand, like Nefarium (onion only), DemonForums.net, DarkForums.me, BlackForums.net, and OnniForums.com.  BlackForums.net has recently aligned with SiegedSec, GhostSec, ThreatSec, and Stormous, which should produce more databases on their sites, and more in the way of hacktivism.
• BreachForums.is is growing, but very slowly compared to the growth of RaidForums and then Breached.vc before it. The arrests of the forum owners and seizures of those domains may have scared some people away, but there are also genuine concerns about the fact that the forum logs activity and PMs. BreachForums.is has implemented purging and pruning policies, but there is still concern. There is also concern that the forum owner and moderators have not really engaged much with the members. ShinyHunters has a reputation as an experienced hacker but is like an absentee landlord. As one moderator pointed out to me, Pom didn’t sit on shoutbox all day, but would drop in, ask for opinions on things, respond to questions, and gift ranks. His participation was key in encouraging members to be more involved.

How Not to Grow a Forum

But not all owner involvement pays off. While BreachForums.is is slowly growing, OnniForums’ owner, dkota, is providing a master class in how not to grow a forum. There is little original content in terms of databases or leaks, and at times, dkota seems to be using alts or posing as others to embarrass them. In recent months, someone believed to be dkota created an account as ShinyHunters and then sent private messages to users offering to sell their account or their database. In other immature behavior, someone who is also believed to be dkota, keeps posting as “NSA” to humiliate “NSA.” “NSA” was the username for the owner of the KickAss Forum who had been known as “DataBroker” on OnniForums. At the beginning, he appeared to be helping dkota, but then, well, something likely happened, because dkota wrote a long story about DataBroker, outing him as NSA of KickAssForums and casting other negative aspersions about him.

So is this what members of OnniForums should expect? That if they stop helping dkota or lauding him, he will turn on them publicly or out them?

DataBreaches got a taste of that recently after getting an email from DataBroker claiming that dkota was lying when he took credit for various hacks and leaks such as BreachForums,is, Rebreached, and DarkForums, After reading DataBroker’s correspondence, there were definitely questions about dkota’s claims. Was he just taking credit for others’ work? Or was DataBroker lying?

DataBreaches logged in to OnniForums to send dkota a private message to ask him some questions. But it appeared that dkota had already contacted me through the forum PM system to tell me that he was giving me VIP status and he hoped I would do an article on the forum based on a challenge he had posted months ago. He also stated that DataBreaches was dealing with too much in forum drama and should do real pieces. [Note: DataBreaches.net has published more than 34,000 posts since it opened in 2009. A handful have dealt with forum drama. DataBreaches includes such posts to show the public what really goes on in some forums where the general public may imagine high-level blackhats hanging out, when in reality, many are just immature kids spouting bigoted language because they think it makes them look cool.]

When DataBreaches pointed out in a reply PM that dkota appeared to be the source of a lot of the drama he claimed to abhor, he removed the VIP status, and responded  in PM:

i know it hurts your little dick seeing a true hacker like me in a crowd full of skids and sheep (sheep here being people like you)

either way, it’d be real shame if your site got hacked and i falsely took credit for it, eh

Obviously, his education system failed him on so many levels.

Not content to make a fool of himself in PM, dkota then called me on the phone, using a prank call number. The conversation was probably less than 30 seconds with him claiming I had called his number three times, me repeating that I hadn’t called him at all, and then hanging up on him when I realized it wasn’t just an innocent wrong number.

Dkota uploaded that phone call and tried to portray it as “funny.” Funny? It was boring and stupid. He followed up by trying to guess my age. Others jumped in to help him  — or tried to — by suggesting I might be some woman in Florida and maybe I really do have a PhD because my username on infosec.exchange also says PhD. Then they all did a circle negative rep dance.

Never have so many got so much wrong so quickly.  But then these are people who probably believed dkota when he suggested that LolekHosted got taken down because he had recommended it the week before.

The idea that the FBI is reading his forum and taking action based on his recommendation of lolekhosted.net may be the funniest thing he’s ever posted — well, that and his claim that the FBI “will pay for this.”

Eventually, his few active forum members may realize they’re wasting their time there. For now, BreachForums.is seems to be the most active forum for databases and leaked data sets.

Update: Nefarium was added to this post after publication.