When the FBI and its law enforcement collaborators seized BreachForums on May 15, a splash screen announced the seizure. But by the next morning, BreachForums appeared to have regained control of its domain. How that happened has yet to be explained by law enforcement. On May 20, DataBreaches reported that a Swiss prosecutor had provided CloudFlare with a court order to cancel BreachForums' account. But there was still no explanation for how the domain had been recovered.
It has been one week since the site was seized. The Department of Justice still hasn't issued any press release about the seizure or the presumed arrest of Baphomet, the forum administrator. Baphomet's arrest had been suggested by his avatar behind bars on the splash screen and was confirmed by the forum's owner, ShinyHunters. Baphomet has not been heard from since, and his Telegram channel remains under the control of the FBI, but there has been no official confirmation of any arrests as yet, neither of Baphomet nor of a second individual represented by a second avatar behind bars on the seizure notice splash screen.
NiceNIC was initially unhelpful?
Today, DataBreaches was provided with the body of an email that appears to be from an FBI agent to NiceNIC. The email states, in relevant part:
Earlier this week, on May 15th, 2024, the FBI had conducted an operation against the illicit forum and marketplace ‘BreachForums’. Some public cybersecurity outlets caught wind of the actions, such as BleepingComputer and Arstechnica, and posted articles on the domain seizure and subsequent splash page. On the morning of the operation, the FBI seized control of a few domains associated with BreachForums, including breachforums.st and others, that were hosted by NiceNic. We were able to lawfully seize them by serving a court-ordered seizure warrant on an account owner located in the United States. All of the websites that we seized from the account were dedicated to the theft, sale, and sharing of data stolen from victims around the world. Ultimately, our efforts to take down BreachForums were done to prevent any further damage done by the website to countless victims globally.
However, a few hours after the seizure of the domains, around May 15th at 9PM PST, we noticed that the breachforums.st domain was released from our custody and given back to the original threat actor. We also noticed that we were unable to log into our official FBI account at NiceNic, which was registered with the email breachforums@fbi[.]gov (username: bf_fbi), leading us to believe that the account was suspended.
As such, I was wanting to provide some additional context around the situation to hopefully overturn the account suspension, in addition to returning the lawfully-seized domains back to the FBI NiceNic account. We believe the ‘breachforums.st’ domain, along with ‘breachforums.ru’, ‘breachforums.su’, ‘breachforums.uz’, and ‘breachforums.af’, were all used or owned by the illicit marketplace BreachForums in the furtherance of cybercrime.
Additionally, within your domain registration terms of service, you reference that the services will not be used to “promote hacking, cracking, or other cyber crimes or activities”, which is a common activity found within and associated with BreachForums. If the domains cannot be returned to the FBI, we would kindly request that the nameservers be changed to FBI-owned nameservers or suspended via a clientHold to prevent further harm in accordance with your terms of service. The NiceNic account which currently holds the domains, ‘vincenzotroia’, has actively disregarded and broken your service agreements by continuing to host these domains.
Domain now locked down
As of this morning, BreachForums.st is now unreachable. A whois lookup for breachforums.st shows:
Domain Name: breachforums.st
Registrar: NETIM
Name Server: a.dns.domgate.com
Name Server: b.dns.domgate.com
Name Server: c.dns.domgate.com
Status: clientTransferProhibited
Updated Date: 2024-05-22
So it seems that NiceNIC has locked down the domain now.
Earlier today, DataBreaches also sent an inquiry to DOJ asking if they would now issue any statement or press release about the seizure and any arrests. They did not reply.
UPDATE 1, May 23: The FBI splash screen was back, but that was temporary. ShinyHunters tells DataBreaches, “After the FBI finally managed to seize the domain, I was able to get the domain transfer code, ICANN doesn’t know about it, and finally managed to transfer the domain to another registrar, rip agent sean.”
A whois lookup now showed:
Whois Server Version 3.3.2
Domain Name: breachforums.st
Registrar: ST Registry
Name Server: ns1.parking.st
Name Server: ns2.parking.st
Status: serverTransferProhibited, transferPeriod
Updated Date: 2024-05-23
Creation Date: 2023-12-13
Expiration Date: 2025-12-13
Minutes later, a refresh showed:
Domain Name: breachforums.st
Registrar: ST Registry
Name Server: ns1.ddos-guard.net
Name Server: ns2.ddos-guard.net
Status: pendingUpdate, serverTransferProhibited, transferPeriod
Updated Date: 2024-05-23
Creation Date: 2023-12-13
Expiration Date: 2025-12-13
ShinyHunters tells DataBreaches that parking.st is his registration, as is the change to ddos-guard.net.
And poof, the FBI splash screen was gone again, replaced by the forum’s “Join our Telegram Channel” screen.
The FBI has lost control of the domain again, it seems.
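As an added example, not code from the original post or from any party mentioned in it, the following Python script parses the three WHOIS snapshots quoted above (embedded as constructed test input, two of them exactly as extracted with their line breaks run together), diffs consecutive snapshots, and spells out what each EPP status code means. It makes explicit the point the sequence above turns on: clientTransferProhibited and serverTransferProhibited only block registrar transfers, neither of them stops the registrant from changing nameservers, and only a clientHold or serverHold (the remedy the FBI email asked NiceNIC for) actually takes the name out of the zone. The status descriptions paraphrase ICANN's published EPP status code definitions; the function names and the flattened-record parsing are my own.

```python
import re

# EPP status codes seen in the WHOIS records above, paraphrased from ICANN's
# published EPP status code definitions.
EPP_STATUS = {
    "clientTransferProhibited": "registrar-set lock; the registry rejects transfer requests",
    "serverTransferProhibited": "registry-set lock; transfers are rejected until the registry lifts it",
    "clientHold": "registrar hold; the name is removed from the zone and stops resolving",
    "serverHold": "registry hold; the name is removed from the zone and stops resolving",
    "pendingUpdate": "an update (for example a nameserver change) is being processed",
    "transferPeriod": "the domain was just transferred and is in the registry's transfer grace period",
}

# Thin-WHOIS field labels. Splitting on the labels rather than on newlines lets the
# parser cope with records whose line breaks were lost (as in two snapshots below).
FIELDS = ("Domain Name", "Registrar", "Name Server", "Status",
          "Updated Date", "Creation Date", "Expiration Date")
FIELD_RE = re.compile(r"(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")

# Constructed inputs: the three records quoted in the post. SNAP_MAY22 and
# SNAP_MAY23_B are kept exactly as extracted, with the line breaks run together.
SNAP_MAY22 = ("Domain Name: breachforums.stRegistrar: NETIMName Server: a.dns.domgate.com"
              "Name Server: b.dns.domgate.comName Server: c.dns.domgate.com"
              "Status: clientTransferProhibitedUpdated Date: 2024-05-22")
SNAP_MAY23_A = """Whois Server Version 3.3.2
Domain Name: breachforums.st
Registrar: ST Registry
Name Server: ns1.parking.st
Name Server: ns2.parking.st
Status: serverTransferProhibited, transferPeriod
Updated Date: 2024-05-23
Creation Date: 2023-12-13
Expiration Date: 2025-12-13
"""
SNAP_MAY23_B = ("Domain Name: breachforums.stRegistrar: ST RegistryName Server: ns1.ddos-guard.net"
                "Name Server: ns2.ddos-guard.netStatus: pendingUpdate, serverTransferProhibited, "
                "transferPeriodUpdated Date: 2024-05-23Creation Date: 2023-12-13Expiration Date: 2025-12-13")


def parse_whois(text):
    """Parse a thin WHOIS record into a dict; nameservers and statuses become lists."""
    parts = FIELD_RE.split(text)  # [preamble, key1, val1, key2, val2, ...]
    rec = {"Name Server": [], "Status": []}
    for key, val in zip(parts[1::2], parts[2::2]):
        val = val.strip()
        if key == "Name Server":
            rec["Name Server"].append(val.lower())
        elif key == "Status":
            rec["Status"].extend(s.strip() for s in val.split(",") if s.strip())
        else:
            rec[key] = val
    return rec


def transfer_locked(rec):
    """True if a registrar or registry transfer lock is set."""
    return any(s in rec["Status"] for s in ("clientTransferProhibited", "serverTransferProhibited"))


def on_hold(rec):
    """True only if the name has been pulled from the zone (the thing a seizure needs)."""
    return any(s in rec["Status"] for s in ("clientHold", "serverHold"))


def diff_whois(old, new):
    """Return human-readable findings for what changed between two snapshots."""
    findings = []
    if old.get("Registrar") != new.get("Registrar"):
        findings.append(f"registrar changed: {old.get('Registrar')} -> {new.get('Registrar')} (the name was transferred)")
    if old["Name Server"] != new["Name Server"]:
        findings.append(f"nameservers changed: {old['Name Server']} -> {new['Name Server']} (control of resolution moved)")
    for s in sorted(set(new["Status"]) - set(old["Status"])):
        findings.append(f"status added: {s} ({EPP_STATUS.get(s, 'undocumented code')})")
    for s in sorted(set(old["Status"]) - set(new["Status"])):
        findings.append(f"status removed: {s} ({EPP_STATUS.get(s, 'undocumented code')})")
    if transfer_locked(new) and not on_hold(new):
        findings.append("note: a transfer lock is not a hold; the registrant can still change nameservers and the name still resolves")
    return findings


if __name__ == "__main__":
    snaps = [("May 22", parse_whois(SNAP_MAY22)),
             ("May 23 (first)", parse_whois(SNAP_MAY23_A)),
             ("May 23 (refresh)", parse_whois(SNAP_MAY23_B))]
    for (a_label, a), (b_label, b) in zip(snaps, snaps[1:]):
        print(f"{a_label} -> {b_label}")
        for line in diff_whois(a, b):
            print("  " + line)
```

Run as a script, the first diff reports the registrar change from NETIM to ST Registry together with the swap from a client lock to a server lock plus transferPeriod, which is the registrar transfer ShinyHunters describes; the second diff reports only a nameserver change and a pendingUpdate, with the transfer lock still in place, which is exactly why a lock alone never took the site down. Pointed at live data, the same parser works on the output of a whois client or an RDAP response rendered as text, and the note it emits is the check to watch for: no clientHold or serverHold means the name still resolves wherever its nameservers say.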
Note: The email content provided to DataBreaches contained the names of two FBI agents. That material has not been reproduced in this post.