As predicted a few days ago, BreachForums was seized. The splash page is now up. It does not have any cute avatars with characters in handcuffs and no text about all the entities that cooperated. It simply says, “This Domain Has Been Seized,” and shows four shields: Department of Justice, FBI, BL2C, and JUNALCO. The latter two are the French agencies that have been heavily involved in trying to catch and thwart ShinyHunters.
At the time the domain was seized, ScatteredLAPSUS$Hunters was getting ready to leak data from 39 Salesforce customers if Salesforce did not pay them an undisclosed ransom amount. The deadline for payment is October 10 at 11:59 PM Eastern.
Only the clear net version of the forum/leak site is impacted as of now; the onion version of the leak site still appears to be working normally and could still be used to dump 39 companies’ data, including Qantas, Air France & KLM, Disney/Hulu, UPS, FedEx, Home Depot, Gucci, Toyota Motors, and many more.
The onion version of the official BreachForums domain was also seized.
Over the past week, DataBreaches was checking the domain registration to see if it had been changed, which is often a sign of a seizure in progress. This week, we noted that the name servers were changed to Cloudflare servers, but then days later to 101domains.com name servers. Today, the name servers are ns1.fbi.seized.gov ns2.fbi.seized.gov.
Of note DataBreaches had noted that backup domains for breachforums[.]hn were changed sometime last month to 101domains.com and 101domains.com name servers. DataBreaches suspects that this was to make sure that the threat actors did not have backup domains available to use for the leak site once the main domain was seized. As of today, the name servers for the backup domains have also been changed to ns1.fbi.seized.gov and ns2.fbi.seized.gov.
There is a mix of emotions in the Telegram channel, with some suggesting this is the end and others calling upon Shiny to show up:
The Telegram channel has been temporarily locked by its admins.
DataBreaches has left a message for Shiny on his individual account asking whether he has any statement or comment. This post will be updated if a reply is received. He has not said goodbye on the Telegram channel and was acting normally when DataBreaches last heard from him about 24 hours ago.
This post was edited to indicate that the clear net and onion versions of the forum were seized, but the onion version of the leak site with the Salesforce victims was not seized.