When BreachForums[.]st went offline on April 15, the rumor mills sprang into action. Claims that the forum had been seized (again), or that the owner, ShinyHunters, or Anastasia had been arrested were tossed around, with the only evidence to support any of the claims being redirects of Telegram accounts to FBI Telegram accounts.
So of course, it was time to send in the clowns clones.
ZeroFox would try to make sense of some of what happened next, but as one might predict, they wound up with a bunch of conflicting reports, including claims by DarkStorm that they had DDoSed BreachForums[.]st and then Breached[.]fi.
Breached[.fi]
One of the early contenders to replace BreachForums[.]st appeared at breached[.]fi. Their April 23 announcement by “Normal” claimed that BreachForums was officially back online at this new domain. That lie was followed by the rest of their announcement, which stated, in part:
Due to the seizure of the breachforums[.st] infrastructure, we have made a critical decision:
No backups of user data or previous content will be restored.
This is a security-first approach. Given the full compromise risk, we are treating all previous user data as potentially exposed.
Except there was still no notice showing that BreachForums[.]st had been seized. The forum’s claim seemed to be just an excuse for the fact that “Normal” was not the real owner of BreachForums[.]st and had no user database or previous content to upload.
Breach Forums.ST Seized !
Intel Broker and Shiny was arrested. FBI will post announce soon!
Me , (Anastasia) Resigned and consider BF was down forever and no more want to play with it.
I sell full backup Database from (10 apr.2025) , + Source Code.
Contact Me
Session if you want to buy: 0536106a030cf3733924c309318f8al2eeb3bdf254e7a05a3bfd49858dd55ee736
Price: 2,000S
There was so much obviously wrong with that post that it’s hard to know where to begin. Maybe we can simply point out that the poster, who claimed to be Anastasia, said that Shiny had been arrested and that they had resigned. “Anastasia” was just an alt of ShinyHunters, so if Shiny had been arrested … then … right.
BreachForums[.sx]: Impostors
Another contender is still online, however, so let’s consider BreachForums[.sx]. On April 27, a notice appeared claiming that the bulletin board was closed:
Still now, after more than 1 month, no one has been able to contact ShinyHunters or IntelBroker. Because of this, we believe the infrastructure was either seized or fell into the wrong hands.
We were considering not backing up the forum during these past days, but after seeing what happened with “Anastasia” — who completely failed at reinstating the forum — it was clear action needed to be taken. That’s why today, I, Momondo, have officially taken Ownership of BreachForums.
I am committed to supporting and rebuilding the community stronger than before. We do not cooperate with Anastasia — who has completely failed, or maybe even impersonated, who knows.
However, all old staff members are welcome if they want to return and continue with us. More information will be released very soon! Stay tuned!
⚠️ Please beware of any fake websites that are coming up —
The only real domain for now is: BreachForums.sx

It’s interesting that “Momondo” suggested that “Anastasia” might have been impersonated. When “Momondo” emailed DataBreaches to inform us that they have taken over the forum, DataBreaches let them know that we know they are NOT the real “Momondo” from BreachForums and that they are an impostor.
“Momondo” is not the only impostor on BreachForums[.sx]. There is a moderator called “Armadyl.” That, too, is an impostor, as DataBreaches has also confirmed with the real “Armadyl.”
DataBreaches suspects that other named moderators or admins on BreachForums[.]sx are also impostors, but hasn’t spent time trying to confirm that because there is no doubt that Momondo and Armadyl are impostors.
If the people in charge of BreachForums[.sx] are impostors, is BreachForums[.]sx a honeypot or is it a scam site, or is it just people trying to capitalize on the disappearance of BreachForums[.]st? And why would anyone trust them at all?
BreachForums[.]st Online Again
But then BreachForums[.st] appeared online again, and with a PGP signed message:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello everyone,
We would like to provide an update on recent events over the past two weeks. In or around April 15, we received confirmation of information that we had been suspecting since day 1 – a MyBB 0day. This confirmation came through trusted contacts that we are in touch with, which revealed that our forum (breachforums.st) is subject to infiltration by various agencies and other global law enforcement bodies.
Upon learning of this, we immediately took action by shutting down our infrastructure and initiating our incident response procedures. Our findings indicate that, fortunately, our infrastructure were NOT compromised, and no data was infiltrated. Subsequently, we began auditing the MyBB source code and we believe we have identified the PHP exploit.
We would like to sincerely apologize to the community and our staff for the lack of communication and transparency during this time. As you can appreciate, given the nature of our work, our priority had to be securing the safety of our infrastructure, staff, and the community above all else. Now that our incident response is complete, we are actively working on a complete rewrite of the forum backend.
Finally, we would like to address the growing number of BreachForums clones and the various rumors circulating about us and our administrators. We want to reassure everyone that no members of our team have been arrested, and as previously mentioned, our infrastructure remains secure. We strongly advise against engaging with these BreachForums clones, as they are likely honeypots and cannot be trusted. Please exercise caution and be discerning in whom you trust and which services you use.
Thank you for your understanding and continued support.
Best regards,
BreachForums Administration
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Is that the real ShinyHunters? It seems quite likely, but does that mean that they had identified a 0day that put the MyBB forum at risk and took it offline for that reason?
Allegedly getting confirmation of a 0day wouldn’t really explain ShinyHunters’ recent behavior, which included shutting down his Telegram account and/or redirecting it. And if there really was a 0day, one would expect a lot of MyBB forums to have been hit with it. The whole forum message reads like an excuse for their disappearance and a stall for why they may not (or won’t) reappear soon.
Perhaps the only thing that seems true in it at this time is that no members of the forum team have been arrested. At least — not yet.
Time will tell whether BreachForums[.]st really comes back and if it does, whether it will be under new ownership.
Update: It appears that a poster on DarkForums provided some proof that the same individual was behind breached[.]fi and breachforums[.]sx.