In a somewhat unusual approach to marketing, a new hacking-related forum intentionally leaked a database with the usernames and email addresses of many of the very people it hopes will register for its new forum — and then advertised the leak. How’s that working out for them so far?
When RAIDForums was seized by law enforcement in 2022, one of the forum users, Pompompurin, stepped up and opened BreachForums based on the RAIDForums design and policies. And when BreachForums was taken down by an administrator after Pompompurin was arrested and databases were seized, forum users waited for the administrator, “Baphomet,” to create a new and secure forum for them. But more than two months later, there has been no replacement forum for BreachForums, although there have been some attempts, like the short-lived Vice Forums that went up quickly in March but was taken down after one hour due to security issues. It never came back as a real forum.
This week, talk within the BreachForums community was that the threat actor known as “ShinyHunters” on Telegram (@sh_corp on Twitter) would be opening a forum to replace BreachForums with the assistance of BreachForums staff. Because ShinyHunters had been active on RAIDForums and BreachForums, they already have a known history and reputation that may make people feel more confident that the new forum will not be a federally controlled honeypot.
But there is also another new contender seeking to attract users, and Exposed[.]vc (“Exposed”) made a bold move to get attention — they leaked a users’ database from RAIDForums. The database contained 478,000 entries with usernames, email addresses, date registered, last date the user visited the forum, and other fields, including some IP addresses. The earliest entries appeared to be from March 2015 and the most recent were from September 2020 [RAIDForums continued until early 2022 when it was seized by law enforcement].
If you had been a registered user of RAIDForums and a new forum by someone unknown to you just leaked the RAIDForums user database, would you be inclined to trust that forum or forum owner? Or would you figure that since law enforcement already seized the databases from RAIDForums, there was no additional risk to you by the leak?
Exposed had already been making some progress in gaining users. The BlackByte ransomware gang used the forum in May to leak 10 GB of data from its Augusta, Georgia attack, and the hacker known as “Bjorka,” who has been a thorn in the Indonesian government’s side for more than a year, also started leaking data on the forum. But it was the leak of the RAIDForums user database that really got attention.
DataBreaches asked “Impotent,” the owner of Exposed, if they would answer a few questions and they agreed. DataBreaches notes that there is almost nothing in what Impotent claims that could really be confirmed or disconfirmed by this site. The following was conducted by email and Telegram over the past two days and has been lightly edited for clarity and length:
Interview with “Impotent”
Dissent Doe (DD): Because users are generally suspicious that any forum or site is a honeypot or federally controlled, let’s start with who “Impotent” is. Are you willing to say what username(s) you used on RAIDforums and BreachForums? If you’re not, why not, and why should people trust you?
Impotent (I): Impotent was the regular dude that started by searching how to make money online. Not long after I got my hands to operate a few DN services and some other stuff that helped me live through. It is not possible to fully trust me, same as I don’t trust anyone even my close people. I think it is a good time for everyone to think about their own opsec and decide who to trust.
DD: You didn’t answer that as directly as one would hope, so to follow up: A number of people have said/claimed that you are Kmeta. Are you willing to confirm or deny that you were Kmeta on BreachForums?
I: Officially I deny the existence of any old alias. What people say is really just a very small part of the whole story. But no; I am not.
DD: Why did you create Exposed? And have you ever created and secured a forum before?
I: Due to a “fatal” ending of a service I was administrator on for a very long time.
DD: But have you ever created and had sole responsibility for securing a forum before? If this is going to be all on you, how good are your forum-securing skills?
I: I was holding a website but not a forum. I had the responsibility for securing a service before. I believe in myself so I have to say my skills are excellent.
DD: Who will have authorized access to the databases of Exposed?
I: Only Impotent
DD: For how long will Exposed retain logs?
I: Logs such as IP addresses get purged every 24h.
DD: Are there any circumstances under which you will comply with law enforcement requests for user info or post removal? If so, what are those circumstances?
I: Never. The only posts that can be removed within a report are posts containing CP.
DD: When I had interviewed Pom around the time he opened BreachForums, he wasn’t particularly concerned about being caught or arrested. Are you concerned at all about being identified and arrested, indicted, and/or extradited to the U.S. (if you are not currently in the U.S.)?
I: I mean, I was never worried about myself. Of course I have it in mind that at any time I can get busted. For that purpose we make sure that the infrastructure is really untouchable. It’s not my first fight with US feds, so I think they should be given a rematch.
DD: Can you clarify that or say more about that? Do you feel you were in a fight in the past with the U.S. somehow?
I: In the past I was being a target of the US government. Sadly for them and good for me, they gave up. So I think it’s fair play to have a rematch.
DD: Can you say why you were a target?
I: Nope. Everything not connected with my current alias is not to be shared.
DD: OK. I had to ask, though. 🙂
I: Of course haha
DD: Yesterday it was announced that ShinyHunters will re-open BreachForums with support from BreachForums staff. What are your thoughts on that? [Note: the new forum will likely not be called BreachForums because that domain is still owned by its former owner.]
I: I like to play with my enemies (aka future victims) before the act :^)
DD: Do you consider all competitor sites “enemies?” If you consider ShinyHunters and BreachForums your enemies, how far would you go to make victims of them?
I: I would go as far as I would go to anyone else. It’s nothing special that shiny hunters are affiliated in the project. Just one more name added to the black list.
I do take everyone that may steal my business as competitor.
DD: How did you get the RAIDForums user db that Exposed leaked and when did you first get it?
I: Data is the gold of the internet. The source of data will remain unknown because it was promised to the people affiliated with the breach.
DD: Why did you leak it?
I: After I got an offer for the data for an X amount I decided if it’s really worth so much, I can leak it and actually earn more in the long time perspective.
DD: Are you saying you got an offer to buy the db and you decided to leak it instead to bring in more users?
I: It was leaked mostly for the forum to pop up. I wanted to use it as free advertisement.
DD: Did you buy the user db from anyone to begin with or was it just given to you?
I: The user db was bought.
DD: Do you have other dbs from RAIDForums?
I: I have the dehashed version [of the users db] from four days before it was seized. It won’t ever be public due to most of the people use master passwords
DD: Did you obtain any other RAIDForums dbs other than users?
I: Nope.
DD: Is there anything else you think potential users should know that would make them want to register with Exposed?
I: If any of you feel insecure, please, PLEASE don’t register! There is no way for me to prove my words. I hope in time we can get trusted enough for everyone or at least a big % of the potential users!
You should never really give up any information that can lead to your real identity on forums anyways so I don’t think you should have trust issues from someone that can’t take anything from you.
DD: Thank you for your time.
So What Next?
Exposed and Impotent have certainly attracted some attention, but it has not all been positive. Some criticisms have been raised on various Telegram channels and Impotent’s Twitter account.
ShinyHunters recently indicated it would likely take them less than a month to do some rewriting of BreachForums to get it up and running with some new features. When DataBreaches asked Impotent if Exposed would fold if Shiny’s forum opens and takes off in registrations, Impotent replied, “It’s most likely for them to close but not us. The forum would not close since I am looking for a very long time project.”
Time will tell.
As of now, Exposed has 4,918 registered members. This morning, the forum has a maintenance notice: “Today we will be doing a server-wide re-encryption. Estimated Downtime/Maintenance: 5h.” They followed that with an explanation:
I want to inform you about the inspections we conducted today and the additional protections we have taken.
Since for us, as well as for you, we think that the security of the forum is the most important, and to ensure its existence in the future, we have taken several actions and checks, of which:
Regarding the infrastructure: In order to ensure the long life and security of the forum, we have taken actions with which we are no longer on the hosting infrastructure and have completely switched to (FastuFlux) solutions to ensure that there will be no problems with DDOS as well as with the server’s IP. – SUCCESS!
About file protection: In order to secure the entire infrastructure from the file side, we have taken steps to double-encrypt the (MyBB) files as well as the database, which is re-encrypted every 1 hour! – SUCCESS!
About Log Retention Check: Since we had configured the entire server to not contain any logs for user IPs from the (MyBB) database, and all other server logs to go to (/dev/null) we ran additional checks to make sure that this is the case and there are no logs stored, which means that no logs are stored regarding the IP addresses of registered forum users. – SUCCESS!
It won’t last. web.archive.org/web/20230601001951/https://exposed.vc/Thread-What-is-the-relationship-between-Exposed-and-PwnedForums?pid=4421