[Please see corrections at end of post.]
Over the past week, DataBreaches has been contacted by a few journalists who have been somewhat understandably confused about the situation with the original BreachForums and a new forum calling itself BreachForums. And from reading news reports this week, I see that some journalists are making errors, so this post is as much for those wishing to report on BreachForums as it is an update on what has evolved into a bit of a soap opera.
First things first and no disrespect intended: just because a forum calls itself “BreachForums,” it does not mean it is really the resurrection or reappearance or “resurfacing” of any earlier forum called “BreachForums.” Sadly, I think that despite good intentions, the new “BreachForums” forum has created a lot of confusion by calling itself “BreachForums,” and writing “welcome back to Breachforums” in its announcement. Then again, maybe the users understand and it’s just us journalists who get confused. 🙂
But to prevent confusion, I suggest that from now on, we talk about “BreachedVC” (the forum owned by Pompompurin that called itself “BreachForums” but was on the breached.vc domain) and “BreachForumsVC” which is the new forum owned by ShinyHunters that also calls itself “BreachForums” but is on breachforums.vc.
Even though BreachForumsVC looks a lot like BreachedVC looked and even though it may use some of the coding from BreachedVC, it is not really a clone and needs to be assessed and evaluated in its own right and for its own reputation.
A Bumpy Grand Opening
BreachForumsVC has been dealing with somewhat to-be-expected glitches and challenges. To get the new forum up and running, a decision was made to temporarily use MyBB, but ShinyHunters claims they are recoding the whole forum and will have it done by sometime in July at the latest.
In the meantime, some users’ anxiety that BreachForumsVC might be a honeypot or federally controlled was fueled by some messages that have shown up on BreachedVC warning people about any forum calling itself “BreachForums.” The warnings quote from an earlier warning by Baphomet after BreachedVC’s owner was arrested but also include a note that BreachForumsVC has already been hacked.
The messages on BreachedVC, along with pages created on the server about individuals known to the community, left many people with questions about who has access to the BreachedVC server and whether they could trust BreachForumsVC. The breached.vc domain was never seized by law enforcement (or if it was, they never announced it), but law enforcement may have access to it.
Baphomet, the administrator under BreachedVC and now an administrator for BreachForumsVC, attempted to address the warning messages, writing that the control of the page appears to be in government hands or hands associated with the government and the messages are intended to create distrust of the new forum. DataBreaches agrees that the intent of the messages appears to be to create distrust of the new forum, but remains unconvinced as to who is responsible for the messages and new pages.
BreachForumsVC Under DDoS Attack by Impotent
As reported previously, “Impotent” of Exposed.vc quickly went from claiming that he would never close his forum even when ShinyHunters’ forum opened to claiming that his forum was up for sale because he didn’t have enough time to maintain it. In short order, that pronouncement was followed by (1) claims by others that he was scamming potential buyers and then (2) claims by yet others that the sale was a cover-up for the fact that Exposed.vc had been hacked by OnniForums.
And if that wasn’t enough to make some heads spin, we would later learn that Impotent was simultaneously DDoSing and attempting to extort ShinyHunters into giving him 50% ownership in BreachForumsVC. Shiny refused.
[In the interests of accuracy, DataBreaches notes that after this site’s previous reporting on Impotent, he contacted this blogger on Telegram to say there was a lot wrong in the reporting. DataBreaches asked him twice to indicate what he claimed was inaccurate so that we could issue a correction if one was needed or address his complaint, but he never responded. For those keeping track, his @ImpotentDude account became “Hriste Boze,” and then “Deleted Account.” Since then he has used a variety of usernames, including “Mioko.” The Mioko account has since been banned on BreachForumsVC.]
Eventually, Impotent, who quickly acquired a negative reputation on BreachForumsVC, claimed that Exposed.vc was always intended as just an exit scam to get money from any users who would sign up for the forum and pay to get increased rank. He claimed to have made $56,000 in the scam, although he only pointed to a wallet with $10,000, allegedly for sign-ups.
Leaving scam victims in his wake and now calling himself “Mioko,” Impotent continued to try to extort ShinyHunters via PM on the forum. The following exchange took place in PM this week, where Mioko reminded Shiny that he had given him a chance to be a team but Shiny had chosen “big news” instead. That appeared to be a reference to the DDoS attack. Mioko now asked Shiny again whether he wanted to be a team or if he was ready for more “big news.” Shiny answered, “You already leaked the db. Fuck off.”
In response, Mioko eventually backed off in his demands, asking only to be made a moderator and not demanding any percentage of revenues. In subsequent PMs shown to DataBreaches, Mioko offered to leak his whole Exposed.vc user db and not require any money if Shiny would just make him a moderator.
Shiny ultimately rejected his request, writing, “After hours of contemplation, I eventually came to the conclusion that, alas, the answer was a resounding ‘No’, though it did keep me up all night.”
ShinyHunters permanently banned Mioko from the forum on June 20.
Meanwhile, Exposed.vc Under Attack by OnniForums. Why? And How?
Always curious, DataBreaches tried to understand why someone from OnniForums had claimed that Impotent had started trouble with them and so they had attacked Exposed.vc. My initial efforts to inquire resulted in a ban on OnniForums by their somewhat exuberant spam filter. But once that was sorted, their administrator, dkota, was willing to answer questions. As to what happened with Exposed.vc/Impotent, dkota wrote (with minor editing):
I was minding my own business in my forum, when the skid owner (Impotent) signed up on the forum, came in and claimed to have “leaked” backend IP, which is obviously not true. What they did is just “ping onniforums.com” and that reveals the domain IP as nature of the internet and how it works.
I did not pay much attention to them until they kept coming and spamming, so I used one out of many 0-days I own and being careful not to burn it, I used it anyway knowing they aren’t smart enough to figure out how it works. lol
I had total control of not just the skid owner account but all the mods as well, as well as access to all of their data, IPs, private messages, etc etc. As soon as the skids realized the hack, they closed site and put it on “sale” to coverup the hack, which made me a little bit pissed off due fact I used a 0-day and didn’t get much coverage by media.
OnniForums’ records showed that Impotent joined their forum on June 11 and was banned shortly thereafter.
Obviously, DataBreaches cannot comment on, or verify, whether a 0-day was used, but at least now DataBreaches has some explanation as to why OnniForums attacked Exposed.vc. But then, in the next installment of this drama:
OnniForums also attacked BreachForumsVC. Why? And How?
On June 19, many of us woke up to find what appeared to be the users database from BreachForumsVC had been leaked online. It didn’t take long to verify that yes, there were real usernames, email addresses, registration dates, password hashes, and binaries of IP addresses.
But who did it and why? For many people, the assumption seemed to be that Impotent had found some misconfiguration and leaked the data. But OnniForums also claimed responsibility.
But why would OnniForums attack BreachForumsVC? Dkota also addressed that question in email to DataBreaches (lightly edited):
This is actually funny. So after the exposed.vc hack, they for some reason attack each other while completely ignoring fact I just hacked exposed.vc. It seems they ignored us, like hack did not happen, everyone keep talking about BreachForums like they are gods, APTs, whatever and exposed.vc just ignore the fact I completely owned them. I felt the media needed a little bit of a wake-up call, reality check so instead of them discussing skid insecure forums, why not discuss actually good forums?
Anyway I hacked them as well (BreachForums) and their security was just as shit as the previous skid forum (Exposed). The hack was to prove one point: these forums are not secure and are run by clueless people, and should not be glorified/talked about 24/7 like they are speaking language of gods. lol So I hacked their ass in under 30 minutes. lol
dkota politely declined to be specific about what they had done with respect to BreachForumsVC. But if their intent was to get some media attention, they certainly got this site’s attention.
Moving Forward? Or the Lull Before the Next Storm?
In the wake of the leak of the users db, ShinyHunters posted an apology and explained the problem as an “automatic MyBB sh backup” that they had now addressed.
“We understand that this has diminished your confidence in us to maintain a secure environment, but we hope that with time and the complete abandonment of MyBB in June/July we’ll be able to regain your trust,” ShinyHunters wrote.
According to dkota and one other individual who asked not to be identified, this wasn’t just an automatic backup issue. But regardless of whether it was a leak or a hack, it was not a good look for a forum where people are already concerned about law enforcement having both the RAIDForums and BreachedVC databases.
So what next? Will Impotent decide to pay a lot of money to get the forum DDoSed again? Will OnniForums and BreachForumsVC ignore each other and go on about their ways?
Time will tell. In the meantime, I’ve been checking out OnniForums, which appears to have first opened in February as Envoy. The forum has some of the same types of sections and data as other forums we’ve seen, but it also has some sections that other forums do not have (such as development, carding, and drugs). They also tend to exclude some data that other forums allow. As one example, when asked about Spanish databases, dkota explained that OnniForums tries to keep everything published in English because it is an English forum.
Corrections: Well, it seems that in my effort to clarify, I got the timeline and some things wrong:
- The hack of Exposed.vc was on the day that BreachForumsVC launched. But yes, Impotent then put Exposed up for sale.
- OnniForums claims that Impotent did not launch a DDoS attack against BreachForumsVC and notes that the forum is behind the “ddos-guard” service. His statements are contradicted by Baphomet and ShinyHunters’ statements about fending off DDoS attacks and how Impotent had hired a botnet to attack them — but they, too, noted that the forum was behind ddos-guard and Impotent’s efforts were for naught.
- Unbeknownst to me until now, Impotent allegedly tried to be made a moderator on OnniForums. dkota refused the offer.
In light of the above, dkota indicates that the correct chronology was:
- OnniForums hacked Exposed.vc
- Impotent begged for moderator rank on BreachForumsVC
- Everyone ignores OnniForums despite them having hacked Exposed.vc so…
- OnniForums hacks BreachForumsVC as well, and then…
- Everyone still ignores OnniForums.
maybe people wouldn’t ignore onniforums if the spam filter let you have an account for more than 5 seconds or it was clear how to contact mods after the spam filter had been enacted. most mainstream journalists are lazy as shit and aren’t going to try and hunt you down over forum drama 99.5% of their readers aren’t going to understand let alone care about. he should consider himself lucky dissent made the effort.