ShinyHunters’ BreachForums domain has been seized following collaborative efforts from the FBI, the US Department of Justice, France’s BL2C cybercrime unit, and the Paris Prosecutor’s Office.
The domain was being used by the ShinyHunters extortion group to leak the data of customers affected by a wave of Salesforce breaches carried out by ShinyHunters and Scattered Spider over the summer. In a post on the leak site, ShinyHunters had attempted to extort Salesforce, promising not to leak their customers’ data if the company paid a ransom by today (October 10th).
“Should you comply, we will withdraw from any active or pending negotiation individually from your customers,” the group wrote. “Your customers will not be attacked again nor will they face a ransom from us again, should you pay.”
However, it appears that the deadline set may have triggered the involvement of international law enforcement, as the Clearnet version of the BreachForums domain has been taken down. Visitors are now met with a notice stating that the domain has been seized, with the logos of US and French authorities. While the Clearnet version is no longer accessible, the onion version is reportedly still up.
The seizure has allegedly been confirmed by the ShinyHunters group via a message on Telegram.
“All our BreachForums domains were taken from us by the US Government a few days ago,” the group posted. “The era of forums are over.”
This is not the first time that BreachForums has been seized but, since its re-launch in July 2025, the domain has been shrouded in suspicion for many in the threat actor community, who suspected that it may have been compromised or controlled by law enforcement.
As a result, ShinyHunters has warned other cybercriminal groups not to trust any future iterations of the domain.
“BreachForums is never coming back, if it comes back it should immediately be considered a honeypot,” the group says.
However, the group also promised that the seizure will have “no impact” on its current extortion campaign against Salesforce, and told recipients of the message to “stay tuned” for 11:59pm ET on October 10th.
13-10-25 – Update – The FBI has confirmed their takedown of the BreachForums domain, stating that the operation “demonstrates the reach of coordinated international law enforcement operations to impose cost on those behind cybercrime.”
Read More
