Notorious Site Facilitated Buying and Selling of Breached Databases, Hacking Tools

French police reportedly busted five suspected hackers tied to the operation of notorious stolen data marketplace BreachForums.
Throughout multiple variations headed by different administrators, BreachForums provided users with an English-language forum for buying, selling, trading or otherwise sharing stolen data.
French daily newspaper Le Parisien reported Wednesday that France’s Anti-Cybercrime Brigade, the BL2C, has arrested five administrators tied to the operation. Police only released the suspects’ online handles: “IntelBroker,” “ShinyHunters,” “Hollow,” “Noct” and “Depressed.”
“These were some of the most active monikers on BreachForums,” John Fokker, head of threat intelligence at Trellix, told Information Security Media Group. He described the arrests by French authorities as being “a pivotal moment in cybercrime enforcement,” given the volume of stolen data transiting through the site.
“These threat actors, remarkably all French nationals in their early twenties, had transformed BreachForums into the premier destination for stolen data trading, impacting millions of individuals through breaches at major organizations,” Fokker said.
One iteration of the forum ran from June 2023 to May 2024 under the apparent administration of a hacker with the “ShinyHunters” moniker (see: FBI Seizes Criminal Site BreachForums).
A spring 2024 takedown led by the FBI didn’t quite manage to eradicate the site, which reconstituted itself weeks later due to an apparent law enforcement snafu in seizing all the forum’s online domains. Someone with the “IntelBroker” handle stepped in as administrator of the re-formed site, although he or she apparently resigned in January.
French police reportedly arrested “IntelBroker” on Feb. 22, after which BreachForums operators pulled the plug on their operation on April 14. Rumors of IntelBroker’s arrest first surfaced on Telegram in April.
Police arrested the other four suspects in a coordinated operation Monday involving raids in the southwestern Paris suburbs of Clamart in Hauts-de-Seine and Seine-Maritime, as well as on the Indian Ocean island of Réunion and Mayotte, which is an overseas department of France. The four suspects are aged 20, 21, 22 and 23, reported French weekly news magazine Valeurs Actuelles.
Police said the suspected hackers have been tied to attacks against a number of organizations, including France’s Ministry of Education, telecommunications firm SFR, retailer Boulanger, the French Football Federation, hospitality firm Accor, the French government’s employment agency France Travail, consultancy Capgemini and luxury brands Tiffany and Dior – owned by French multinational conglomerate LVMH – among others.
New York state resident Conor Brian Fitzpatrick launched the first BreachForums in March 2022 as a replacement for RaidForums, which police shuttered in February 2022.
An international, FBI-led operation in March 2023 disrupted that BreachForums iteration and arrested Fitzpatrick, who used the handle “Pompompurin.” Waiving his right to remain silent, Fitzpatrick, then 20 years old, admitted to federal agents he was the site’s administrator. Prosecutors said the site hosted more than 14 billion leaked records (see: How BreachForums’ ‘Pompompurin’ Led the FBI to His Home).
A federal judge in January 2024 sentenced Fitzpatrick to 20 years of supervised release after the Hudson Valley resident pleaded guilty to a three-count criminal indictment that charged him with conspiracy to commit access device fraud, solicitation for the purpose of offering access devices and possession of child pornography. Under the terms of his plea deal, Fitzpatrick had to register as a sex offender (see: BreachForums Admin Avoids Prison Term).
A U.S. appeals court in January vacated the sentencing, finding that the original sentence “never addressed the seriousness of his crimes or explained how its sentence fulfilled” federal statutes governing factors for imposing a sentence. Fitzpatrick is set to be re-sentenced on July 8.
The second iteration of BreachForums launched in June 2023, under the aegis of “ShinyHunters.” Whether that handle referred to the prolific data-leaking group, or an individual wielding the handle – who might have been a member of the data-leaking group – hasn’t been clear.
Police seized the second BreachForums’ infrastructure in May 2024. The site relaunched just weeks later, advertising customer data stolen from Live Nation’s venue ticket intermediary Ticketmaster, among other data stolen from accounts of companies that used data warehouse-as-a-service provider Snowflake (see: US Judge Okays $177 Million AT&T Data Breach Settlement).
A challenge for law enforcement in the criminal digital underground is the propensity of new players to fill the data-leak marketplace void left when sites such as RaidForums and BreachForums get disrupted, or their operators busted.
“While these arrests have significantly disrupted the underground data marketplace ecosystem, our intelligence suggests new actors are already positioning to fill this void,” Trellix’s Fokker said.