The notorious data leak site BreachForums has resurfaced just two weeks after being shut down by the FBI and the US Department of Justice. This time, the site is allegedly offering personal and payment card data from over 500 million Live Nation/TicketMaster customers for sale.
Researchers at Malwarebytes discovered that an administrator known as “ShinyHunters” was advertising the purported TicketMaster data on one of the original BreachForums domains with a price tag of $500,000. However, there are doubts about the authenticity of this revival, with some speculating that it could be a tactic by law enforcement to lure in cybercriminals seeking to purchase stolen data.
Malwarebytes researcher Pieter Arntz raised questions about who is behind the revival of BreachForums and whether it is a legitimate operation or a trap set by law enforcement. The forum has historically been a marketplace for cybercriminals to trade various forms of stolen data, such as credit card information, bank account details, Social Security numbers, hacking tools, and more.
The resurgence of BreachForums following the FBI’s disruption of RaidForums earlier this year has sparked concerns about the ongoing battle against illicit data trading on the dark web. The recent seizure of BreachForums domains and Telegram channels controlled by key administrators has added to the mystery surrounding the site’s reappearance.
Arntz noted that the sudden return of BreachForums raises suspicions due to the unusual size of the dataset being offered for sale and the registration requirement for users to access the content. Similar tactics have been used in the past by law enforcement to ensnare criminals, as evidenced by sting operations that dismantled dark web drug sites and encrypted communication services.
While the possibility of BreachForums making a genuine comeback cannot be ruled out, Arntz emphasized that criminals often prefer working with familiar administrators and services rather than seeking out new ones. This trend could pave the way for previous users to return to the platform if it is indeed back in operation.
Ian Gray of Flashpoint corroborated the evidence suggesting that BreachForums is operational, citing dark web chatter indicating a transfer of the main domain following the law enforcement seizure. Additional discussions hint at a new leak site being launched by another member under the alias “USDoD,” separate from the current iteration of BreachForums.
Despite law enforcement efforts to dismantle illicit data trading platforms like BreachForums, cybersecurity experts warn that these sites have a tendency to resurface under different names or forms. Patrick Harr, CEO of SlashNext, likened these forums to cancer, lurking in the background and ready to re-emerge despite attempts to eradicate them.
In conclusion, the reappearance of BreachForums underscores the challenges faced by law enforcement in combating cybercrime and highlights the resilience of illicit data trading networks on the dark web. The ongoing cat-and-mouse game between authorities and cybercriminals continues to evolve, posing a persistent threat to individuals and organizations worldwide.

