Did DarkForums Get Hit With an Exit Scam by an Administrator?

By Jesse William McGraw

July 30, 2025

Since BreachForums vanished in the spring of this year, DarkForums emerged to fill the vacuum within ransomware culture, positioning itself as one of the most popular marketplaces and infostealer log dump sites. Now that BreachForums is back, can DarkForums survive its own internal struggles?

Today, accusations of an exit scam and speculation of an arrest have been circulating on the DarkForums Telegram channel following the unannounced disappearance of one of its administrators, @anonsecdf (also known as ‘AnonOne’), who, at the time of this writing, was last seen on Friday, July 25, 2025, at 6:53 PM.

Did DarkForums Get Hit With an Exit Scam by an Administrator? — Screenshot taken from DarkForums Telegram channel.

This public announcement explains the suspicious circumstances, stating that the user disappeared in the middle of a MM deal (Middle-man deal), which refers to a transaction facilitated by a trusted third party who holds the funds or assets until both sides of the deal fulfill their obligations. In some contexts, this can also refer to someone acting as a money mover between parties.

Although these circumstances have not yet been officially confirmed, they have caused a wave of controversy, with some users either exploiting the disappearance to claim they were scammed or reporting that they were legitimately scammed.

Despite these assertions, DarkForums claims that the MM deal was disrupted and the funds are unaccounted for, leading to one logical conclusion.

The Rise of DarkForums

DarkForums first appeared in 2022 under its original name, DARK4RMY. The platform is notable for operating as a major community where users share or sell InfoStealer logs, hacking tools, exploits, and malware kits. According to researchers, activity on the platform surged by 600% after BreachForums unexpectedly vanished, prompting many users to migrate to DarkForums.

Security Incident, Exit scam, What’s Next?

This incident follows DarkForums’ public acknowledgment of a security breach the day before, further fueling speculation about whether users are secure on the platform.

Knox, the owner of DarkForums, revealed that a user had attempted to exploit a cross-site scripting (XSS) vulnerability, claiming to have compromised the platform and accessed user data.

Knox posted the following public announcement today, at 4:12 AM

DarkForums massage — Screenshot taken from the DarkForums website on the clearnet.

Dear DF Members,
We want to openly address a recent incident that occurred on our forums. A user attempted to exploit a cross-site scripting (XSS) vulnerability and claimed to have compromised our platform and accessed user data.
Here are the facts:
No data breach: After thorough investigation, we have confirmed that no user accounts or personal data were accessed or leaked.
Immediate response: The issue was quickly identified and patched within a very short timeframe, preventing any potential misuse.
Security improvements: We’ve strengthened our systems to prevent similar attempts in the future and conducted additional security checks.
Community safety: Your account information remains safe, and no action is required from users at this time.
As all of you know we don't store any user IPs and We take security seriously and want to assure you that protecting your data is our top priority. While this was a low-level attack with no real damage, we understand the importance of keeping you informed and maintaining transparency.
If you notice anything unusual or have security concerns, please report it immediately through our [contact/support channel].
Thank you for your trust and continued support as we work to make DF a safe and secure place for everyone.
– DarkForums Team

Trust Among Thieves

Although there's truth to the saying that there's no honor among thieves, in the world of cybercrime, collaboration and services offered still depend heavily on trust and reputation.

While the owner asserts that DarkForums does not store user IP addresses, an attempt was allegedly made to access the database. Furthermore, whether or not one of DarkForums’ own administrators stole money from associates, rumors have a way of triggering unintentional social engineering, fueling uncertainty and speculation, and often resulting in reputational damage.

With BreachForums now back, users have an alternative and may quickly migrate if they feel unsafe or suspect that DarkForums is compromised or on the verge of being compromised.