The Unexpected Return of BreachForums

On or around July 25, 2025, the dark web leak site BreachForums returned after a 3-month vanishing act, raising privacy concerns among its users, who fear the platform is being used as an FBI honeypot. There are, however, a few things to consider.
BreachForums, a major player in the dark web underworld known as a cybercrime hub, for its resilience against FBI takedowns, and for its involvement in the illicit sale of stolen data, has become a source of controversy across user communities, social media chatter, and cybersecurity news outlets, many of which thrive on sensational headlines and speculation.
What Actually Happened?
The current story surrounding BreachForums is convoluted because too many players are saying different things about BreachForums' downtime. Let's start with May 26, 2025, when a snapshot of their clearnet website was archived. In it, BreachForums Administration notified their community of the discovery of a MyBB 0day vulnerability, which was confirmed on or around April 15th.
In response, they immediately shut down the clearnet site (and their onion site, since it shared the same software backend) and began their remediation process, finding no evidence of their database being compromised by outsiders or infiltrators. The message acknowledges their lack of public transparency and apologizes for not communicating what was happening behind the scenes.

Lastly, it addresses the “various rumors” in circulation speculating about their unexpected downtime, assuring that none of their members had been arrested, and that the infrastructure remains secure. It also mentions the existence of unsanctioned BreachForums clones, which may be operating as honeypots.
Fast forward to July 25, 2025: with BreachForums resurrected on their Tor site, the Administrator echoed the same clarification, emphasizing the following message: “[L]et us clarify unequivocally: none of our administrators have been arrested.”
Mind you, the individual’s wording is very deliberate. The Administrator states, twice, that no administrators were arrested. This was in response to questions surrounding the arrest of the British national, Kai West, better known by his alias IntelBroker, who was apprehended in France in February of this year. Some believed he was the owner of the forum and assumed that his arrest would have compromised the platform.
“The title was intentionally assigned to him to divert attention from us — a strategy that evidently succeeded. He never had any ‘Owner’ or ‘Administrator’ privileges on this forum,”
said the Administrator, discouraging the conspiracy theories people were spreading.

This means that IntelBroker was deliberately used as a decoy to divert law enforcement’s attention away from the actual Administrator(s) operating behind the scenes, and to create plausible deniability for the core team.
The Tangled Yarn of Controversy
On Thursday, April 15, 2025, the pro-Palestinian DDoS-as-a-Service group known as Dark Storm Team claimed responsibility for booting BreachForums’ clearnet site offline, the same day BreachForums’ administration said they took the website offline to address the 0day vulnerability.

This was followed by a wave of unverified reports and user-driven rumors, which spread across reputable cybersecurity news platforms, speculating that the domain had been seized by the FBI. Some news sites even used an image from the 2024 FBI domain seizure, further fueling the conspiratorial narratives that were rapidly spreading.
Which of the two came first, the claimed DDoS attack or the administrators' shutdown, cannot be determined at this time.
However, things began to get more convoluted on April 19, 2025, when clone sites began to surface following the unexpected disappearance of the official BreachForums site. One such clone, operating under the domain breached[.]fi, featured a user calling themselves Anastasia, who claimed to be a BreachForums administrator.
On April 20, Anastasia posted that she was working to restore the forum, despite having no known association with the original administration. By April 24, she announced that the FBI had compromised the forum and stated she was stepping down, offering the April 10 backup database and the site's source code for $2,000. These claims were widely disputed, and no credible links were ever established between Anastasia and the legitimate BreachForums[.]st team.
This appears to be the narrative people wanted to hear, not what actually happened. It seems the FBI did not seize the domain, and no administrators were compromised in the wake of the arrest of IntelBroker.
While sensational news drives views and earns writers praise, the facts are often far less dramatic than the headlines want readers to believe.