Notorious BreachForums hacking site hit by ‘doomsday’ leak of 324,000 criminal users

Prominent crime forum BreachForums has suffered a new and possibly fatal blow to its reputation after the revelation that a database of thousands of criminals using it was stolen months ago.

News of the breach emerged publicly on January 9 when a zip archive containing a MySQL database of 323,986 BreachForums users appeared on shinyhunte[.]rs, a domain reportedly unconnected to the infamous extortion group of the same name.

According to Have I Been Pwned, the data breach happened last August, two months before the police takedown of the BreachForums data extortion site after threats by Scattered Lapsus$ Hunters to use it to release one billion records stolen from Salesforce customers.

This tallies with the August 11 date on the database leaked last week; that was the day its admins reportedly announced that the site was being shut down for fear that it had been compromised by law enforcement. 

Have I Been Pwned said that the stolen data also included hashed passwords, private messages, and forum posts.

However, according to security intelligence firm Resecurity, the January leak contains two new elements: a password-protected PGP private key file and a grandiloquent, bizarre 4,400-word manifesto entitled ‘Doomsday’ by an author using the name “James,” who claims to be behind the leak.

The PGP key, leaked a day later on January 10, was most likely used to sign messages from BreachForums’ admins, Resecurity said.

One takedown after another

This leak is only the latest in a series of problems, arrests, and takedowns to affect what was once one of the biggest English-speaking crime forums.

The successor to the RaidForums site seized by US authorities in 2022, BreachForums styled itself as a discussion site for topics such as data breaches, illegal sexual content, ransomware, and hacking tools.

In 2023, the site’s alleged founder and admin, Conor Brian Fitzpatrick, was arrested, and its clearnet domains were seized three months later. Fitzpatrick was later sentenced to three years in jail by a US court.

In 2024, a replacement admin, Baphomet, was also reportedly arrested, and in 2025, five more individuals accused of being connected to the site were taken into custody. Finally, last October came the takedown of the BreachForums dark web extortion site.

The immediate question is whether the leaked database will be of any use to police, assuming they don’t already have access to it. It contains email addresses and IP data, which will most likely point to proxies or anonymizing services. One analysis found that many of the IP addresses are simply loopbacks. However, the most popular email service used to register with BreachForums is Gmail, which might provide a forensic link to anyone who’s been careless and not covered their tracks.

A question of data integrity

Experts had mixed responses to the news of the database leak. “The breach significantly undermines trust in the platform itself, which is critical for any cybercrime forum,” said Michael Jepson, penetration testing manager at consultancy CybaVerse.

“The exposure damages confidence in BreachForums as a secure environment. As a result, more sophisticated cyber criminals are likely to migrate away from large and well known forums toward smaller, invite-only communities,” he added.

However, Michael Tigges, a senior security operations analyst at security company Huntress, was less sanguine. “While potentially useful for authorities and security professionals researching adversarial activities, the database is ultimately of limited forensics use. While the leak may be legitimate, the integrity is called in question if it was derived from another cybercrime group,” he pointed out.

The biggest risk was that data leaks could be a cover for the distribution of disinformation. “Data leaks like these may be used to draw lines between nuclei of activity, but the reliability of the information must be highly scrutinized,” said Tigges.