Washington, D.C.— The Federal Bureau of Investigation (FBI) and French cybercrime authorities have taken down the notorious BreachForums leak site just hours before the Scattered Spider hacking group was set to leak what it claims to be data stolen from Salesforce and 39 of its corporate clients.
The domain breachforums.hn, long used by hackers to publish stolen data and coordinate extortion schemes, was replaced late Thursday with a seizure banner carrying the insignias of the FBI, the U.S. Department of Justice, France’s Brigade Centrale de Lutte Contre la Cybercriminalité (BCLCC), and the Juridiction Nationale de Lutte Contre la Criminalité Organisée (JUNALCO).
The banner read, “This domain has been seized,” signaling an internationally coordinated takedown effort that struck mere hours before Scattered Spider’s deadline to publish the stolen Salesforce data on Friday night.
Scattered Spider Acknowledges FBI Takedown, Vows to Proceed With Leak
Shortly after the seizure, the Scattered Spider group confirmed on Telegram that law enforcement had seized its primary domain and likely destroyed backend servers. “We very likely got hacked by the U.S. government,” the group posted. “Their splash page is up on the BreachForums onion it’s a clear sign everything in our control is gone.”
FCRF Launches CCLP Program to Train India’s Next Generation of Cyber Law Practitioners
Despite the takedown, the group insisted its members had not been arrested and warned other hackers to strengthen their operational security (opsec). “The FBI and international partners will be cracking down on many individuals in the next few weeks to months,” they wrote.
The cybercriminals also calling themselves Scattered Lapsus$ Hunters claimed that the seizure “has no impact on our Salesforce campaigns,” and reiterated their intent to publish the stolen data at 11:59 p.m. (ET) on Friday.
According to the group’s earlier statements, the campaign targets 39 large Salesforce clients across sectors such as technology, finance, and healthcare. The hackers have boasted of stealing up to one billion records, though cybersecurity analysts have expressed skepticism about the claim’s accuracy.
Salesforce Refuses Ransom Demands, Cites Third-Party Breach
Salesforce, one of the world’s leading cloud software providers, confirmed it would not pay any ransom to the hackers. “Salesforce will not engage, negotiate with, or pay any extortion demand,” a company spokesperson told, emphasizing that the extortion attempts relate to “past or unsubstantiated incidents.”
In letters sent to clients this week, Salesforce linked the extortion to a breach at Salesloft, a third-party customer engagement platform used by many Salesforce customers. Salesloft confirmed last month that its systems had been compromised, exposing customer service interaction data.
Only Google has publicly confirmed data theft connected to the incident, while other companies named by Scattered Spider are still investigating potential exposure.
Earlier, the FBI issued a flash notice warning Salesforce users of a social engineering campaign that began in late 2024, in which members of Scattered Spider and affiliated groups posed as IT staff in calls to corporate help desks to gain unauthorized access.
BreachForums’ Long History of Takedowns and Reemergence
This marks the fourth time the FBI has dismantled BreachForums since 2023. The original forum — once the internet’s largest bazaar for stolen credentials and leaked databases — was run by Conor Fitzpatrick, arrested that year in New York. The site had more than 340,000 registered members before being taken offline.
Fitzpatrick, who initially served only 17 days in custody after a district court decision, had his sentence overturned by a higher court earlier this year and is now serving a three-year federal prison term.
After the initial takedown, several successors attempted to relaunch BreachForums on different domains, often backed by splinter groups like Shiny Hunters and IntelBroker. French authorities arrested several suspected administrators in June 2025, and IntelBroker himself was detained in a prior Europol-supported operation.
Each revival has been short-lived, with law enforcement systematically tracking and dismantling successive iterations of the forum highlighting a cat-and-mouse struggle between cybercriminals and global security agencies.
A Symbolic Win in the Ongoing War Against Cyber Extortion
While Thursday’s coordinated takedown demonstrates deep international cooperation between U.S. and French law enforcement, cybersecurity analysts caution that groups like Scattered Spider continue to operate from decentralized channels such as encrypted messaging platforms and darknet mirrors.
Experts note that such groups represent a hybrid evolution of cybercrime, merging data theft, social engineering, and extortion into sophisticated campaigns targeting corporate trust and reputation.
“This takedown sends a clear message,” said one security researcher monitoring the case. “But as long as platforms like Telegram and anonymous onion services exist, these groups can regroup quickly. The key is sustained disruption.”
For now, the FBI’s seizure of BreachForums marks another temporary victory in the ongoing fight against global cyber extortion even as the Scattered Spider network vows to continue its campaign against Salesforce and its clients.
