Washington/Paris — U.S. and French law enforcement agencies have seized the notorious BreachForums platform just hours before the cybercriminal organization Scattered Spider and affiliated groups planned to leak stolen Salesforce data.
The criminals had revived the forum as part of a campaign targeting 39 high-profile Salesforce customers, aiming to extort them by threatening to release sensitive data. Late Thursday, the breachforums.hn domain began displaying a banner reading “This domain has been seized”, accompanied by the insignias of the FBI, the U.S. Department of Justice, and France’s Brigade Centrale de Lutte Contre la Cybercriminalité and Juridiction Nationale de lutte contre la Criminalité Organisée.
On their Telegram channel, the group confirmed that the domain had been taken over but stated that no members had been arrested. The cybercriminals suggested that the FBI and international partners had likely seized or destroyed all backend servers. “In simple terms, we were very likely hacked by the U.S. government. Their splash page on the BreachForums onion site is a clear sign that anything we controlled that they could not access is now gone,” they said, warning that enforcement agencies may target individuals over the coming weeks and months.
Despite the takedown, the Tor-based version of the forum remains active, and the group claimed the seizure would not impact their Salesforce operations. Scattered Spider has alleged that it has stolen roughly one billion records from multiple large companies’ Salesforce databases and plans to post the data on Friday at 11:59 p.m. ET. The group has recently rebranded itself as Scattered Lapsus$ Hunters, combining several English-speaking cybercrime factions.
Salesforce Refuses to Negotiate
Salesforce has made clear that it will not engage with or pay ransom to the hackers. In communications to customers, the company emphasized that the extortion attempts relate to “past or unsubstantiated incidents.” Salesforce linked the recent demands to a security breach at third-party platform Salesloft, where hackers accessed systems and stole data related to customer service interactions last month.
Among the 39 affected organizations, only Google has confirmed a data breach. Other companies are reportedly investigating the claims. The FBI issued a flash notice three weeks ago warning that the campaign began in October 2024, when group members accessed organizations through social engineering attacks, posing as IT personnel via call centers. Recent operations involved multiple cybercriminal factions, including Scattered Spider, Shiny Hunters, and Lapsus$.
Fourth FBI Takedown of BreachForums
Scattered Spider noted that this marks the fourth time the FBI has shut down a BreachForums site. In 2023, the FBI arrested the platform’s alleged administrator, Conor Fitzpatrick, at his parents’ home in New York. Earlier this year, a three-judge panel vacated a controversial district court decision that had released Fitzpatrick after just 17 days in prison. Last month, he was sentenced to a new three-year term.
According to the U.S. Department of Justice, BreachForums had more than 340,000 members before it was taken offline and facilitated access to sensitive personal information of millions of U.S. citizens. Since 2023, multiple attempts have been made to revive the platform, only for the FBI to repeatedly seize it. In June, French authorities arrested several individuals suspected of operating a new version, while another suspect, known as IntelBroker, had been arrested in a prior operation.
The seizure underscores the global law enforcement effort to combat cybercrime, data breaches, and digital extortion, highlighting the ongoing challenges of securing sensitive personal and corporate information against sophisticated criminal networks.