U.S. and French authorities have taken down a major data leak portal linked to the Salesforce breach, but threat actors say the extortion continues.
According to BleepingComputer, the FBI has seized the domain Breachforums.hn, which the Scattered Lapsus$ Hunters group was using to extort companies affected by the recent Salesforce data thefts. The seizure was confirmed on October 8: the domain now displays an FBI seizure banner, and its name servers have been redirected to government-controlled name servers.
The site had been repurposed in October from its original function as a hacking forum into a data leak platform specifically targeting Salesforce victims. While the clear web domain is now offline, the affiliated Tor site remains active, and threat actors have threatened to start releasing data from the Salesforce breach at 11:59 PM EST if ransom demands are not met.
The Scattered Lapsus$ Hunters group claims ties to several known extortion gangs, including ShinyHunters, Scattered Spider, and Lapsus$. According to the FBI, this takedown was a joint operation with French law enforcement to disrupt the group’s extortion infrastructure before stolen Salesforce data could be leaked.
Despite the domain seizure, the hackers assert that the Tor version of their leak site is still operational and have published a list of companies allegedly affected. These include major brands such as FedEx, Disney, Google, Cisco, Marriott, McDonald’s, UPS, and Chanel. The group claims to have stolen over a billion customer records.
The threat actors also said that U.S. authorities had accessed backups of previous BreachForums iterations dating back to 2023, reportedly including database archives and escrow records. Although the site's backend servers were also seized, the group insists that no core administrators have been arrested.
In a message shared via Telegram and verified through a PGP key associated with ShinyHunters, the group stated, “The era of forums is over,” suggesting they will not attempt to relaunch BreachForums. They also warned that future forums could be law enforcement honeypots.
The group stated that the FBI’s action does not affect their current extortion campaign involving Salesforce data. A leak deadline was reaffirmed for the same day as the seizure.
According to the U.S. Department of Justice, BreachForums’ founder, Conor Brian Fitzpatrick, was recently resentenced to three years in prison for running one of the world’s largest hacking marketplaces. Acting Assistant Attorney General Matthew R. Galeotti said the platform served as “an online bazaar where criminals could purchase sensitive data,” reaffirming the Justice Department’s commitment to pursuing those who profit from stolen information.
The timing of this latest BreachForums domain seizure, in the middle of the Salesforce extortion campaign, shows that law enforcement keeps dismantling cybercriminal infrastructure even after the operators behind it have been arrested. Yet, as the DOJ noted, forums like BreachForums have hosted billions of stolen records: takedowns disrupt individual operations, but they rarely stop the larger ecosystem of data theft and extortion that persists across the dark web.
BreachForums was an underground platform where hackers and data brokers traded stolen data, shared hacking tools, and coordinated cybercrime. It has been relaunched multiple times following earlier law enforcement takedowns.
Scattered Lapsus$ Hunters is a self-described extortion group claiming members from previous hacking collectives like ShinyHunters, Scattered Spider, and Lapsus$. It has been linked to the recent attacks involving Salesforce data theft.
Salesforce is a central customer data platform for many global companies. Because so many organizations keep customer records there, compromising their Salesforce environments, or the third-party integrations granted access to them, lets attackers harvest data from numerous organizations in a single campaign.
Seizing a domain means law enforcement takes control of the domain name registration, through the registry or registrar, and points its DNS name servers at infrastructure it controls. Visitors to the clear web address then see a seizure notice instead of the site, which can no longer operate under that name on the open internet.
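Threat-intelligence teams that track leak sites typically snapshot a domain's NS records and front page on a schedule and compare them over time. The following is an added example written for this page (not FBI tooling and not code from any vendor) of such a comparison: it classifies a new snapshot as unchanged, moved to other name servers, unresolvable, or seized. The ".gov" name-server suffix heuristic, the banner phrases, and the sample snapshots are constructed assumptions, not an authoritative list of seizure indicators.

```python
# Added example: classify periodic DNS/HTTP snapshots of a tracked domain.
# Not from the article; all name servers, phrases and snapshots are constructed.
from dataclasses import dataclass

# ASSUMPTION: seizures point NS records at government-controlled servers.
# Matching a ".gov" suffix is a heuristic, not an authoritative indicator.
GOVERNMENT_NS_SUFFIXES = (".gov",)

# Constructed list of phrases typical of seizure banners; not exhaustive.
SEIZURE_PHRASES = (
    "this domain has been seized",
    "this website has been seized",
    "seized by the federal bureau of investigation",
)


@dataclass(frozen=True)
class Snapshot:
    """One observation of a domain: its NS answer set and the page body."""
    name_servers: tuple[str, ...]
    html_body: str


def normalize_ns(names):
    """Lower-case and strip trailing dots so equal servers compare equal."""
    return frozenset(n.lower().rstrip(".") for n in names)


def looks_government(name_server):
    return any(name_server.endswith(s) for s in GOVERNMENT_NS_SUFFIXES)


def has_seizure_banner(html_body):
    text = html_body.lower()
    return any(phrase in text for phrase in SEIZURE_PHRASES)


def classify(baseline, current):
    """Return 'unchanged', 'unresolvable', 'ns_changed' or 'seized'."""
    old = normalize_ns(baseline.name_servers)
    new = normalize_ns(current.name_servers)
    if not new:
        # No NS answer at all (e.g. NXDOMAIN or registry hold): not a seizure
        # signal by itself, but the site is gone from the clear web.
        return "unresolvable"
    all_gov = all(looks_government(n) for n in new)
    if all_gov or has_seizure_banner(current.html_body):
        return "seized"
    if old != new:
        return "ns_changed"  # operators may have migrated registrars/hosting
    return "unchanged"


# Constructed sample snapshots (placeholder names, not real infrastructure).
BASELINE = Snapshot(("ns1.example-dns.net.", "ns2.example-dns.net."),
                    "<title>Leak portal</title>")
SEIZED = Snapshot(("ns1.seized.example.gov.", "ns2.seized.example.gov."),
                  "<h1>This Domain Has Been Seized</h1>")
MOVED = Snapshot(("ns1.other-dns.org",), "<title>Leak portal</title>")
GONE = Snapshot((), "")

if __name__ == "__main__":
    for label, snap in (("seized", SEIZED), ("moved", MOVED), ("gone", GONE)):
        print(label, "->", classify(BASELINE, snap))
```

Because the Tor mirror does not depend on the public DNS at all, a result of "seized" here only tells you the clear web name is gone; availability of the onion service has to be checked separately.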
Domain seizure does not destroy or recover stolen data. If the attackers retain copies, they can still distribute them through other channels, such as Tor hidden services, torrents, or newly registered domains.