Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Baphonet. Show all posts

FBI Seized BreachForums Three Months After Administrator Arrest

 


It's been more than three months since the alleged administrator of the English-language cybercrime marketplace BreachForums was arrested in the United States for striking against the site's domain name. 

On March 20, the FBI arrested Conor Brian Fitzpatrick, 21, at his house in Peekskill, New York, for aggravated assault. As a result of the accusations against him, he has been charged with conspiracy to commit access device fraud while running BreachForums under the handle "pompompurin". 

The newly appointed administrator of the site promised not to restore the forum, which had been running for nearly a month. The forum was soon shut down by him after the newly appointed administrator promised not to restore it. 

A notice stating that the domain had been seized by the authorities was posted to the old website on Thursday. 

The notice includes 10 logos of different law enforcement agencies from around the world that appear on the notice. In addition to the BreachForums logo, it also displays an epic troll and the BreachForums website logo. 

It is estimated that BreachForums had over 340,000 members before closing down. During this time, cybercrime organizations acquired several hacking tools and stolen information which allowed them to trade information, especially financial information, with one another.

To prevent a further breach of privacy, the site is now hosted at Breached[.]vc, which displays a seizure banner that says the FBI, the Office of Inspector General, and the Department of Justice have unilaterally taken down the website. The warrant was issued by the U.S. Court of Appeals for the Eastern District of Virginia after the investigation had been completed. 

Additionally, this action was also accompanied by other law enforcement authorities throughout the world, including the U.S. Homeland Security Investigations, the U.S. Secret Service, the New York State Police Department, the United States, as well as the United States Postal Inspection Service, the Australian Federal Police, the Dutch National Police, the UK National Crime Agency, and Police Scotland. 

A trademark seizure message often contains law enforcement displays of the site logo, which is common in domain seizure messages. As an alternative, law enforcement took an unconventional approach to displaying the seizure banner. Pompompurin's avatar was also fitted with handcuffs, unconventionally. 

Although BreachForums' clear net domain has been seized, it appears its dark web counterpart has neither been seized nor displayed the seizure banner. Rather, it shows a "404 Not Found" Nginx error in place of the seizure banner. 

During the seizure of these domains, those domains' DNS servers have been changed from ns1.seizedservers.com to ns2.seizedservers.com, two of the name servers used by law enforcement when seizing domains. 

It is evident that Baphomet, who was the last remaining administrator of the original domains after Fitzpatrick was arrested, has taken steps to ensure their continued functionality. On March 20th, however, according to Baphomet, the site was shut down by the admin based on their belief that federal agents had gained access to the servers. 

After a short while, if you visited the domain, you would be presented with an error "502 - Bad Gateway" which indicated that the website had been temporarily suspended.

Several weeks ago, after rumors were circulating that Baphomet was partnering with Shiny Hunters, a threat actor notorious for the execution of numerous attacks against unsecured networks, that BreachForums was going to be relaunched on a new domain, the old Breached domain began displaying the default message, 'Welcome to NGINX! 

There was clear evidence that someone else had gained control over the domains and modified their configurations and content to gain control over them. Baphomet claims that these changes were made independently. 

The fact that messages began to appear on BreachedForums' old domains warning users that BreachedForums would not return is even stranger. It was also indicated that any forums that claim to be an updated version of BreachedForum should be approached with caution as there are reports of them.

"BreachedForums will never be resurrected against the evil forces behind it," reads an announcement posted on the Breached[.]vc website in response to a question posted on the forum. 

A later update to this alert was added with a cautionary message from Baphomet claiming to be a representative of the recently formed BreachForums, warning of the danger of forums claiming to be them. In response to the updates made to the old domains, Baphomet denied responsibility. 

The recently launched BreachForums hosted by Baphomet and Shiny Hunter had their data breached due to an escalating conflict between different hacking forums. There have been threats from threat actors who have released stolen data from the site. 

Later on, there was an update posted on the old Breached[.]VC domain warning that BreachForums had already been hacked by the BruteForums clone so we should not trust it. The message also contained a link to the SQL file for the updated BreachedForums site. This file leaked a stolen database from the previous site.