BreachForums Database Leaked: Inside the Dark Web’s Most Notorious Hacking Hub
On January 9, 2026, the cybercriminal underground was shaken by a major breach when shinyhunte[.]rs, a site linked to the ShinyHunters extortion gang, published a leaked database containing 323,986 user records from BreachForums, a prominent Dark Web hacking forum. The dump, extracted from a MySQL database, exposed metadata of forum members, including administrators, moderators, and threat actors, alongside a manifesto from a self-proclaimed hacker known as "James."
The Rise and Fall of BreachForums
BreachForums emerged in March 2022 as the successor to RaidForums, a notorious hacking platform seized by law enforcement in February 2022. Like its predecessor, BreachForums served as a marketplace for stolen data, hacking tools, and illicit services, operating across multiple domains (e.g., breached.vc, breachforums.st, breachforums.bf) and relying on DDoS-Guard for hosting, a provider criticized for enabling cybercriminal activity.
Key milestones in BreachForums’ turbulent history:
- March 2023: Original owner Conor Brian Fitzpatrick (aka pompompurin) was arrested, leading to a temporary shutdown.
- June 2023: The forum resurfaced under ShinyHunters’ control, with administrator "Baphomet" at the helm.
- May 2024: Another seizure occurred, but ShinyHunters quickly restored operations using a new domain.
- April 2025: ShinyHunters claimed a zero-day vulnerability in MyBB (the forum’s software) forced another shutdown, though the group later migrated to new infrastructure.
- August 2025: The forum’s .hn domain was shuttered, coinciding with the last registration date in the leaked database.
The Leak: What Was Exposed?
The leaked database, sourced from a MyBB table (hcclmafd2jnkwmfufmybb_users), included:
- Usernames, email addresses, and password hashes (Argon2i).
- IP addresses (though some were obfuscated with 127.0.0.9 for operational security).
- PGP keys, avatars, and forum activity logs for high-profile users.
- Administrator and moderator accounts, such as:
  - ShinyHunters
  - Hollow
  - 888 (linked to IntelBroker)
  - Loki
Geolocation analysis of registration IPs revealed concentrations in the U.S., Germany, Netherlands, France, Turkey, and the Middle East/North Africa (MENA), though VPN/proxy use complicates attribution.
The "James" Manifesto: A Cybercriminal’s Confession
The leak was accompanied by a 23-part manifesto from an individual calling themselves "James", who claimed to be a longtime cybercriminal mastermind with ties to intelligence agencies (NSA, GCHQ, DGSE) and tech giants (Google, Microsoft). Key assertions:
- James framed ShinyHunters and other groups (e.g., Scattered Hunters, LAPSUS$ derivatives) as his "children", alleging they were manipulated into cybercrime.
- Named and shamed specific threat actors, including:
  - Dorian Dali ("cheap murderer")
  - Nahyl Ojeda (16-year-old hacker)
  - Ali Aboussi ("Kernel")
  - Rémy Benhacer ("Judas")
  - Nassim Benhaddou & Gabriel Bildstein (founders of RaidForums/BreachForums)
- Threatened retribution against France, accusing the named individuals of attacking the nation and vowing to "become its protector."
- Claimed responsibility for high-profile breaches, including the 2025 Salesforce hack (1 billion records) and WikiLeaks/Anonymous operations.
The manifesto’s tone (apocalyptic, self-aggrandizing, and theatrical) suggests either a genuine insider purge or an elaborate disinformation campaign to mislead investigators.
Law Enforcement Crackdowns and Underground Dynamics
The leak follows a series of global law enforcement actions targeting ShinyHunters and affiliated groups:
- June 2025: French authorities arrested four ShinyHunters members, including associates of "IntelBroker" (Kai West).
- 2023: Sébastien Raoult (Sezyo Kaizen), a French hacker linked to ShinyHunters, was extradited to the U.S. for 60+ corporate breaches (2020–2021).
- 2022–2025: Multiple BreachForums seizures and rebrands, with administrators frequently changing aliases (e.g., Baphomet, N/A, Indra) to evade detection.
The ShinyHunters ecosystem is part of "The Com" (The Community), a loosely organized network of teenage and young adult hackers involved in SIM-swapping, cryptocurrency theft, and sextortion. Groups like Scattered LAPSUS$ Hunters (SLH) and Scattered Lapsus$ Shiny Hunters (SLSH) often rebrand to obscure their identities.
Impact and Implications
- Exposure of Threat Actors: The leak doxes dozens of cybercriminals, increasing their risk of arrest or retaliation.
- Disruption of Dark Web Markets: BreachForums’ compromise may erode trust in underground forums, pushing criminals to more secure platforms.
- Law Enforcement Opportunities: The database provides actionable intelligence for agencies tracking cybercrime, though some data may be deliberately falsified for deception.
- Sextortion and Exploitation Risks: The forum facilitated doxing, sextortion, and child exploitation, with stolen data used to extort minors and corporations.
- Attribution Challenges: The manifesto’s contradictory claims (e.g., James’ ties to intelligence agencies vs. his anti-establishment rhetoric) highlight the difficulty of separating fact from fiction in cybercriminal narratives.
What’s Next?
The breach marks a turning point in the cat-and-mouse game between cybercriminals and law enforcement. While the leak may temporarily disrupt BreachForums, the underground’s resilience suggests a swift rebrand or migration to new platforms. Meanwhile, the James manifesto, whether genuine or fabricated, adds another layer of chaos to an already opaque ecosystem, where identity, motive, and loyalty are constantly in flux.