FBI Seizes BreachForums Portal Used in Salesforce Extortion Campaign

The FBI, in collaboration with French authorities, has taken down the BreachForums domain used by the ShinyHunters group to extort companies affected by the Salesforce data theft campaign. 

The seizure marks a major disruption to one of the most active underground data leak sites tied to multiple high-profile cybercriminal groups, including Scattered Spider and Lapsus$.

BreachForums, originally established as a popular marketplace for stolen data and hacking tools, was relaunched in mid-2025 under the domain breachforums[.]hn after going offline due to arrests.

Law enforcement seizes BreachForums domain

The clearnet and dark web versions of BreachForums were initially taken offline; however the onion site resurfaced.

The FBI redirected the clearnet domain’s name servers to its standard seized infrastructure, ns1.fbi.seized.gov and ns2.fbi.seized.gov, a move signaling complete control of the site. 

The official seizure notice confirmed that law enforcement acted before Scattered Lapsus$ Hunters began releasing Salesforce breach data, preventing an immediate data dump that could have exposed millions of users.

Database and infrastructure seized

In a Telegram message to BleepingComputer, ShinyHunters confirmed that the FBI and French authorities also gained access to archived BreachForums databases dating back to 2023. 

The member stated that “the era of forums is over,” suggesting that traditional dark web platforms are now too compromised for safe criminal use.

According to ShinyHunters, the FBI’s operation compromised all backup and escrow databases, as well as backend servers linked to BreachForums. 

Despite this, the dark web data leak site used in the Salesforce extortion campaign remains active at the time of BleepingComputer’s reporting. 

The threat actors have vowed to continue their leaks, claiming they will release data from companies that refuse to pay.

Ongoing risks to organizations

While the FBI’s seizure represents a major law enforcement victory, the case underscores the difficulty of fully dismantling decentralized cybercrime groups. 

Despite infrastructure takedowns, threat actors often resurface under new names or platforms, continuing their campaigns from the dark web or encrypted channels like Telegram.

ShinyHunters has declared that they will not attempt another BreachForums reboot, warning others that such forums are now likely honeypots—baited environments controlled by law enforcement. 

However, the group insists that the Salesforce leak campaign remains active, emphasizing that the seizure did not disrupt their core operations.

The FBI’s coordinated takedown of BreachForums marks another significant step in combating global cybercrime. 

Yet, the persistence of groups like ShinyHunters and Scattered Lapsus$ Hunters illustrates how resilient and adaptive modern threat actors have become. 

Organizations can protect themselves by strengthening cybersecurity hygiene through layered defense, like building effective patch management programs, monitoring for data exposure, enforcing multi-factor authentication, and training employees.