French law enforcement has successfully dismantled one of the largest stolen data marketplaces on the darknet, marking a significant victory in the global fight against cybercrime. The Paris Police Department’s cybercrime unit arrested four key BreachForums administrators known by their aliases ShinyHunters, Hollow, Noct, and Depressed, effectively shutting down a platform that facilitated millions of dollars in cybercriminal activities.
Coordinated International Law Enforcement Operation
The sophisticated operation involved simultaneous raids across multiple French territories, including Paris, Normandy, and Réunion Island, demonstrating the extensive geographical reach of the cybercriminal network. According to French publication Le Parisien, the coordinated strikes were part of a broader international effort to combat darknet marketplaces specializing in stolen personal data.
In a related development, authorities revealed that notorious hacker IntelBroker was secretly arrested in February 2025, with details only emerging following the recent operation. This strategic information withholding likely prevented other forum members from taking protective measures.
Evolution of BreachForums: From RaidForums to Final Shutdown
BreachForums emerged as a successor to RaidForums, which the FBI shuttered in 2022. The platform quickly established itself as a premier destination for trading compromised databases and personal information, attracting cybercriminals worldwide with high-profile data breaches including Congressional healthcare provider DC Health Link and millions of Twitter user records.
Following the March 2023 arrest of founder Connor Brian Fitzpatrick, who received a 20-year supervised sentence, the forum evolved into BreachForums v2. This iteration operated under the leadership of ShinyHunters, Baphomet, and IntelBroker until its final closure in April 2025, when attackers exploited a zero-day vulnerability in the MyBB management system.
Scale of Criminal Activities and Victim Impact
The arrested administrators face charges related to breaching major French organizations, including electronics retailer Boulanger, telecommunications giant SFR, employment service France Travail, and the French Football Federation. The most devastating attack compromised approximately 43 million personal records from France Travail, highlighting the massive scale of data exposure facilitated by the platform.
ShinyHunters: Profile of a Prolific Cybercriminal Group
Security researchers believe ShinyHunters operates as a collective of cybercriminals rather than a single individual, responsible for high-profile attacks against Salesforce and SnowFlake infrastructure. These breaches subsequently impacted major corporations including Santander, Ticketmaster, AT&T, Advance Auto Parts, and Neiman Marcus, demonstrating the cascading effects of supply chain cyberattacks.
The group’s sophisticated attack methodologies and consistent operational security made them particularly challenging for law enforcement to track, requiring extensive international cooperation and advanced digital forensics techniques.
IntelBroker Identity Revealed: Kai West Charged by US Authorities
Parallel to the French arrests, US prosecutors in the Southern District of New York unveiled charges against 25-year-old British national Kai West, also known as Kyle Northern, identifying him as the person behind the IntelBroker persona. The indictment alleges West’s activities caused approximately $25 million in damages across more than 40 organizations.
West’s alleged victims span critical infrastructure and government agencies, including Europol, AMD, Nokia, HPE, and General Electric, showcasing the broad scope of his cybercriminal operations targeting both public and private sector entities.
Advanced Digital Forensics Lead to Identification
The FBI’s breakthrough in identifying IntelBroker demonstrates sophisticated investigative techniques combining traditional surveillance with blockchain analysis. An undercover agent’s $250 Bitcoin purchase of a stolen API key in January 2023 provided the initial thread that investigators followed through cryptocurrency exchanges to the Ramp banking platform, where West had registered using his real identity.
Additional evidence included IP address correlation between personal accounts and IntelBroker profiles, plus digital artifacts in West’s email accounts containing university correspondence and driver’s license photographs, creating an irrefutable identity linkage.
The successful dismantling of BreachForums represents a significant milestone in international cybercrime enforcement, demonstrating how coordinated efforts between law enforcement agencies can effectively target sophisticated criminal networks. While history suggests similar platforms may attempt to fill this void, the arrests of key administrators and the exposure of operational security weaknesses send a strong deterrent message to the cybercriminal community. Organizations should leverage this disruption period to strengthen their cybersecurity postures, implement robust monitoring systems, and conduct comprehensive security assessments to protect against the evolving threat landscape.