The FBI has formally seized the Breachforums[.]hn domain, one of the most active cybercrime forums used in 2025 for leaking data and extortion, including posts tied to a sprawling campaign leveraging Salesforce-related data. The domain’s DNS was redirected to ns1.fbi.seized.gov and ns2.fbi.seized.gov, displaying a takedown banner that signals control of the infrastructure by U.S. law enforcement.
FBI domain seizure of BreachForums: DNS switch and international cooperation
According to the FBI, the operation was conducted with support from French authorities and began prior to large-scale publication of materials alleged to be tied to the Salesforce ecosystem. In the lead-up to the seizure, the primary domain became inaccessible, and the Tor mirror experienced a brief outage before returning online. The DNS repointing to the FBI’s seized infrastructure served as a visible indicator of the impending confiscation, a pattern consistent with past international takedowns.
Escrow databases and deanonymization risk for forum users
BleepingComputer reports that threat actors claim law enforcement accessed archived BreachForums databases, including backups from 2023 and escrow records collected since the latest relaunch. If accurate, this exposure presents high risk to both operators and transacting parties who relied on the forum’s escrow for “safer” deals. In underground markets, escrow stores transaction details such as buyer/seller identifiers, payment references, and communications—data that can enable retroactive investigations and de‑anonymization.
Threat actor reaction: “The forum era is over” and honeypot warnings
A group calling itself Scattered Lapsus$ Hunters, which presents itself as bringing together members of Scattered Spider, LAPSUS$, and ShinyHunters, asserted on Telegram that backend servers were seized and that BreachForums will not return. The message was signed with a PGP key that BleepingComputer reports as verified. The group claims similar forums should now be treated as potential honeypots under law enforcement control, a common fear after prior takedowns of marketplaces such as RaidForums (2022) and Genesis Market (2023), which were dismantled through multinational actions documented by the U.S. Department of Justice and Europol.
Salesforce‑linked extortion campaign continues despite the takedown
Despite the domain seizure, the actors say their extortion operation tied to Salesforce data remains active, naming organizations such as FedEx, Disney and Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France and KLM, TransUnion, HBO Max, UPS, Chanel, and IKEA. They claim to hold up to 1 billion personal records and allege they are pressuring Salesforce to pay to prevent a full data release. These claims are unverified, but the tactics align with a broader trend: compromising SaaS platforms and data supply chains to increase leverage against many downstream organizations at once.
Why SaaS‑focused extortion works
Targeting popular SaaS platforms amplifies blast radius and monetization. Even limited metadata—such as email addresses, account identifiers, or integration references—can drive secondary attacks, including phishing, session hijacking, OAuth token abuse, and lateral movement via connected apps. Recent industry reporting underscores this: the 2024 Verizon DBIR attributes the majority of breaches to the human element and misuse of credentials, while advisories from CISA and major cloud providers warn of growing token theft and session replay techniques across SaaS ecosystems.
Immediate and mid‑term security actions for Salesforce and SaaS
Immediate actions: Revoke suspicious OAuth tokens and Connected Apps; rotate credentials and integration secrets; enforce IP allowlists for administrative access; require MFA/SSO for all privileged roles; enable Shield Event Monitoring (or equivalents) for login and API telemetry; audit DLP and data export policies to minimize unnecessary exposure.
Mid‑term measures: Detect anomalies such as bulk SOQL queries, API volume spikes, and atypical geographies; enforce least‑privilege scopes on integrations; run tabletop exercises for PII leaks; put incident response and legal counsel under contract in advance; validate regulator and customer notification plans with tested templates and timelines.
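The three detections named above (bulk SOQL queries, API volume spikes, atypical geographies), as an added example that is not from the original article or from Salesforce: a small Python rule set run over a constructed CSV sample. The column names, thresholds, and per-user baselines are assumptions for illustration, not the product's actual Shield Event Monitoring schema; in practice the baselines would come from the organization's own historical telemetry.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

BULK_ROWS = 10_000   # one API/SOQL call returning this many rows counts as bulk
SPIKE_FACTOR = 3     # API calls above baseline x factor in the window is a spike

# Constructed sample, loosely shaped like an event-monitoring CSV export;
# the column names are assumed for illustration, not the product's schema.
SAMPLE_LOG = """TIMESTAMP,EVENT_TYPE,USER_ID,SOURCE_IP,COUNTRY,ROWS_PROCESSED
2025-10-09T08:00:01Z,Login,u-alice,198.51.100.10,US,0
2025-10-09T08:00:05Z,API,u-alice,198.51.100.10,US,200
2025-10-09T08:01:10Z,API,u-alice,198.51.100.10,US,150
2025-10-09T08:02:00Z,Login,u-integ,203.0.113.7,NL,0
2025-10-09T08:02:03Z,API,u-integ,203.0.113.7,NL,50000
2025-10-09T08:02:04Z,API,u-integ,203.0.113.7,NL,50000
2025-10-09T08:02:05Z,API,u-integ,203.0.113.7,NL,50000
2025-10-09T08:02:06Z,API,u-integ,203.0.113.7,NL,50000
"""
# Constructed per-user baselines: normal API calls per window and known countries.
BASELINE_CALLS = {"u-alice": 3, "u-integ": 1}
KNOWN_COUNTRIES = {"u-alice": {"US"}, "u-integ": {"US"}}

def detect(log_text, baseline_calls, known_countries):
    """Return sorted (rule, user, value) alerts, one per rule/user/value."""
    calls, bulk_rows, seen_geo = Counter(), defaultdict(int), defaultdict(set)
    for ev in csv.DictReader(StringIO(log_text)):
        user = ev["USER_ID"]
        seen_geo[user].add(ev["COUNTRY"])
        if ev["EVENT_TYPE"] == "API":
            calls[user] += 1
            rows = int(ev["ROWS_PROCESSED"] or 0)
            if rows >= BULK_ROWS:
                bulk_rows[user] += rows
    alerts = [("bulk_soql", u, rows) for u, rows in bulk_rows.items()]
    for user, n in calls.items():
        # users with no baseline get 0, so any API activity is flagged
        if n > SPIKE_FACTOR * baseline_calls.get(user, 0):
            alerts.append(("api_spike", user, n))
    for user, countries in seen_geo.items():
        for country in sorted(countries - known_countries.get(user, set())):
            alerts.append(("atypical_geo", user, country))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, user, value in detect(SAMPLE_LOG, BASELINE_CALLS, KNOWN_COUNTRIES):
        print(f"{rule:13} {user:8} {value}")
```

On the sample, the integration user trips all three rules while the interactive user trips none, which is the kind of separation that makes the resulting alerts worth routing to the response plan.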
Law enforcement pressure on cybercriminal infrastructure is increasing in scope and coordination, but the threat landscape adapts quickly, often shifting to private channels and federated messengers. Organizations should assume compromise is possible, reduce SaaS data exposure, and invest in high‑fidelity monitoring and rehearsed response. Strengthening identity controls, hardening integrations, and pruning excessive access remain the most reliable levers to limit impact—regardless of which forum or channel adversaries use next.