FBI shuts down yet another version of BreachForums

The FBI has seized yet another BreachForums domain (Breachforums[.]hn) that hackers used for data dumps, listing 39 organizations affected by Salesforce-related data breaches. The threat actors now claim that law enforcement not only took the site offline but also obtained the hack forum’s database backups.

The domain Breachforums[.]hn appeared in the summer of 2025 and was used for yet another relaunch of the well-known hacker forum; however, the relaunch was followed by a new series of arrests of the site’s alleged operators.

In October 2025, the Scattered Lapsus$ Hunters group (a coalition of members of the hacker groups Scattered Spider, LAPSUS$, and Shiny Hunters) turned the site into a dumping ground for leaked data, listing 39 organizations that suffered from Salesforce-related data breaches.

As we mentioned earlier, last week BreachForums[.]hn went offline, as did its Tor version. Although the onion site soon came back online, the main domain remained unavailable and its name servers were switched to surina.ns.cloudflare.com and hans.ns.cloudflare.com, which had previously been used by the FBI.

The FBI has now officially announced its operation, posting a banner with a seizure notice on the site and switching the domain’s DNS to ns1.fbi.seized.gov and ns2.fbi.seized.gov.

According to this report, U.S. and French law enforcement joined forces and seized BreachForums’ infrastructure before hackers from Scattered Lapsus$ Hunters began using the site to post data from companies affected by the Salesforce attacks.

BleepingComputer reports that, according to members of the group, law enforcement did indeed gain access to the database archives of previous BreachForums versions. The hackers concluded that all BreachForums database backups since 2023 have been compromised, as well as all escrow databases since the forum’s latest relaunch.

Threat actors posted a message on Telegram, signed with ShinyHunters’ PGP key (BleepingComputer journalists confirm its authenticity), stating that the seizure of the domain was inevitable and writing that “the era of forums is over.” According to them, all BreachForums backend servers have been seized by the authorities.

Although none of the site’s main administrators were reportedly arrested, the hackers write that they will not relaunch BreachForums again, emphasizing that from now on any such sites should be regarded as honeypots.

The notice also stresses that the seizure of the domain and servers does not affect the progress of the extortion campaign tied to Salesforce. As a reminder, Scattered Lapsus$ Hunters are attempting to extort numerous well-known brands and organizations, including: FedEx, Disney and Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald’s, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France and KLM, TransUnion, HBO Max, UPS, Chanel, and IKEA.

The hackers also posted a separate entry on the site addressed to Salesforce. The extortionists demanded a ransom from the company to prevent the “leak” of all data of affected customers (a total of about 1 billion records containing personal information).
