
Today the FBI seized the BreachForums domain (Breachforums.hn) used by the Scattered Lapsus$ Hunters ransomware gang. As 暗网下/AWX reported earlier, the extortion group set up a dark web leak site after hacking Salesforce and its customers, and this domain was the clearnet mirror of that data leak site.
This summer, the Breachforums[.]hn domain was used to relaunch the dark web data leak forum BreachForums, but after several of its core operators and administrators were arrested, the site quickly went offline again. According to earlier 暗网下/AWX reporting, in June this year French law enforcement arrested four BreachForums members, including ShinyHunters, Hollow, Noct and Depressed, and the United States indicted another BreachForums member, IntelBroker. In July, ShinyHunters announced the relaunch of BreachForums; a month later the new forum went offline and ShinyHunters published a PGP-signed message stating that the forum's infrastructure had been seized by France's BL2C unit and the FBI, and that it would not be relaunched.
Earlier this month, the Scattered Lapsus$ Hunters gang repurposed the domain as a leak site for the Salesforce data theft, with the aim of extorting Salesforce and the affected customer companies. As 暗网下/AWX previously described, the Scattered Lapsus$ Hunters gang is made up of members linked to the Scattered Spider, Lapsus$ and ShinyHunters ransomware gangs.
This week the Breachforums[.]hn domain became unreachable; on October 8 the gang announced on its Telegram channel that it would no longer operate a clearnet domain. On October 9, the Breachforums[.]hn domain was taken over by the FBI: its NS records were switched to ns1.fbi.seized.gov and ns2.fbi.seized.gov, and visiting the domain now shows a large seizure banner.
According to the seizure notice, US and French law enforcement worked together to take control of all of BreachForums' network infrastructure before the Scattered Lapsus$ Hunters gang began leaking the data stolen from Salesforce.
On X, the FBI stated that the Bureau and its partners had seized domains associated with BreachForums. The criminal marketplace had been used by groups such as ShinyHunters, Baphomet and IntelBroker to sell stolen data and carry out extortion. The operation cut off a key channel the criminals used to profit from this hub, recruit accomplices and target victims across industries, and demonstrates the deterrent power of coordinated international law enforcement: those behind cybercrime will be made to pay.
In response, the Scattered Lapsus$ Hunters gang taunted on its Telegram channel that seizing a domain would not affect its operations and that the FBI would need to try harder.
The Scattered Lapsus$ Hunters gang's statement on its Telegram channel responding to the seizure of the clearnet domain
On October 10, the Scattered Lapsus$ Hunters gang simultaneously published a PGP-signed statement on its Telegram channel, its dark web site and pastebin, confirming that the Breachforums[.]hn domain had been seized by the FBI and its international partners, and stating that the US government had already taken all of the BreachForums clearnet domains several days earlier and that the era of the BreachForums forum was over.
暗网下/AWX has confirmed that the statement is signed with ShinyHunters' PGP key, establishing that the message came from ShinyHunters. Other copies of the statement:
shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid[.]onion/end.txt.asc
https://web.archive.org/web/20251010015015/https://pastebin.com/raw/70p8bG5B
https://pastebin.com/raw/70p8bG5B
According to the statement, the gang says that after the clearnet domains were taken by the FBI it conducted a thorough review of the BreachForums infrastructure and found that everything originally under its control, which the FBI should not have been able to reach, was gone, leading it to conclude that it had been attacked by "US government hackers":
- The latest BreachForums database backup was compromised, and every database backup from 2023 to the present is lost
- All escrow databases hosted on the forum were compromised since their release
- The backend servers themselves were seized and destroyed
The gang urged its members and users to tighten their operational security, saying it is certain that the FBI and its international partners will crack down hard on many individuals over the coming weeks to months.
The gang said that over the years BreachForums has gone through major upheavals, and that counting the RaidForums seizure, this is the fourth time the FBI has taken action. It said it cannot win this war and is now officially declaring the end.
The gang also retraced the history of BreachForums: BreachForums launched shortly after RaidForums was seized, and pompompurin was merely a front; they had carefully planned the launch. Unforeseen circumstances then threw everything into chaos, which prompted ShinyHunters to come out publicly in 2023 and take over the forum together with Baphomet, but in 2024 another unexpected turn led to the forum being seized again.
The gang said BreachForums will never return, and that if it does reappear it should be treated as a honeypot.
However, the gang specifically noted that the US government's recent seizure of the BreachForums clearnet domains has no impact on its Salesforce campaign. The real trigger for today's seizure, it said, was that the data leak site was reachable through the BreachForums clearnet domain.
The gang's dark web leak site lists the companies affected via the Salesforce supply chain, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France and KLM, TransUnion, HBO Max, UPS, Chanel and IKEA.
The gang told everyone to stay tuned for 11:59 PM New York time on October 10, 2025, and left two email addresses for media inquiries: shinycorp@tutanota.com, shinygroup@onionmail.com
The original PGP-signed statement published by the Scattered Lapsus$ Hunters gang
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,
BreachForums was seized by the FBI and international partners today. This was inevitable and I am not surprised. Neither I nor others involved with this group have been arrested. All our BreachForums domains were taken from us by the US Government a few days ago. The era of forums is over.
We have conducted a thorough incident response on the BreachForums infrastructure ever since the domains were taken:
- BreachForums' latest database backup was compromised along with every single database backup from 2023 till now.
- All escrow databases were compromised ever since their release.
- The backend servers themselves were seized and destroyed.
In the simplest terms, we very likely got hacked by the US Government; considering their splash page is up on the BreachForums onion, it's a clear sign that everything in our control that they wouldn't have been able to reach is gone.
For your own safety, security, and sanity keep your opsec in check. I have no doubt the FBI and other international partners involved will be cracking down on many individuals in the next coming few weeks to months.
Over the years, BreachForums has undergone significant turbulence. By my count this is the 4th time, including the RaidForums seizure, that the FBI has taken action, consistently. We are not fighting this war anymore; this is officially the end.
To confirm a wild conspiracy theory brought up by multiple individuals and some security researchers over time:
The following is not common knowledge among the general community and public, but when RaidForums was seized and BreachForums was launched shortly after, pompompurin was just a front. We all carefully planned the launch of BreachForums since day 1; ever since then everything has gone to complete shit because of unforeseen circumstances and situations, which led me to coming out publicly in 2023 and owning the forum along with Baphomet. Again, unforeseen circumstances led to the seizure once again in 2024. Now we're here. Ever since the beginning, nothing good has come from this. BreachForums is never coming back; if it comes back, it should immediately be considered a honeypot.
There is not much to say about this seizure, but one thing to note is that the recent action the US Government has taken against us has no impact on our Salesforce campaigns. The fact that our DLS was also hosted on the BreachForums clearnet domain, and because we planned to re-open the forum to leak the data of companies who have not complied with us when the deadline arrived onto the re-opened BreachForums, was likely the cause of today's seizure.
Time to move on, stay tuned for 11:59 PM New York time on 10/10/2025!
Media enquiries: shinycorp@tutanota.com, shinygroup@onionmail.com
-- ShinyHunters / BreachForums Administration Team