
The new BreachForums is now reachable on the clearnet, and the infighting among threat actors has only just begun

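A few days ago, “暗网下/AWX” reported that a new BreachForums dark web forum had appeared again and that it was not possible to determine who was operating it. At that time the forum could be reached but not logged in to, reportedly “due to ongoing technical issues and large-scale DDoS attacks”. The forum now allows normal login and posting on the clearnet, but its dark web address is still unreachable.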

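In addition, the war among the threat actors continues. The ShinyHunters group has published more doxxing leads and insider details on the shinyhunte[.]rs website, which makes things easier for law enforcement action.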

BreachForums is accessible once again

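As described earlier, the new BreachForums was built from a previously leaked public backup of BreachForums, so earlier BreachForums users can access it without registering again.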

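With the technical issues and the large-scale DDoS attacks resolved, the new BreachForums has reopened. The forum has added DDOS-GUARD to protect against DDoS attacks, and access speed on the clearnet is fairly good.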

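Although many rumors suggest that the new BreachForums is a honeypot, the forum has still attracted a large following because it lacks a strong competitor. According to the forum's online status, 1,000 users were online within one hour, one fifth of them registered users. Without any large-scale promotion, it has already gained considerable popularity.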

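As covered last time, the clearnet and dark web addresses published by the new BreachForums are as follows (for use by cybersecurity researchers and police investigations only):

Clearnet address: breachforums[.]bf

Dark web address: http://breachedmw4otc2lhx7nqe4wyxfhpvy32ooz26opvqkmmrbg73c7ooad[.]onion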

The infighting among threat actors has only just begun

As covered last time, at least two groups are fighting behind the new BreachForums: one side calls itself ShinyHunters, and the other is Scattered Lapsus$ Hunters (SLSH for short).

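The internal conflict between the hacking group ShinyHunters and the ransomware group Scattered LAPSUS$ Hunters (SLSH) is escalating, with one side announcing that it can hand evidence of the other side's crimes to the FBI, BL2C and Interpol free of charge. Based on the updates posted to the shinyhunte[.]rs website, the timeline is as follows: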

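October 16, 2025: The site published a message directly threatening a Frenchman named “James” (suspected handles S.E./X*K). The message claimed that the real ShinyHunters were finishing what the FBI had left undone. Its tone was hostile, and it was the first public escalation between the threat actors.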

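October 21, 2025: The site published a letter-style message addressed to “James”, warning him that the consequences of the path he had chosen were more serious than he imagined and that burning his bridges was not a wise move. It quoted the Latin phrase “sic transit gloria mundi” (thus passes the glory of the world) and warned that every step he took would set off a chain reaction far beyond what he expected.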

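December 14, 2025: The site denied rumors of an alliance with #SLSH (Scattered LAPSUS$ Hunters). It also linked to the BreachForums relaunch (possibly an attempt to legitimize the suspected honeypot operation), and threatened to publicly expose James's information within 24 hours if he did not respond.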

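December 18, 2025: The site published a detailed PGP-signed statement, accompanied by a countdown timer and arrest photos (relating to Yuro, i.e. A.E., and Trihash, i.e. R.L.). It accused the Frenchman “James” of stealing Trihash's PGP key by abusing his trust and of carrying out the attack against Salesforce without the consent of the other members. The statement said that the extortion incidents attributed to ShinyHunters and SLSH were mainly planned and carried out by S.E. (alias X*K, also using the pseudonym “James”), and that he is no longer a member of ShinyHunters (SH).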

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Statement Regarding the Shiny Hunters and Scattered Spider Groups

The Shiny Hunters group includes several members, one of whom goes by the name “James.” Following the arrests of Yuro (A.E.) and, more recently, Trihash (R.L.), this individual has been attempting to divert investigators’ attention by leading them toward false trails.

Currently, he is posing as a member of the Scattered Spider group. He claims that the attacks attributed to Shiny Hunters were actually carried out by supposed English-speaking or Russian-speaking actors, with the goal of claiming credit for most of the previous operations orchestrated by the group’s members.

In reality, he is a former associate who operated in the shadows to organize ransomware attacks, particularly the one targeting Salesforce without the approval of the other members.

To note:
The ransoms attributed to the Shiny Hunters and Scattered Spider groups are largely the work of S.E., alias X*K, who also uses the pseudonym “James.”

Important clarification:
After this publication, this individual will likely continue to muddy the waters by trying to make people believe that the perpetrators are English-speakers. In fact, he is a French individual suffering from psychological disorders, exhibiting multiple personalities.

The infamous “James” is a Frenchman who has always been very close to Trihash and Yuro, under this same identity.

Related events:
He is also involved in the attack on the WEMIX token, as well as several other ransom operations signed with Shiny Hunters’ PGP key.

Key point:
He is no longer part of Shiny Hunters (SH)! Furthermore, he holds the PGP key, which he obtained from our friend Trihash by abusing his trust in order to orchestrate ransoms under the pretense of exonerating him.

Contact Telegram : https://t.me/wokawoka10
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

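December 19, 2025: The conflict escalated further, revealing a new alias for “James”: “M.S”. The site declared that day to be the end of ShinyHunters' operations, using a theatrical “showtime” message with a devil emoji, hinting that a major action or exposure was imminent.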

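December 21, 2025: The site posted its latest update, publicly exposing what it says is the real identity of the “Shiny” member of SLSH. It claimed that his name is Mattys Savoie and listed his alleged criminal record: Salesforce (customer data leak and attempted extortion against the company), Millicom (extortion against the telecommunications company) and Wemix (theft of tokens through a compromised GitHub repository). It said this material can be provided to the FBI, BL2C and Interpol free of charge.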

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

THE TRUTH ABOUT Scattered LAPSUS$ Hunters

For these last three days, we have talking & puttin pressure on our old partner.
He has our money and he has chosen not to give back. Now it’s time to pay with money or no.

Since the arrests of Raphaël (Trihash/Hollow) and Adel (YuroSH), no one can make sense of what is happening anymore.

Just before Trihash/Hollow was arrested, he made a deal with his French friend Mattys Savoie by giving him the SH PGP key.
Why? To create the fake Telegram group, keep talking publicly, cause as much chaos as possible, and try to clear Trihash/Hollow’s name.
But Mattys’s plan went so far: to continue ransomware attacks and launch his own forum (breachstars.io) to get the same notoriety as BreachForums and recruit a new team of hackers.
This plan was against what Raphaël believed in — Mattys just abused of ShinyHunters PGP key.

Salesforce, Wemix… and others.
it was him, alone without any other guy “unc1201,unc154” all are his other accounts.

Message to the authorities:
Try to speak with Raphaël again. You’ll maybe get the truth.

Any message signed with the PGP key “SHINY HUNTERS” is Mattys Savoie. No need to look elsewhere.

What we’re holding against him:

He never stopped pretending to be someone else — notably on a Telegram channel claiming to be Scattered LAPSUS$ Hunters, when it was all a fraud it was just “mattys savoie”.

Salesforce – Customer data leak and attempted extortion against the company.

Millicom – Extortion attempt against the telecommunications company.

Wemix – Theft of tokens through a compromised GitHub repository.

All this was made to make feds/public think that “ShinyHunters” hasn’t been arrested.

We have far more proofs proving his involvement.
FBI, BL2C, Interpol… We have what you need, and we’re giving it to you. For free. Only because he has no brain.

To contact us: @wokawoka10
Best regards.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

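An archive.org cached link to the latest version of the shinyhunte[.]rs website was also posted in a pinned announcement on the new BreachForums. This shows that the conflict among the threat actors behind the new BreachForums has escalated step by step from threats to personal exposure and a split within the group. The situation is still developing, and “暗网下/AWX” will continue to follow it.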
