{"id":30952,"date":"2025-04-30T20:55:31","date_gmt":"2025-04-30T20:55:31","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=30952"},"modified":"2025-04-30T22:38:41","modified_gmt":"2025-04-30T22:38:41","slug":"breachforums-is-down-pgp-signed-message","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/breachforums-is-down-pgp-signed-message\/","title":{"rendered":"BreachForums is Down, Admins Posted a PGP-Signed Message"},"content":{"rendered":"<p><strong>BreachForums, an infamous Darknet forum, has gone offline recently, only to get back<\/strong> up with a worrying message on its main page. The administration posted a notice, signed with PGP for authenticity, stating they took the site offline after learning of a MyBB 0day exploit by law enforcement.<\/p>\n<h2>BreachForums Administration Posted a PGP-Signed Message<\/h2>\n<p>BreachForums, a well-known English-language marketplace for stolen data and hacking tools, has a documented history of disruptions by law enforcement, followed by periods of resurgence. The latest outage, beginning <strong>around April 15, 2025<\/strong>, triggered widespread speculation about its cause, ranging from Distributed Denial-of-Service (DDoS) attacks to law enforcement actions.<\/p>\n<p>However, on April 28, 2025, the administration <a href=\"https:\/\/breachforums.st\/\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">posted a PGP-signed message<\/a> on the forum\u2019s landing page, providing clarification. 
The message from BreachForums administration appears authentic and explains a voluntary shutdown due to a suspected MyBB 0day exploit by law enforcement, with no infrastructure compromise or data infiltration.<\/p>\n<figure id=\"attachment_30957\" aria-describedby=\"caption-attachment-30957\" style=\"width: 1612px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/BreachForums-mainpage.webp\" alt=\"BreachForums mainpage\" width=\"1612\" height=\"1593\" class=\"size-full wp-image-30957\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/BreachForums-mainpage.webp 1612w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/BreachForums-mainpage-300x296.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/BreachForums-mainpage-1024x1012.webp 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/BreachForums-mainpage-768x759.webp 768w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/BreachForums-mainpage-1536x1518.webp 1536w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/BreachForums-mainpage-860x850.webp 860w\" sizes=\"auto, (max-width: 1612px) 100vw, 1612px\" \/><figcaption id=\"caption-attachment-30957\" class=\"wp-caption-text\">BreachForums mainpage on April 30, 2025<\/figcaption><\/figure>\n<h2>What do they say &#038; is it true?<\/h2>\n<p>Let&#8217;s analyze the message to shed some light on what&#8217;s going on. The message is signed with PGP, using SHA512 for hashing, and includes a signature block. It states that around April 15, 2025, confirmation was received about a MyBB <a href=\"https:\/\/gridinsoft.com\/zeroday\">0day vulnerability<\/a> that had been suspected since the forum\u2019s launch, based on information from trusted contacts. 
In response, the infrastructure was immediately shut down and incident response procedures were initiated. No compromise or data breach was found.<\/p>\n<p>The exploit was identified in the PHP code of the MyBB source, and a full backend rewrite is currently in progress. An apology is offered for the lack of earlier communication, explaining that the focus was on ensuring the safety of the infrastructure, the staff, and the community. The message <strong>denies any arrests of team members<\/strong> and reassures that the infrastructure is secure. It also warns users not to engage with BreachForums clones, calling them <a href=\"https:\/\/gridinsoft.com\/honeypot\">likely honeypots<\/a>. So, given the PGP signature and corroboration, the message appears authentic.<\/p>\n<h2>What were the risks for BreachForums?<\/h2>\n<p>BreachForums faced serious risks that could have led to its shutdown, loss of user trust, or legal consequences for its operators. Law enforcement may have exploited <a href=\"https:\/\/gridinsoft.com\/vulnerability\">a critical vulnerability<\/a> in the forum\u2019s software to gain covert access, possibly identifying users or collecting evidence. Admin accounts were compromised, and some moderators went silent, hinting at arrests or infiltration. On top of that, the 0day exploit exposed the backend, creating a high risk of surveillance or data leaks.<\/p>\n<p>Fake clones of the forum appeared, likely set up to trick users into revealing sensitive info \u2013 a classic honeypot strategy. Finally, past data breaches show that user info like IPs and emails could easily be exposed if the forum\u2019s security fails again. In short, the main risk is law enforcement agencies gaining access to the forum backend, with subsequent deanonymization of both users and admins.<\/p>\n<p>By the way, about the admins and their hasty reaction. The admins\u2019 paranoia isn\u2019t just a vibe \u2013 it\u2019s a survival instinct. 
One of the original founders <a href=\"https:\/\/www.documentcloud.org\/documents\/23713130-pompourin-affidavit-govuscourts\/\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">was arrested in March 2023<\/a> and even did time in jail (even though it was just 17 days). Then in May 2024, <a href=\"https:\/\/gridinsoft.com\/blogs\/breachforum-is-seized-again\/\">the forum got seized again<\/a> after a Europol-related leak. So yeah, they\u2019ve got a bit of trauma.<\/p>\n<figure id=\"attachment_22093\" aria-describedby=\"caption-attachment-22093\" style=\"width: 1515px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/05\/breachforum-seized-fbi.webp\" alt=\"BreachForum FBI banner\" width=\"1515\" height=\"848\" class=\"size-full wp-image-22093\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/05\/breachforum-seized-fbi.webp 1515w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/05\/breachforum-seized-fbi-300x168.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/05\/breachforum-seized-fbi-1024x573.webp 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/05\/breachforum-seized-fbi-768x430.webp 768w\" sizes=\"auto, (max-width: 1515px) 100vw, 1515px\" \/><figcaption id=\"caption-attachment-22093\" class=\"wp-caption-text\">FBI banner that once toppled BreachForums&#8217; main page<\/figcaption><\/figure>\n<p>In April 2025, an admin\u2019s Telegram account suddenly redirects to an FBI channel, and two mods vanish into thin air \u2013 one deletes their account, the other goes invisible. But the admins later confirmed that law enforcement had been exploiting a MyBB 0day vulnerability, which led to the forum being shut down voluntarily.<\/p>\n<p>There\u2019s also a deep distrust in the community. 
After the 2024 takedown, no user data was restored, and features like the shoutbox were disabled to reduce the attack surface. Add in legal risks, constant pressure from law enforcement, and the fact that <strong>they&#8217;re running an underground operation<\/strong> \u2013 that explains a lot.<\/p>\n<h2>Current Status<\/h2>\n<p>The outage began around April 15, 2025, with initial claims of <a href=\"https:\/\/gridinsoft.com\/ddos\">a DDoS attack<\/a> by the Dark Storm Team, a pro-Palestinian hacktivist group. Another analysis suggests law enforcement action is more probable. However, given the lack of typical seizure indicators like FBI banners, the latter is unlikely. In addition, DNS records remained with DDoS-Guard rather than Cloudflare, which is typical for FBI seizures.<\/p>\n<p>As of April 30, 2025, there have been no significant updates since the April 28 message, <strong>with the forum offline<\/strong>. BreachForums displays the shutdown message, suggesting ongoing efforts but no return yet.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>BreachForums, an infamous Darknet forum, has gone offline recently, only to get back up with a worrying message on its main page. The administration posted a notice, signed with PGP for authenticity, stating they took the site offline after learning of a MyBB 0day exploit by law enforcement. 
BreachForums Administration Posted a PGP-Signed Message BreachForums, [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":30954,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[1221],"class_list":{"0":"post-30952","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-breachforums"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2025\/04\/Breachforums.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/30952","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=30952"}],"version-history":[{"count":11,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/30952\/revisions"}],"predecessor-version":[{"id":30964,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/30952\/revisions\/30964"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/30954"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=30952"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=30952"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=30952"}],"curies":[{"na
me":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}