On 25 June 2025, France’s specialist cybercrime unit (BL2C) detained five French nationals accused of administering BreachForums, a notorious global data-theft marketplace. This operation marks a critical win in disrupting underground cybercrime networks tied to massive breaches.
According to LeParisien, a coordinated sweep carried out by the Brigade de lutte contre la cybercriminalité (BL2C) on 25 June 2025 resulted in the arrest of four high-profile individuals in metropolitan France and La Réunion, following an earlier arrest in February of one administrator known as “IntelBroker.” The accused-using the online aliases ShinyHunters, Hollow, Noct, and Depressed-allegedly operated BreachForums, one of the largest platforms for trading stolen personal data globally.
This arrest disrupts a thriving ecosystem: BreachForums facilitated the sale of massive data troves from companies such as Boulanger, SFR, France Travail, and the French Football Federation, affecting millions of individuals. Breaking this network sends a strong message to cybercriminals, including in the Middle East and Africa (MEA), about the expanding reach of European cyber enforcement.
Timeline of Key Events
From RaidForums to BreachForums
- March 2022: BreachForums launched as a successor to the seized RaidForums.
- March 2023: Founder Conor “Pompompurin” Fitzpatrick was arrested by the FBI. The site went offline briefly.
- May 2024: Site relaunched under alias ShinyHunters and IntelBroker following an FBI seizure.
Recent Arrests
- February 2025: IntelBroker was apprehended in France.
- 25 June 2025: BL2C arrested four more suspects across Hauts-de-Seine, Seine-Maritime, and La Réunion.
Who Were the Suspects?
The French-linked operators-ShinyHunters, Hollow, Noct, and Depressed-were alleged to manage BreachForums v2, facilitating data dumps and forum administration. IntelBroker, previously arrested, had overseen the platform post relaunched.
Security expert Benoît Grunenwald (ESET) commented:
“They are technically sophisticated-it takes proven skill to administer a site like BreachForums in a community built on trust and anonymity.”
Grunenwald added French involvement should not surprise:
“Homegrown talent with cyber capabilities-think of the MBA hackers in MEA markets; here, you have a domestic threat acting globally.”
MEA and Global Implications
Regional Risk and Regulatory Signals
Although based in France, BreachForums’ stolen data reached victims worldwide, including MEA regions. Local organisations should be alert to breached credentials circulating via this network. Under UAE’s NESA, Kenya’s Data Protection Act, and other MEA frameworks, firms must strengthen awareness, breach response, and security services against third-party data leaks.
Global Law Enforcement Pressure
The arrests show an upswing in international cooperation—Europe, the US (FBI), and Africa-led forces have collectively pressured cybercriminal forums. This aligns with ENISA, CISA, and Interpol’s trend of coordinated takedowns.
Technical Profile: Dark Forum Operations
MITRE ATT&CK Technique Mapping
--------------------------------
Initial Access = T1190 (Web forum exploitation)
Privilege Escalation = T1068 (Misconfigured forum software)
Defense Evasion = T1027 (Encrypted/private comms)
Collection = T1411 (Forum database access)
Exfiltration = T1041 (Post and data distribution)
Impact = T1496 (Data manipulation/leakage)- The forum leveraged MyBB software; in April 2025, admins claimed a MyBB 0‑day had been patched after suspected infiltration.
- BreachForums’ infrastructure facilitated massive data trades, offering APIs for searching breaches.
Law Enforcement & Community Response
The operation was led jointly by BL2C and FBI-supported investigations, reflecting a surge in enforcement intensity, particularly after previous disruptions in May 2024. This action comes as the forum has hosted leaks affecting millions e.g., the France Travail breach of 43 million records.
10 Defensive Steps for Organisations
- Monitor Dark Web Forums: Use OSINT tools to detect leaked MEA-based credentials.
- Rotate Leaked Credentials: Revoke and update any staff accounts exposed in known leaks.
- Enforce MFA & Strong Access Control: Protect business-critical accounts against password reuse.
- Secure Forum Software: Use tools like MyBB or phpBB; disable unused modules and patch zero-days.
- Third‑Party Risk Management: Require forensic due‑diligence for data brokers and partners.
- Threat Intelligence Subscriptions: Subscribe to
cybercory.com/alertsfor dark-web monitoring. - Incident Response Playbooks: Include dark-web leak response in your IR plans.
- Employee Awareness Training: Regular awareness sessions on phishing and dark web exploitation.
- Collaboration with Law Enforcement: Report leaks to local CERTs or Interpol-supported units.
- Continuous Penetration Testing: Engage external pentesting firms via saintynet.com/security-services.
Conclusion
The arrest of these BreachForums admins is a landmark moment in the global fight against cybercrime. It shows that cybersecurity, in MEA or beyond, demands vigilance against clandestine platforms enabled by skilled but rogue actors. Cooperation between public and private sectors will remain essential to anticipate leaks, enforce best practices, and safeguard digital assets.
Sources
- BleepingComputer – BreachForums operators arrested in France, 25 June 2025
- SiliconAngle – BreachForums leaders arrested, 25 June 2025
- InfoSecurity Magazine – French authorities arrest BreachForums members, 25 June 2025
- Wikipedia – BreachForums shutdown and arrests, June 2025
- Zataz – MyBB zero‑day infiltration reported, 2 May 2025
- CPO Magazine – FBI seizure history, May 2024
- ENISA/CISA joint takedown references from previous law enforcement actions. (cybercory.com, bleepingcomputer.com, siliconangle.com, infosecurity-magazine.com, zataz.com, cpomagazine.com)
