FBI and French Police Shutter BreachForums Domain Again

The FBI and French investigators have seized at least one domain for a popular cybercrime forum being used as a leak site in connection with the recent Salesforce breaches.

Screenshots posted to X (formerly Twitter) reveal the clearweb site for BreachForums now embossed with the logos of the FBI, Justice Department, French cybercrime police group BL2C and Paris Prosecutor’s Office division JUNALCO.

“The FBI and our partners have seized domains associated with BreachForums, a major criminal marketplace used by ShinyHunters, Baphomet, and IntelBroker to traffic stolen data and facilitate extortion,” the accompanying post explained.

“This takedown removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors. It demonstrates the reach of coordinated international law enforcement operations to impose cost on those behind cybercrime.”

Although the notice references more than one domain, widespread reports suggest that the authorities have only disrupted “breachforums[.]hn,” with the related .onion site still online.

This means the seizure will do little to stop the ongoing extortion of victims of the recent Salesforce campaign. Scattered Lapsus$ Hunters claims to have over one billion records in its possession, and provided an October 10 deadline to negotiate.

A separate PGP-signed statement from ShinyHunters reposted by SOCRadar claimed the Feds have also seized every database backup for the BreachForums site since 2023, and that all escrow databases have been compromised. The backend servers have been destroyed, it added.

“BreachForums is never coming back; if it comes back, it should immediately be considered a honeypot,” the statement continued.

“There is not much to say about this seizure, but one thing to note is that the recent action the US government has taken against us has no impact on our Salesforce campaigns.”

Salesforce Victims Remain Exposed

Noelle Murata, senior security engineer at Xcape, agreed that the takedown would do little to halt the extortion campaign.

“Organizations affected by the Salesforce breach should prepare for potential data exposure, even with the forum offline. This includes strengthening monitoring efforts and having response plans in place,” she argued. 

“The increased effectiveness of law enforcement in this situation is matched by the threat actors’ ability to adapt and find new platforms, highlighting the ever-changing interplay between attack, defense, and the role of law enforcement.”

However, the seizure of backups could help law enforcers with other investigations, said AppOmni chief security officer, Cory Michal.

“If that’s accurate, it’s interesting because it means investigators now have access to historical user data, including registration details, IP logs, private messages, and transaction records from one of the most active criminal communities over the past few years,” he added. 

“That level of visibility can directly aid in mapping relationships, attributing aliases to real identities, and building stronger criminal cases against repeat offenders. It’s not just a domain seizure, it’s potentially a treasure trove of evidence to further the investigation.”

It’s believed that dozens of organizations were breached via the Salesforce campaign, including FedEx, Home Depot, Google, Air France/KLM, Chanel, Pandora and Adidas.

Victims were either targeted via a vishing campaign in which they were tricked into downloading a malicious version of Salesforce’s Data Loader app, or compromised via OAuth tokens associated with the third-party Salesloft Drift application.
