Exploring the dark web's most famous cybercrime forum in the cryptocurrency space
We gained access to BreachForums, a closed forum with a very active community of cybercriminals, in order to understand what products and services are sold on the digital black market, that is to say, the dark web.
Here is what we discovered.
This article is for educational purposes and does not encourage the use of the dark web.
What is the dark web?
For brief context, let us explain what we mean by the dark web and cybercriminal forums. The dark web is a hidden part of the internet, accessible only through specialized browsers like Tor and built around the anonymity of its users.
The dark web serves as a hub for both legitimate uses, such as private browsing, and illegal activities, including the sale of stolen data, drugs, weapons, services, and other smuggled products.
Cybercriminal forums on the dark web are communities where hackers, fraudsters, and other criminals exchange information, tools, and services, often using cryptocurrencies to facilitate anonymous transactions.
What is BreachForums?
BreachForums was launched under the name RaidForums in 2015 by a Portuguese hacker, Diogo Santos Coelho. RaidForums was created as a community focused on “raiding” websites and online spaces as a form of joking, trolling, or disrupting online activities.
However, when the site's hackers began breaking into social media platforms and websites and stealing the data of millions of users, they started selling this data to the highest bidder. RaidForums quickly transformed into one of the most sophisticated and well-established hubs of organized criminal activity on the dark web.
When Gate was hacked in February 2024, BreachForums was the first place where users' KYC data appeared for sale, and the same happened for the Bitcoin ATM code used in El Salvador, which appeared for sale on BreachForums in April of the same year.
The site began to attract cybercriminals seeking sensitive information from corporate security breaches, and even leaked government documents, making it the target of international law enforcement efforts.
In 2022, Europol and U.S. intelligence agencies collaborated to seize the site and identify and arrest the founder Diogo Santos Coelho, who is currently held in the United Kingdom awaiting extradition to the United States on charges of cybercrime.
RaidForums was quickly relaunched under the name BreachForums by a user named PomPomPurin, who was arrested by the FBI in 2023, and the site was taken over by another user named Baphomet. BreachForums was seized by the FBI in May 2024, although cloned versions of the site have reappeared.
Although the site remains very active, as we will show, many online users speculate that the site could be a “trap” set up by the FBI to monitor cybercriminals and expose them to prosecution.
What we found on the dark web in the criminal hub BreachForums
Upon entering BreachForums, we were immediately confronted with a wave of illegal offers. While some cybercriminal forums take a more subtle approach by masquerading as communities of computer and cybersecurity enthusiasts, BreachForums has never made such efforts to hide its true nature. At the time of our connection, the homepage displayed users offering brutal services from the MS13 gang, or La Mara Salvatrucha, for 10,000 dollars.
Like all dark web advertisements concerning violence, this is likely more of a scam than a genuine offer, but illegal activities do not stop there. The scrolling chat on the site also displayed users discussing in real-time the sales on the forum market, which was buzzing with sellers offering illegal products such as stolen data, tutorials on bank fraud and credit card scams, IP tracking, and much more.
There was also, of course, a dedicated discussion thread for anime and manga, because even cybercriminals have hobbies.
All the messages shown in this article were posted in the hours following our first connection, showing a great deal of activity in the online community that remains very active, although one might assume it is under close surveillance by law enforcement.
The image above shows users selling access to everything from online video streaming platforms like Paramount Plus and Netflix to hacked OnlyFans accounts.
Messages in the data leaks subforum showed users selling data leaks, including sets of email identifiers for executives of various companies, as well as identity documents from the United Arab Emirates, India, Qatar, and Saudi Arabia, along with a leak of files and images stolen from Saudi military emails.
This latest leak containing military documents appears to be authentic according to our preliminary analysis, but it has also been shown to date back to 2016, indicating that this user is attempting to present old leaked information as new, which is one of many examples of the types of fraud that occur even among online cybercriminals.
A user claimed to have exclusive access to a data leak from the Australian health insurer Medibank, and Medibank Australia was indeed hacked by Russian cybercriminals in 2022, when the personal information of 9.7 million Australians was stolen.
Unlike messages about hitmen, which are known to be scams on the dark web, these leaks of documents and identities are unfortunately very likely to be genuine, as the main purpose of BreachForums is indeed to sell stolen data of this kind, and the business has been thriving for years.
However, with the repeated seizures and arrests by law enforcement, it is possible that some of these messages are also traps set by the FBI or other agencies seeking to catch criminals in the act.
Services found on BreachForums
In addition to stolen data, industrious cybercriminals also offer various services for rent on the dark web, invariably accepting cryptocurrencies as payment.
On BreachForums, we immediately found users claiming to offer DDoS services, that is, distributed denial-of-service attacks for hire, in which criminals use a botnet to disrupt the operations of a website, either to extort money from the victim, target competing businesses, or simply harass an enemy.
A group of online cybercriminals had an advertisement for HVNC (Hidden Virtual Network Computing) services, which can be used to gain remote access to a victim's computer.
It was interesting to note that, just like an advertisement for a legitimate online service, the message had a detailed list of available features and pricing options and offered customer support in Russian and English.
Other offerings included phone number services that allow criminals to receive login codes and activate online accounts without identifying themselves or revealing their own phone number.
We found bulk email senders used for illegal product marketing campaigns, phishing scams, or malware distribution, and we also saw advertisements for email flooders used to overwhelm an enemy's inbox, either to make email unusable or to hide signs of malicious activity such as login attempt alerts.
One of the email flooders went to the effort of creating what appears to be an AI-generated advertisement banner and logo for their service, the name of which we have censored to avoid promoting their services.
We have seen entire threads dedicated to services selling access to remote servers online, development services to create websites, and even graphic services that could be used to create sophisticated scams such as fake landing pages to steal the data of victim users.
Of course, while some of these services may be legitimate, many are likely fake. Because the site has been seized and reopened multiple times, the accounts here are all less than two years old.
Cybercriminal forums often operate on an escrow system, or on a trust basis where a user has a documented history of “honest” sales, whereas this new site offers little protection against fraud.
We have seen several services announcing that they accept escrow payments, which means that a verified third party holds the funds until both parties are satisfied with the payment, as is the case with this developer offering phishing pages and ready-made landing pages.
The willingness to accept escrow indicates that this user might indeed sell what they claim to be selling, although there are likely many scams involving escrow payments on this site as well.
In fact, the site has a whole thread of scams that shows a log of users reporting fraud on the site.
User uuu732 reports that his attempts to scam others online backfired when he himself became a victim of a scam on BreachForums. He paid user PennyTrate-x 300 dollars for software that would allow him to bypass malware detection software and send malware-infected PDF files to unsuspecting victims.
The seller did not deliver the goods, and when a moderator asked them for explanations, they refused to respond, which led to the deletion of their account.
Another user reported a dispute with another seller. In this case, the user spent 500 dollars trying to purchase a stolen user database from a Swiss insurance company, and an additional 1,300 dollars trying to buy a database from a Swiss retailer. They reported that they did not receive their illegal data in either of the transactions.
What do dark web criminals do with stolen user data?
Cybercriminals buy login credentials and user data to hack email and social media accounts in order to access the user's finances and steal from them, or to gain access to sensitive information that they can further exploit.
For example, a criminal from the dark web could access a user's PayPal account and attempt to make unauthorized purchases or transfer funds directly to another account, or commit identity theft by applying for loans in someone else's name using their passport data.
This information is also commonly used for blackmail and extortion, when criminals find sensitive information by accessing their victims' accounts.
How to stay safe online
As we can see, the dark web is a dangerous subsection of the internet for many reasons. Even on this site that has been seized and reopened multiple times, we find an open bazaar of criminal activities, ranging from illegal services and products to frauds committed against other users. It is crucial to take measures to protect your personal and financial information online.
Use unique and complex passwords for each account, enable two-factor authentication whenever possible, and be cautious with the information you share online. Regularly monitor your bank and credit card statements for any suspicious activity. By staying vigilant and adopting good cybersecurity practices, you can significantly reduce the risk of your personal data ending up on forums like BreachForums.