A screenshot of the law enforcement banner on the latest BreachForums site.

FBI takedown banner appears on BreachForums site as Scattered Spider promotes leak

Law enforcement agencies in the U.S. and France appear to have seized the BreachForums leak site hours before the Scattered Spider cybercriminal organization and several affiliated groups said they would leak data stolen from Salesforce. 

The cybercriminals revived the forum as part of a campaign to extort 39 high-profile customers of Salesforce, threatening to post stolen information to the platform on Friday. 

Late on Thursday, the breachforums.hn address was replaced with a banner that says “this domain has been seized” above the insignias of the FBI and Justice Department as well as France’s Brigade Centrale de Lutte Contre la Cybercriminalité and Juridiction Nationale de lutte contre la Criminalité Organisée. 

On their Telegram channel, the cybercriminals confirmed that the domain had been taken over but said they have not been arrested. For days, the group has hinted that the FBI had seized the BreachForums domains and said in a lengthy message that the bureau and other agencies had likely seized and destroyed all backend servers. 

“In the simplest terms, we very likely got hacked by the US Government, considering their splash page is up on the BreachForums onion, it's a clear sign how everything in our control that they wouldn't have been able to reach is gone,” the cybercriminals said.

“For your own safety, security, and sanity keep your opsec in check. I have no doubt the FBI and other international partners involved will be cracking down on many individuals in the next coming few weeks to months.”

The FBI and Department of Justice did not respond to requests for comment. Researchers and the group itself said the Tor-based version of the site was restored, and the Telegram post said the takedown “has no impact on our Salesforce campaigns.” They previously claimed to have stolen about 1 billion records by breaching the Salesforce databases of several large companies.

The group still plans to post stolen data on Friday night at 11:59 p.m. Eastern U.S. time. Lately the criminals have branded themselves as Scattered Lapsus$ Hunters, an amalgamation of several different allegedly English-speaking cybercriminal groups.

No payout

Salesforce told Recorded Future News this week that it would not negotiate with the hackers. Bloomberg reported on Tuesday that Salesforce sent a letter to customers saying it would not pay the ransom demanded by Scattered Spider. The cybercriminal group has not said how much it is asking for but wrote on its Telegram channel that if Salesforce paid, it would stop attempting to extort the cloud giant’s customers.  

“I can confirm Salesforce will not engage, negotiate with, or pay any extortion demand,” a Salesforce spokesperson told Recorded Future News, later reiterating previous statements that the extortion attempts are related to “past or unsubstantiated incidents.”

In the email sent to customers, Salesforce explicitly linked the extortion demands to a security incident that impacted Salesloft, a third-party application used by many of its customers. Last month, Salesloft confirmed that hackers had breached its systems and stolen data related to customer service interactions.

Google is the only company in the initial batch of 39 named by Scattered Spider to come forward and confirm that data was stolen. Several other companies listed told Recorded Future News they are in the process of investigating the claims. 

The FBI published a flash notice three weeks ago warning Salesforce customers that the campaigns began in October 2024 when members of the group gained access to organizations through social engineering attacks that involved contacting call centers and posing as IT employees.

The most recent campaign has involved members of several different allegedly English-speaking cybercriminal groups including Scattered Spider, Shiny Hunters, and Lapsus$.  

Another BreachForums takedown

The Scattered Spider cybercriminal group said this was the fourth time the FBI has taken down a BreachForums site. 

The FBI shut it down in 2023 and arrested the platform’s alleged administrator Conor Fitzpatrick at his parent’s home in New York. Last month, Fitzpatrick was given a new three-year prison sentence after a three-judge panel in January vacated a controversial district court decision that set him free after just 17 days in prison.

According to the Justice Department, BreachForums had more than 340,000 members before it was taken offline. The Justice Department said the platform facilitated access to the sensitive personal information of millions of U.S. citizens. 

Since 2023, several people have tried to revive BreachForums, only to have the FBI take the site down again.

In June, French authorities arrested several individuals suspected of running a new version of BreachForums. Another suspect, known as IntelBroker, was arrested in a prior operation. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.