Imagine a notorious hacking forum, a hub for cybercriminals, suddenly having its own secrets exposed. That's exactly what happened when the latest version of BreachForums, a platform infamous for trading stolen data and illicit services, suffered a major data breach, leaking over 324,000 user accounts. But here's where it gets even more intriguing: this isn't the first time BreachForums has been compromised, and some suspect it might now be a honeypot designed to trap cybercriminals.
BreachForums is the latest iteration of a series of hacking forums that emerged after its predecessor, RaidForums, was shut down by law enforcement and its owner arrested. These forums are notorious for facilitating the sale and trade of stolen data, access to corporate networks, and other illegal cybercrime services. Despite facing multiple takedowns and data breaches in the past, BreachForums has persistently resurfaced under new domains, raising questions about its true purpose.
Yesterday, a website named after the ShinyHunters extortion gang released a 7-Zip archive titled breachedforum.7z. This archive contained three files: shinyhunte.rs-the-story-of-james.txt, databoose.sql, and breachedforum-pgp-key.txt.asc. Interestingly, a representative of the ShinyHunters gang denied any involvement with the site distributing this archive, adding another layer of mystery to the situation.
The breachedforum-pgp-key.txt.asc file is a PGP private key created in July 2023, used by BreachForums administrators to sign official messages. While the key has been leaked, it remains passphrase-protected, rendering it useless without the password. The databoose.sql file, however, is far more concerning. It contains a MyBB users database table with 323,988 member records, including display names, registration dates, IP addresses, and other sensitive information.
Here’s the part most people miss: while the majority of IP addresses in the database map to a local loopback address (127.0.0.9), over 70,000 records contain public IP addresses. These public IPs could pose a significant operational security (OPSEC) risk for the individuals involved and provide valuable leads for law enforcement and cybersecurity researchers.
The leaked database also reveals that the last registration date was August 11, 2025—the same day the previous BreachForums domain (breachforums[.]hn) was shut down following the arrest of its alleged operators. On that day, a member of the ShinyHunters gang posted a message on Telegram, claiming the forum was a law enforcement honeypot. BreachForums administrators swiftly denied these allegations, but the controversy persists.
The breachforums[.]hn domain was later seized by law enforcement in October 2025 after being repurposed to extort companies affected by the widespread Salesforce data theft attacks carried out by the ShinyHunters group.
The current BreachForums administrator, known only as "N/A," has acknowledged the breach, explaining that a backup of the MyBB user database was temporarily exposed in an unsecured folder and downloaded once. "This is not a recent incident," N/A clarified, attributing the leak to an old users-table breach from August 2025 during the forum's restoration from the .hn domain. While the administrator advised members to use disposable email addresses and downplayed the significance of the leaked IP addresses, the database still contains information that could be of interest to law enforcement.
But here’s the controversial question: Is BreachForums truly a haven for cybercriminals, or has it become a sophisticated trap set by law enforcement? The persistent resurfacing of the forum, coupled with its repeated breaches, has led many to speculate about its true nature.