After Hacker Site Gets Resurrected, Cybercrime Group Denies All Involvement
Drama continues to come fast and furious in BreachForums land.
On Monday, someone claiming to be part of the extortion group ShinyHunters announced the reboot of long-running BreachForums. Also known as Breached, the English-language forum facilitates hackers’ buying and selling of hacked databases, hacking tools and general cybercrime knowledge sharing.
Despite being repeatedly disrupted by law enforcement and, occasionally, internal conflict, forums that focus on the buying, trading or selling of data dumps keep reappearing.
But an individual tied to an official ShinyHunters channel said the group has zero involvement in any BreachForums reboots. “We have nothing to do with that forum. We never brought it back up after the FBI seizure on 10 Oct 2025,” they told ISMG.*
This week’s rebooted BreachForums followed “the BreachForums infrastructure, including the complete database and source code,” being “hacked directly from its own hosting server” and offered for sale for $10,000, according to its new administrator, who goes by “X.” The new admin said that when “N/A,” the previous admin, “learned of the breach and the sale he panicked, took what he could and exited immediately with no notice to the community,” after which “the database has since spread into unknown hands.”
The panicking assertion appears to refer to a March 16 message posted to the previous version of the forum, announcing that “BreachForums is dead,” and seeking a replacement management team.
“We are now seeking a responsible individual or group willing to take over the leadership and ongoing support of the forum,” the message said.
Beyond ShinyHunters’ official denial, security researchers have also detailed inconsistencies in X’s story, suggesting it’s false, and said legitimate former BreachForums operators appear to be moving to register multiple BreachForums domains to block similar reboot claims.*
ShinyHunters said the reboot is the latest in a series of BreachForums fakes that have been launched using previously leaked data. “Other threat actors were able to restore a similar looking legitimate forum including re-importing old users including my own ShinyHunters account,” said a member of the group.*
Who’s real, fake, in charge or not remains difficult to track. Apparently as a result of last month’s breach of BreachForums, a hacker leaked on Telegram 918 databases of stolen information previously offered for sale on the forum. Many refer to household names, and contain people’s personal names, account usernames, email addresses, passwords, payment card details, job role or health information, said Milivoj Rajić, head of threat intelligence at cybersecurity firm DynaRisk.
He said the leaks include extensive data tied to historical breaches: Nvidia in 2022, Tesco in 2014, Experian and T-Mobile in 2015, Qatar National Bank in 2016 and even LinkedIn in 2012. But because many individuals never change their email address, this data can still be useful for attackers.
“These breaches were already public, but unlike dark web forums where access usually requires payment, they are now free and centralized in one place. The data includes both recent and older leaks from gaming, retail, sports sites and major companies. This centralization makes it easier for hackers to carry out large-scale attacks, including phishing, ransomware and potentially espionage, especially in the context of current geopolitical tensions,” he told me (see: Medtech Firm Stryker Disrupted by Pro-Iran Hackers).
At least two cybercrime forums bearing the banner of BreachForums have been online in recent days. They could be criminal competitors, fake reloads of the dumped databases, or law enforcement honeypots. Who can tell?
On Monday, X claimed their version is the only legitimate one, and said it’s been rebuilt from scratch after N/A allegedly fled the project, stealing $4,000. “Because the database is now in the possession of unknown people, we have made the difficult decision not to restore the original database. Instead, we have rebuilt the entire infrastructure from the ground up. It has been completely rewritten with much stronger security measures in place,” X claimed.
Law enforcement continues to disrupt and infiltrate cybercrime forums, including such marketplaces as RaidForums in 2022. That led directly to the launch of the first BreachForums as a replacement, until it too was disrupted in 2023 and its American administrator, Conor Brian Fitzpatrick, busted and later slapped with a three-year prison sentence.
Under the banner of ShinyHunters – originally the name of a completely different group of extortionists – a new BreachForums launched in 2023, followed by more law enforcement disruption and charges being filed against multiple accused operators (see: French Police Reportedly Bust Five BreachForums Administrators).
In 2025, an international law enforcement operation targeted and disrupted another such forum, called LeakBase. Last October, police disrupted another relaunched version of BreachForums.
On Jan. 9, a website with a ShinyHunters domain name published a database containing details of 323,986 registered BreachForums users. Cybersecurity firm Resecurity said it’s not clear how much of this data is legitimate, and that it’s likely “a method to plant disinformation by actors in order to mislead investigations.”
Resecurity said: “This information should not be interpreted as authentic in any way or form. With such publications, they build a ‘narrative’ to generate media interest and later use it to cause erroneous attribution or even craft a ‘story’ around their activities, often using misleading details.”
One version of BreachForums launched this week lists a number of previously announced ShinyHunters victims, ranging from Harvard University and the University of Pennsylvania to CarGurus to Panera Bread, from which the crime gang said it stole Salesforce customer data through third-party integrations (see: Harvard, UPenn Data Leaked in ShinyHunters Shakedown).
Again, ShinyHunters said it has no affiliation with the site.
The attempt to parrot the group, potentially to try and shake down these victims again, raises the question of how much money criminal operators – or copycats – might earn from offering stolen databases for sale. It’s possible attackers see more value from such sites as a way to trumpet their previous hack attacks, build their brand and attempt to pressure future victims into paying (see: Madman Theory Spurs Crazy Scattered Lapsus$ Hunters Playbook).
*Update April 5, 2026 15:23 UTC: This story has been updated with comment from ShinyHunters stating it has had no involvement in any form of BreachForums since October 2025.
