On June 25, 2025, French authorities announced that four members of the ShinyHunters (also known as ShinyCorp) cybercriminal group were arrested in multiple French regions for cybercrime activities and involvement in the English-language underground forum known as BreachForums. The coordinated global law enforcement effort targeting the ‘ShinyHunters’, ‘Hollow’, ‘Noct’, and ‘Depressed’ personas followed the February arrest of Kai West (also known as ‘IntelBroker’), who previously administered BreachForums.
The ShinyHunters threat group has been active since 2020 and has compromised organizations in industries such as telecommunications, e-commerce, technology, and retail. The group is known for selling stolen data exclusively on RaidForums and BreachForums. The ShinyHunters persona was a key participant in these forums as a contributor and administrator.
Since its original creation as RaidForums in 2015, BreachForums had been taken down numerous times and had been administered by multiple personas. Table 1 lists a timeline of notable events in the forum’s history.
Date | Event | Detail |
March 19, 2015 | RaidForums launch | Diogo Santos Coelho (also known as ‘Omnipotent’) founded RaidForums. It became one of the largest data leak forums, peaking at over 530,000 users. |
January 31, 2022 | Arrest | Coelho was arrested in the UK at the request of U.S. authorities. |
February 25, 2022 | Forum offline | RaidForums became inaccessible, and a suspected credential-harvesting clone appeared. |
March 4, 2022 | BreachForums (v1) launch | Conor Fitzpatrick (also known as ‘Pompompurin’) launched BreachForums as a successor to RaidForums. |
April 12, 2022 | Domain seizures | U.S. authorities announced the seizure of RaidForums domains as part of Operation TOURNIQUET. |
March 15, 2023 | Arrest | Fitzpatrick was arrested in Peekskill, New York. |
March 21, 2023 | Forum offline | An administrator known as ‘Baphomet’ shut down the forum, citing concerns about law enforcement actions. |
June 12, 2023 | BreachForums (v2) launch | The ShinyHunters persona and Baphomet relaunched BreachForums (breachforums . vc). |
June 18, 2023 | Forum compromise | BreachForums was compromised by ‘OnniForums’, and data of approximately 4,000 members was leaked. |
May 15, 2024 | Domain seizures | U.S. authorities seized multiple BreachForums domains. |
May 29, 2024 | BreachForums (v3) launch | BreachForums resurfaced (breachforums . st). Users suspected that it was a honeypot, but it was eventually deemed legitimate. |
June 14, 2024 | Leadership change | ShinyHunters retired, and ‘Anastasia’ assumed ownership. |
August 1, 2024 | Leadership change | IntelBroker assumed control. |
January 1, 2025 | Leadership change | IntelBroker resigned as owner, and Anastasia continued as the forum administrator. |
February 2025 | Arrest | International law enforcement arrested Kai West (IntelBroker) in France. |
April 28, 2025 | Forum offline | Despite numerous claims and rumors, it is unclear if the forum administrators, another threat group, or law enforcement was responsible for the disappearance. |
June 4, 2025 | BreachForums (v4) launch | ShinyHunters relaunched the forum (breach-forums . st). |
June 9, 2025 | Forum for sale | ShinyHunters announced the forum was for sale. |
June 22, 2025 | Arrests | French authorities arrested members of the ShinyHunters threat group during a coordinated law enforcement operation. |
June 25, 2025 | Federal charges | U.S. authorities unsealed an indictment charging Kai West (IntelBroker) with multiple cybercrimes. |
Table 1: Timeline of major BreachForums events.
The ShinyHunters persona partnered with Baphomet to relaunch the second instance of BreachForums (v2) in June 2023 and later launched the June 2025 instance (v4) alone. The interim version (v3) abruptly disappeared in April 2025, and the cause is unclear. ‘Dark Storm Team’ claimed that it took the forum down via a distributed denial of service (DDoS) attack (see Figure 1). Other personas reported that the Qilin ransomware operators caused the outage in retaliation for their ban from BreachForums. Rumors also circulated that law enforcement was responsible.
Figure 1: Dark Storm claiming responsibility for the BreachForums takedown. (Source: X)
On June 4, Counter Threat Unit™ (CTU) researchers identified the relaunch of BreachForums (v4) under the administration of the ShinyHunters persona. One of the first posts was purportedly by IntelBroker, a prominent BreachForums contributor who took control of BreachForums (v3) in 2024. The persona maintained a reputation for selling access to database dumps and compromised systems and was connected to cybercrime groups CNZ (redacted) and GOLD PUMPKIN (also known as HELLCAT). In January 2025, they stepped down as BreachForums’ owner (see Figure 2), and rumors of their arrest circulated. These rumors were confirmed on June 25, when the U.S. Department of Justice (DOJ) announced the unsealing of an indictment against Kai West, who operated under the IntelBroker alias. West was arrested in February, so the June BreachForums post was submitted by someone impersonating the persona.
Figure 2: IntelBroker announcing resignation as BreachForums owner. (Source: X)
The BreachForums (v4) relaunch was short-lived. On June 9, the bulletin board displayed a notice that it was closed and that the forum was for sale for $2,500 USD (see Figure 3). The message explicitly warned scammers to “stay away”. The ShinyHunters members were arrested two weeks later.
Figure 3: ShinyHunters advertising BreachForums for sale. (Source: BreachForums)
As of this publication, BreachForums remains offline. The forum’s future is unclear, but the pattern of relaunches may continue.
These arrests reflect increasing law enforcement pressure on cybercriminal infrastructure and operations. In the U.S. Department of Justice announcement about the arrest and indictment of Kai West, FBI Assistant Director in Charge Christopher G. Raia stated that the arrests “should serve as a warning to anyone thinking they can hide behind a keyboard and commit cybercrime with impunity; the FBI will find and hold you accountable no matter where you are.” CTU™ researchers continue to monitor law enforcement actions and their impact on the cybercrime landscape.