Breach Forums Is Marketing Itself as a Raid Forums Successor
Updated March 29, 2022:
This post has been updated to reflect the most current understanding of Breach Forums, its user base, and operations.
On March 16, just about three weeks after Raid Forums was seized, a threat actor named “pompompurin,” previously highly active on Raid Forums, launched an alternative illicit hacking community called Breach Forums. In the threat actor’s welcoming thread, “pompompurin” stated that they had created Breach Forums as an alternative to Raid Forums but that it was “not affiliated with RaidForums in any capacity.”
“If RaidForums does ever return in any official capacity,” pompompurin wrote, “this forum will be closed and this domain will redirect to it.”
As of this publishing, Breach Forums has more than 1,500 members, and is growing.
Heir to the Raid Forums throne?
Although Breach Forums appears to be the most likely contender for a replacement to Raid Forums, the site is still new and has a long way to go before it reaches the level of popularity once enjoyed by Raid Forums amongst threat actors. The following table contains comparisons of key site metrics between Raid Forums on February 23, 2022 (two days prior to its alleged seizure on February 25) and Breach Forums on March 25 (nine days after the site went live):
| Key Metrics | Raid Forums | Breach Forums |
|---|---|---|
| Total Number of Registered Members | 748,348 | 1,527 |
| Most Users Online at One Time | 14,763 | 1,441 |
| Users Active in the Past 60 Minutes (from the time the site was first visited) | 7,882 | 232 |
| Total Number of Threads | 121,271 | 1,189 |
| Total Number of Posts | 3,821,914 | 6,833 |
Migrating from Raid Forums to Breach Forums
Thus far, Flashpoint has observed dozens of threat actors on Breach Forums that shared identical usernames to users on Raid Forums. While the individuals behind these usernames may not be the same in every case, username reuse is a good general indicator that threat actors have likely migrated.
Pompompurin has offered to let previous Raid Forums users retain their pay-to-play ranks, which could be purchased to give an individual's account additional authority. Pompompurin posted that they will accept receipts to reinstate the status of an account.
Several factors give former Raid Forums users an incentive to migrate to Breach Forums: pompompurin's free offer to let them keep the rank they held on Raid Forums, the nearly identical appearance of the two forums, and the fact that Breach Forums is run by a reputable former Raid Forums user.
Threat actor ‘pompompurin’
The English-language threat actor pompompurin became active on Raid Forums in October 2020 and quickly gained a reputation for their high-profile database breaches, leaks, and offerings. Pompompurin became a household name within the cybercriminal underground following a November 12, 2021 cyber attack in which the threat actor compromised the FBI’s email system through a vulnerability in its website and subsequently used the access to send out thousands of hoax emails from an official FBI email address. The FBI confirmed this attack the following day.
Breach Forums gets attention on XSS and Telegram
As of March 25, Flashpoint has observed multiple references to Breach Forums outside of the Breach Forums community since the site went live on March 16, 2022. Of these references, Flashpoint identified the following as worth noting:
- Breach Forums has been mentioned a handful of times in the Telegram group chat “LAPSUS$ Chat,” owned and managed by the data breach and extortionist group “LAPSUS$.”
  - This chat group currently has over 45,000 members, the vast majority of whom are simply fans of LAPSUS$ and not actual LAPSUS$ threat actors. However, due to the high number of users and high visibility of this chat group, these Breach Forums mentions have likely brought additional traffic and members to the site.
- In a thread posted on the Russian-language hacking forum XSS on March 21, on the topic of the alleged Raid Forums seizure, a threat actor posted a link to Breach Forums and recommended it as an alternative to Raid Forums.
  - XSS is a higher-tiered forum, and the reference to Breach Forums on XSS could potentially attract higher-level threat actors to Breach Forums. Although pompompurin maintains an account on XSS, the threat actor has not yet openly advertised the forum themselves on the site.
  - Additionally, references to Breach Forums on XSS have the potential to attract to Breach Forums Russian threat actors who were banned from Raid Forums following the Russian invasion of Ukraine on February 24, and immediately prior to the shutdown of Raid Forums on February 25.
The future of Breach Forums
At this early stage in the life of Breach Forums, it has nowhere near the user base and popularity that Raid Forums once held. However, given the incentives offered to former Raid Forums users, the site’s near identical appearance and functionality to Raid Forums, and Breach Forums being owned and operated by the well-known and reputable former Raid Forums user, pompompurin, Breach Forums has the potential to become a proper replacement for Raid Forums and in time, the site could reach or exceed its predecessor as the most popular clearnet hacking forum.
Breach Forums is still small in comparison to Raid Forums, and pompompurin has not been actively shopping the site around themselves on higher-tier forums like XSS and Exploit. This may be due to pompompurin wanting to fix potential site bugs and issues before fully marketing the site. Flashpoint will continue to monitor for indications of a Breach Forums marketing campaign and indications that the site is gaining additional traction amongst higher-tier threat actors.