Breach Forums presents itself as a successor to Raid Forums

On March 16, about three weeks after Raid Forums was seized, a threat actor named “pompompurin”, previously very active on Raid Forums, launched an alternative illicit hacking community called Breach Forums. In the threat actor’s thread, “pompompurin” said that he created Breach Forums as an alternative to Raid Forums, but was “not affiliated with RaidForums in any capacity.”

“If RaidForums ever returns in an official capacity,” pompompurin wrote, “this forum will be closed and this domain will be redirected there.”

At the time of this publication, Breach Forums has over 1,500 members and continues to grow.

Heir to the Raid Forums throne?

Although Breach Forums seems like the most likely candidate to replace Raid Forums, the site is still new and has a long way to go before it reaches the level of popularity that Raid Forums once enjoyed among threat actors. The following table compares key site metrics between Raid Forums on February 23, 2022 (two days before its alleged seizure on February 25) and Breach Forums on March 25 (nine days after the site went live):

Key indicator | Raid Forums | Breach Forums
Total number of registered members | 748,348 | 1,527
Most users online at the same time | 14,763 | 1,441
Active users in the last 60 minutes (from first site visit) | 7,882 | 232
Total number of threads | 121,271 | 1,189
Total number of posts | 3,821,914 | 6,833

Migration from Raid Forums to Breach Forums

So far, Flashpoint has observed dozens of threat actors on Breach Forums who share identical usernames with users on Raid Forums. Although the people behind these usernames may not be the same in all cases, username reuse is a good general indicator that threat actors have likely migrated.

Pompompurin offered to let former Raid Forums users keep their paid ranks, which could be purchased for additional authority on an individual’s account. Pompompurin announced that he would accept receipts to restore an account’s status.

Pompompurin’s free offer to former Raid Forums users, allowing them to retain on Breach Forums the same rank they had on Raid Forums, the nearly identical look and feel of the two forums, and the fact that Breach Forums is run by a reputable former Raid Forums user are all incentives for former Raid Forums users to migrate to Breach Forums.

Threat actor ‘pompompurin’

The English-language threat actor pompompurin became active on Raid Forums in October 2020 and quickly gained a reputation for his high-profile database breaches, leaks and offers. Pompompurin became a household name within the cybercriminal underground following a November 12, 2021 cyberattack led by pompompurin in which the threat actor compromised the FBI’s email system through a vulnerability in its website and then used the access to send thousands of prank emails from an official FBI email address. The FBI confirmed this attack the following day.

Breach Forums draws attention on XSS and Telegram

As of March 25, Flashpoint has observed several references to Breach Forums outside of the Breach Forums community since the site went live on March 16, 2022. Of these references, Flashpoint has identified the following as worth noting:

  • Breach Forums has been mentioned several times in the Telegram group chat “LAPSUS$ Chat”, owned and operated by the data breach and extortion group “LAPSUS$”.
    • This discussion group currently has over 45,000 members, the vast majority of whom are simply LAPSUS$ fans and not genuine LAPSUS$ threat actors. However, due to the high number of users and high visibility of this discussion group, these mentions of Breach Forums have likely brought additional traffic and members to the site.
  • In a thread posted on the Russian-language hacking forum XSS on March 21, about the alleged seizure of Raid Forums, a threat actor posted a link to Breach Forums and recommended it as an alternative to Raid Forums.
    • XSS is a higher-level forum, and the reference to Breach Forums on XSS could potentially attract higher-level threat actors to Breach Forums. Although pompompurin has an account on XSS, the threat actor has yet to openly advertise the forum on the site himself.
    • Additionally, references to Breach Forums on XSS also have the potential to attract to Breach Forums Russian threat actors who were banned from Raid Forums after the Russian invasion of Ukraine on February 24, just before Raid Forums closed on February 25.

Bans following the removal of Raid Forums: AgainstTheWest

During the disappearance of Raid Forums owner “Omnipotent”, from January 31 to February 25, scammers and groups offering fake data apparently had free rein on Raid Forums. One of the most notable groups in this category, called “AgainstTheWest”, has been involved in publishing high-profile leaks of alleged government and corporate data linked to China, Iran, North Korea and Russia. However, after reviewing these alleged leaks, Flashpoint analysts found that they consisted of publicly available information that the group had simply aggregated and consolidated into an alleged leak offering.

Shortly after the closure of Raid Forums and the emergence of Breach Forums, AgainstTheWest migrated to Breach Forums on March 18th. Shortly after the group joined the forum, pompompurin permanently banned it. While no clear reason for the ban was provided, Flashpoint assesses with moderate confidence that the group’s involvement in falsified leaks likely led to its ban from Breach Forums by pompompurin.

Screenshot of AgainstTheWest’s banned profile on Breach Forums.

AgainstTheWest’s ban from Breach Forums is a good sign for the future of the forum and indicates that pompompurin is trying to legitimize the forum by removing users and groups involved in false or illegitimate postings.

The Future of Breach Forums

At this early stage in its life, Breach Forums has nowhere near the user base and popularity that Raid Forums once held. However, given the incentives offered to former Raid Forums users, the nearly identical look and functionality of the site to Raid Forums, and the fact that Breach Forums is owned and operated by a well-known and reputable former Raid Forums user, pompompurin, Breach Forums has the potential to become a suitable replacement for Raid Forums, and over time the site could meet or surpass its predecessor as the most popular clearnet hacking forum.

Pompompurin’s banning of non-credible threat groups like AgainstTheWest could make room for more credible threat actors.

Breach Forums is still small compared to Raid Forums, and pompompurin has not actively shopped the site around on higher-level forums like XSS and Exploit either. This may be because pompompurin wants to fix potential site bugs and issues before fully releasing the site. Flashpoint will continue to monitor for indications of a Breach Forums marketing campaign and for indications that the site is gaining popularity among higher-level threat actors.

Harry L. Blanchard