Exploring the Infamous Dark Web Cybercrime Forum within the Cryptocurrency Community

We successfully gained entry to BreachForums, a private online community thriving with cybercriminal activity, to explore the range of products and services available on the digital black market within the dark web.

Here’s a summary of our findings.

This article is intended for educational purposes and does not promote the use of the dark web.

What is the dark web?

To provide some context, the dark web refers to a concealed section of the internet requiring specific browsing software like Tor for access, prioritizing user anonymity.

This hidden web hosts both legitimate uses, such as privacy-focused browsing, and illegal activities, including the trade of stolen data, drugs, weapons, and other illicit goods.

Within the dark web, cybercrime forums serve as platforms for hackers, fraudsters, and other criminals to share resources, tools, and services, frequently utilizing cryptocurrencies for discreet transactions.

What is BreachForums?

Initially launched as RaidForums in 2015 by Portuguese hacker Diogo Santos Coelho, RaidForums began as a community aimed at ‘raiding’ websites and creating online disruptions.

Over time, as users began breaching various social media sites and amassing millions of user credentials, they switched to selling this information to the highest bidders. Consequently, RaidForums transformed into a highly organized and sophisticated hub for criminal activity within the dark web.

When Binance faced a breach in February 2024, BreachForums was the first place where user KYC details appeared for purchase, a trend mirrored by leaked Bitcoin ATM codes from El Salvador that surfaced on BreachForums shortly thereafter.

The forum became a hotspot for cybercriminals eager to buy sensitive information sourced from corporate data breaches and governmental leaks, leading to focused initiatives by international law enforcement.

In 2022, a joint operation by Europol and U.S. intelligence led to the seizure of the site and the identification and arrest of founder Diogo Santos Coelho, who is currently in UK custody pending extradition to the United States to face cybercrime charges.

FBI banner displayed on BreachForums after its 2022 seizure

Shortly after, RaidForums was rebranded as BreachForums by a user nicknamed PomPomPurin, who was arrested by the FBI in 2023, after which another user named Baphomet took control. The FBI seized BreachForums in May 2024, but cloned versions have since re-emerged.

Despite robust activity on the site, there is speculation among users that it might be a ‘honeypot’ set up by the FBI to monitor cybercriminals and collect evidence for prosecution.

What we found on the dark web crime hub BreachForums

While such violent offers are likely scams rather than genuine services, the illegal activities didn’t end there. The site’s chatbox displayed real-time discussions among users, showcasing the active marketplace which buzzed with offers of illegal products including stolen data, bank fraud tutorials, credit card fraud techniques, IP tracking services, and much more.

Interestingly, a thread dedicated to Anime and Manga appreciation was also present, as even those engaged in cybercrime have their interests.

Anime discussion thread | source: BreachForums

All posts mentioned in this article were created within hours of our initial visit, highlighting the vigorous activity of a community that remains significantly engaged, albeit likely under intense scrutiny from law enforcement.

The imagery above illustrates users selling access to various online streaming platforms like Paramount Plus and Netflix, alongside compromised OnlyFans accounts.

In the leaked data subforum, numerous posts showed users selling data leaks, including bundles of email login information for C-Suite executives from different organizations, as well as identification documents from countries like UAE, India, Qatar, and Saudi Arabia, alongside files and images exfiltrated from emails associated with the Saudi military.

This military document leak appeared authentic based on our initial examination, though it dates back to 2016, indicating that the user is trying to pass off outdated information as recent, an example of the scams that are prevalent even among cybercriminals.

One user asserted they had unique access to a breach involving Australian health insurer Medibank, which indeed suffered a cyber attack in 2022 by Russian criminals, compromising the personal data of approximately 9.7 million Australians.

Database leaks subforum | source: BreachForums

Unlike the notorious hitman-for-hire advertisements typically associated with the dark web, these document and identity leaks are disturbingly plausible given that BreachForums primarily caters to the sale of stolen data, a thriving business for years.

However, considering the repeated site seizures and arrests, it’s plausible that many posts could also function as traps set by agencies like the FBI to apprehend cybercriminals.

Services found on BreachForums

In addition to stolen data, opportunistic cybercriminals also market various services for hire on the dark web, predominantly accepting cryptocurrency as payment.

Upon entering BreachForums, users could quickly locate services claiming to offer DDoS attacks, where criminals employ a botnet to overwhelm a website, aiming to extort payment from victims or target competing businesses.

Services subforum | source: BreachForums

One group of cybercriminal developers boasted about HVNC or Hidden Virtual Network Computing services, which can facilitate remote access to a victim’s machine.

Notably, the advertisement resembled a typical legal online service, providing a comprehensive list of features and pricing options, along with customer support in both Russian and English.

Services subforum | source: BreachForums

Other services included those providing phone numbers enabling criminals to receive login codes for online accounts without exposing their actual phone number or identity.

We encountered tools for bulk email sending, used for illegal mass-marketing, phishing attempts, or malware distribution, alongside advertisements for email flooders designed to congest targets’ email inboxes, making them unusable or obscuring signs of malicious activity such as unauthorized login alerts.

One email flooder even showcased an AI-generated promotional banner and logo for its service, the name of which we intentionally censored to prevent endorsing their offerings.

AI-generated advertisement for dark web email flooder | Source: BreachForums

We noted threads dedicated to services selling access to remote online servers, programming services for web development, and even graphic design services, all potentially used for orchestrating sophisticated scams, including fraudulent landing pages to pilfer victims’ data.

While some of these services may appear legitimate, many are likely fraudulent, especially considering that the accounts on the site, due to numerous seizures and reopenings, are mostly less than two years old.

Cybercrime forums frequently utilize an escrow system or rely on reputation where users have established records of ‘honest’ sales. However, this newer website appears to have minimal protective measures against scams.

Several services indicated acceptance of escrow payments, wherein a trusted third party would hold funds until both parties verify satisfaction with the transaction, such as one developer offering pre-made phishing websites and landing pages.

Services subforum | source: BreachForums

The acceptance of escrow might suggest that the seller is offering legitimate products; however, numerous scams likely exist even within escrow transactions on the platform.

In fact, a dedicated scam thread exists where users log incidents of scams encountered on the site.

User uuu732 shared that their attempted scams backfired when they fell victim to a scam on BreachForums. They paid the user PennyTrate-x $300 for software intended to circumvent malware detection, which would facilitate the sending of malicious PDFs to unsuspecting individuals.

Scam Reports subforum | source: crypto.news

The seller failed to deliver the software, and upon moderator inquiry for an explanation, they chose not to respond, resulting in their account being banned.

Another user reported a conflict with a different seller, having spent $500 attempting to acquire a database of user credentials from a Swiss insurance firm, along with $1,300 for a database from a Swiss retailer, ultimately receiving nothing in both transactions.

What do dark web criminals do with stolen user data?

Cybercriminals purchase login and user data with the aim of hacking email and social media accounts, either to access victims’ finances for theft or to gather sensitive information for further exploitation.

For instance, a dark net criminal could infiltrate a user’s PayPal account to make unauthorized purchases or transfer funds to another account, or engage in identity theft by applying for loans under someone else’s name using stolen passport data. This information is also frequently utilized for extortion and blackmail when criminals uncover sensitive data by breaching their victims’ accounts.

How to stay safe online

As demonstrated, the dark web is a perilous segment of the internet for various reasons. Even on a site that has been seized and reopened numerous times, we discover a vibrant marketplace for criminal activities ranging from illicit services and products to scams targeting other forum members.

For safety on the clearnet, users should implement two-factor authentication on devices and online accounts, which requires a second device, such as a phone, to access an account, significantly hindering hacking and phishing attempts. Additionally, verifying URLs is crucial to avoid falling victim to fraudulent sites.

Those exploring the dark web, even from a place of curiosity, will likely encounter seasoned scammers and hackers looking for vulnerabilities to exploit. Visitors should refrain from clicking on unknown links or downloading files, and, it goes without saying, making any purchase carries significant risks from both legal and illegal entities.

Ultimately, the best way to ensure safety from the dark web is not to visit at all! Allow us to navigate that space for you. We intend to regularly explore different areas of the dark web and provide updates on our findings, keeping you informed about the darker side of the global internet.

How to get to the dark web on a Chromebook?

This is a frequently asked question, and the answer can be quite intricate. First and foremost, we strongly advise against accessing the dark web! While it can be intriguing from a journalistic standpoint, it’s filled with scammers and other dangerous criminals. Generally, to access the dark web on a Chromebook, individuals install Linux using the Crostini app and then add the Tor browser repository for access to Tor’s hidden services, also known as the dark web. However, we reiterate, this is not recommended unless for research or journalistic purposes.

Why is the dark web so creepy?

The dark web has garnered a ‘creepy’ reputation partly because of the widespread popularity of YouTube videos where individuals claim to unveil ‘mystery boxes’ sourced from the dark web, alongside a plethora of short stories and ‘creepypastas’ that contribute to this perception.
