The relaunch of BreachForums
Summary

In the years following the decline of large darknet marketplaces, cybercrime did not disappear. It reorganized. Instead of Tor-only drug markets, a new kind of platform rose to prominence, more public, more audacious, and deeply embedded in the modern data-breach economy. That platform was BreachForums.

Operating in plain sight on the surface web and intermittently on Tor, BreachForums became the central trading floor for stolen databases, breached credentials, ransomware leaks, and hacking services. Its takedown in 2023 marked one of the most visible blows against the contemporary cybercrime ecosystem. Its subsequent re-emergence showed just how resilient and decentralized that ecosystem has become.

From RaidForums to BreachForums

BreachForums was the direct successor to RaidForums, a popular hacking forum seized by U.S. authorities in 2022. RaidForums had long served as a hub for database leaks and credential trading, but its closure left a gap that was quickly filled.

BreachForums launched shortly thereafter, positioning itself as both a continuation and an upgrade. It adopted a cleaner interface, more aggressive moderation, and a reputation-driven economy that rewarded high-profile leaks.

This was not a hidden criminal bazaar. It was a showcase.

A marketplace built on reputation

Unlike darknet markets that relied on anonymity alone, BreachForums thrived on status. Users built credibility by releasing high-impact datasets, sometimes for free, sometimes for sale. Reputation points became a form of currency, signalling trustworthiness and technical skill.

The forum specialised in:

High-profile threat actors used BreachForums to amplify their exploits. Posting a breach on the forum was not just about profit. It was about visibility and influence.

The administrator known as "pompompurin"

At the centre of BreachForums was its administrator, operating under the alias “Pompompurin.” Online, the persona was brash and confident, openly mocking law enforcement and boasting about the forum’s reach.

Behind the handle was Conor Brian Fitzpatrick, a young American living with his parents in New York. Unlike the elusive operators of darknet markets, Fitzpatrick ran BreachForums with striking visibility. He interacted with users publicly, managed disputes, and promoted the platform openly on social media. This confidence proved to be a liability.

The Achilles' heels of cybercrime

BreachForums was brought down following a familiar pattern seen across cybercrime history: basic operational security failures.

Investigators later revealed that Fitzpatrick had used personal email addresses connected to administrative activity, logged into BreachForums accounts from identifiable locations, and left payment and hosting traces that linked online personas to his real identity.

The forum’s partial reliance on surface web infrastructure further simplified surveillance. While Tor was used intermittently, much of BreachForums’ activity occurred on clearnet domains, making traffic analysis and legal takedowns easier.

The arrest and seizure

In March 2023, the FBI arrested Fitzpatrick and seized BreachForums’ infrastructure. The site went offline abruptly. Law enforcement banners replaced its homepage, signalling yet another high-profile cybercrime takedown.

Court documents alleged that BreachForums facilitated the sale of stolen data belonging to millions of individuals and thousands of organisations. Fitzpatrick later pleaded guilty to charges related to access device fraud and possession of child sexual abuse material, although the forum itself was the focus of the cybercrime investigation.

It appeared that BreachForums had met the same fate as RaidForums.

The return

That moment did not last.

By mid-2024, new versions of BreachForums appeared under different administrators. Using mirrored infrastructure, recycled branding, and reconstituted user bases, the forum returned with familiar functions and familiar risks.

This time, however, trust was thinner. Users questioned whether the new operators were legitimate, compromised, or acting as honeypots. The once-central role of BreachForums fractured as splinter communities formed across Telegram, Discord, and invite-only forums.

The brand survived. The monopoly did not.

A shift in cybercrime culture

BreachForums represented a shift in cybercrime culture. It demonstrated that:

Unlike drug markets or laundering platforms, BreachForums traded in information, making it deeply intertwined with ransomware operations, access brokers, and fraud rings. It was a public square for digital crime.

Lessons learnt

BreachForums did not disappear. It mutated. Its takedown weakened trust, scattered users, and pushed some activity into more private channels. Yet its influence persists in how modern breaches are marketed, verified, and monetised.

BreachForums rose by embracing visibility. It fell because visibility cuts both ways.
