BreachForums Displays Message About Shutdown, Cites MyBB 0day Flaw

BreachForums posts a PGP-signed message explaining the sudden April 2025 shutdown. Admins cite MyBB 0day vulnerability impacting the site, plan return, deny seizure, and warn of clones.
In early April 2025, the well-known cybercrime and data breach forum BreachForums disappeared from the internet without explanation. The forum, administered and owned by the hacker group ShinyHunters, went offline without any farewell note or clarification, triggering widespread speculation about a possible law enforcement seizure.
Despite these concerns, DNS records for BreachForums remained unchanged, showing the original nameservers at DDoS-Guard, not the typical Cloudflare nameservers seen when the FBI seizes criminal infrastructure. This consistency hinted that the site had not fallen into the hands of authorities but left many questions unanswered.
BreachForums.st DNS Records:
185.129.101.200
185.129.103.200
ns1.ddos-guard.net
ns2.ddos-guard.net

Typical FBI Seizure DNS Records:
plato.ns.cloudflare.com
jocelyn.ns.cloudflare.com
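The nameserver comparison described above, written out as an added example (not code from HackRead or from anyone named in the article). The `forum.example` domain, TTLs and the sample lookup output are constructed; only the nameserver names come from the article.

```python
# Added example: compare a domain's NS set with a baseline and with the
# nameserver pair the article cites as typical of FBI-seized domains.
SEIZURE_NS = {"plato.ns.cloudflare.com", "jocelyn.ns.cloudflare.com"}

# Constructed `dig +noall +answer NS` style output (domain and TTLs are made up).
BASELINE_DIG = """\
; constructed sample, baseline snapshot
forum.example.  3600  IN  NS  ns1.ddos-guard.net.
forum.example.  3600  IN  NS  ns2.ddos-guard.net.
"""
SEIZED_DIG = """\
forum.example.  300  IN  A   192.0.2.10
forum.example.  300  IN  NS  PLATO.ns.cloudflare.com.
forum.example.  300  IN  NS  jocelyn.ns.cloudflare.com.
"""

def parse_ns(dig_answer):
    """Return the set of NS targets, lowercased and without the trailing dot."""
    names = set()
    for line in dig_answer.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, then tokenize
        # Expected layout: owner TTL class type rdata
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            names.add(fields[4].rstrip(".").lower())
    return names

def classify(baseline, current):
    """Label the current NS set relative to the baseline and the seizure pair."""
    if not current:
        return "no-ns-data"  # failed lookup or dropped delegation: no conclusion
    if current == SEIZURE_NS:
        return "matches-seizure-pattern"
    if current & SEIZURE_NS:
        return "partial-seizure-overlap"  # mid-propagation or mixed delegation
    if current == baseline:
        return "unchanged"
    return "changed-other"

if __name__ == "__main__":
    base = parse_ns(BASELINE_DIG)
    for label, text in (("baseline", BASELINE_DIG), ("later", SEIZED_DIG)):
        print(label, sorted(parse_ns(text)), classify(base, parse_ns(text)))
```

The result is a heuristic, in line with the article's "hinted": nameserver data alone does not establish who controls a domain.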
Earlier today (April 28, 2025), visitors to Breachforums.st have been met with a new development: a detailed message posted on the homepage, allegedly from the forum’s administration, signed with a PGP key.
According to the statement, the administrators shut down operations after confirming the existence of a MyBB 0day vulnerability that left the forum exposed to infiltration attempts by law enforcement agencies.
It is worth noting that in June 2023, when BreachForums was revived under ShinyHunters’ control, it suffered a data breach. The forum administrator attributed the incident to a MyBB 0day vulnerability, which led to the leak of personal details belonging to over 4,000 members.
However, in the latest update, the administrators claimed they acted quickly once they received credible information about the security risk through trusted contacts. They initiated an incident response protocol, shut down infrastructure, and conducted an audit of their systems.
Their findings suggested that although the forum software was vulnerable, the infrastructure had not been compromised and no data had been stolen. The statement also apologized to staff and users for the extended silence, citing operational security as the top priority during the crisis. BreachForums announced that work is underway on a complete rewrite of the forum backend to prevent future vulnerabilities.
Additionally, the message warned users against engaging with various BreachForums clones that have surfaced online, suggesting that these are likely law enforcement honeypots designed to lure and identify cyber criminals. The administrators emphasized that no arrests had taken place and that the original team remained intact.
But Some Questions Remain Unanswered
What the message does not explain is why ShinyHunters deleted their Telegram account. BreachForums had a large and active community on Telegram. What happened to that account, and why were no updates provided on Telegram before taking down the forum?
The sudden disappearance and equally sudden reappearance of BreachForums have raised further concerns within cybercrime circles. While the operators insist the platform remained secure, the revelation of a zero-day vulnerability in the forum software raises new questions about the operational risks associated with underground forums.
ShinyHunters, the hacker group tied to the forum’s ownership, has been linked to several high-profile data breaches over the past few years, which places BreachForums under constant scrutiny by law enforcement agencies worldwide.
The situation is likely to develop as cybersecurity researchers, law enforcement, and threat actors react to the forum’s unexpected return. Until then, BreachForums’ future remains uncertain.
HackRead