Hidden Threats in Underground Business Forums – How BreachForums Operates on the Dark Web
Western cybersecurity experts regularly monitor activity on underground trading forums to understand how cybercriminals operate and what products and services they offer in their underground economy. Dark web forums like BreachForums are among the largest hubs of organized criminal activity. Below is a detailed analysis of what happens inside this dark ecosystem.
This article is educational and does not encourage darknet usage.
From RaidForums to BreachForums – the birth of an underground platform
Before BreachForums became the most famous cybercrime forum on the dark web, it operated under an earlier name – RaidForums. The platform was founded in 2015 by Portuguese hacker Diogo Santos Coelho. Initially, it functioned as a community focused on “attacking” websites as a joke and trolling. However, once its members engaged in mass data theft from social media platforms and corporate sites, RaidForums quickly transformed into one of the most profitable hubs of illegal business.
The history of BreachForums is a chain of takeovers, arrests, and revivals. In 2022, Europol and US intelligence agencies jointly seized the platform and arrested Diogo Santos Coelho, who is currently in a UK jail awaiting extradition. The site was then restored by a user with the pseudonym PomPomPurin, who was also arrested by the FBI in 2023. In fact, BreachForums is known for repeatedly resuming activity under new operators – the latest takeover by the FBI occurred in May 2024.
Despite repeated law enforcement interventions, the forum remains actively operational. Cybersecurity experts speculate, however, that the current version may be a monitored “trap” set by the FBI to track criminals and gather evidence.
The criminal ecosystem – what does BreachForums really offer
Immediately upon entering BreachForums, open invitations to illegal activities are visible. Unlike other cyber forums that pretend to be communities of security enthusiasts, BreachForums never hides its true nature. On the homepage, one can find post after post offering forbidden services – from hiring MS13 gangs for $10,000 (more of a scam than an authentic offer), to selling data leaks.
The forum chat displays users discussing in real-time the sale of user data stolen from streaming services like Netflix, Paramount Plus, OnlyFans, or stolen login credentials for corporate email accounts. Activity on the forum is intense – all posts shown in the study appeared within a few hours, indicating a vibrant underground community.
One of the largest subforums is dedicated solely to data leaks. Users sell email login sets for high-level company executives and identity documents from the UAE, India, Qatar, or Saudi Arabia. Leaks from Australian health insurer Medibank, which was indeed hacked by Russian cybercriminals in 2022, are particularly popular – at that time, personal data of 9.7 million Australians was stolen. Many of these offers, however, are from old leaks (e.g., from 2016), which sellers reintroduce as “fresh” – another example of scams even among criminals.
Service catalog – a professional illegal business
Dark web forums like BreachForums offer a catalog of services much like one found in a legal marketplace – except that all of them are illegal. Criminals are hired to perform DDoS attacks, where botnets flood a website to demand ransom or sabotage competitors.
Another popular service is remote access to the victim’s computer (HVC – Hidden Virtual Computer), allowing hackers full control over the device. An interesting discovery was that cybercriminal groups advertise these services just like legitimate companies – with detailed descriptions of features, prices, and customer support in Russian and English.
The forum also includes mass email services for phishing campaigns, “flooders” to clog victims’ inboxes, and entire catalogs of programming services to create fake landing pages for data theft. Instead of traditional bank transfers, all transactions are conducted via cryptocurrencies, ensuring anonymity.
However, due to multiple seizures of the forum, most accounts are less than 2 years old, which results in a lack of seller reputation and many scams. Some sellers do offer “escrow” services – where a trusted third party holds funds until both sides are satisfied. This is a better indicator that the seller actually has what they claim.
Internal scams – when criminals cheat each other
An interesting aspect of this underground trading forum is a thread dedicated to reporting scams. The forum documents cases where users like uuu732 reported being scammed by sellers such as PennyTrate-x. They paid $300 for software to bypass malware detectors, but the seller never delivered the product. When a moderator intervened, the seller refused to respond, and their account was blocked.
Another case involved a user who spent $500 trying to buy a stolen database from a Swiss insurance company, and an additional $1,300 on a Swiss retailer’s database – neither of which was ever delivered. These cases show that even in a lawless underground environment, scams are common, and moderators struggle to enforce regulations.
Consequences – how criminals use stolen data
Data exchange on dark web forums has concrete and dangerous consequences for victims. When criminals buy login credentials and passwords for email accounts, they use them to hack into PayPal, bank accounts, social media profiles, or e-commerce sites to make unauthorized transfers or purchases.
Personal data is also used for identity theft – criminals apply for loans in someone else’s name using stolen passport documents. In many cases, data is used for blackmail – when a hacker gains access to sensitive information on a victim’s account, they threaten to publish it.
Defense – how to protect yourself from online threats
While dark web forums pose real threats, specific steps can be taken to protect yourself. First and foremost – do not visit the darknet at all. This is the most effective defense.
For regular internet users, basic protection includes enabling two-factor authentication (2FA) on all accounts – meaning you’ll need a second device, like your phone, to log in. Carefully check URLs before clicking – scammers often create sites nearly identical to legitimate ones. Never download files from untrusted sources and never click suspicious links.
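The URL check recommended above can be partly automated. The following is an added example, not part of the original article: a heuristic that flags hostnames imitating a site you trust. The trusted list, the function names and the sample links are constructed for illustration, and using the second-to-last hostname label as the site name is a simplification.

```python
from urllib.parse import urlsplit

# Constructed allowlist: sites this user really has accounts on.
TRUSTED = ("haveibeenpwned.com", "netflix.com", "paypal.com")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, keeping only the previous row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url: str) -> str:
    """Classify a link as 'trusted', 'unknown' or 'suspicious: <reason>'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious: no hostname"
    if "@" in parts.netloc:
        return "suspicious: text before '@' is not the host"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "suspicious: punycode label, may render as look-alike letters"
    if any(host == good or host.endswith("." + good) for good in TRUSTED):
        return "trusted"
    # Simplification: treat the second-to-last label as the site name
    # (a real tool would consult the Public Suffix List).
    site = labels[-2] if len(labels) >= 2 else labels[0]
    for good in TRUSTED:
        brand = good.split(".")[0]
        if brand in host:
            return f"suspicious: '{brand}' used outside {good}"
        if 1 <= edit_distance(site, brand) <= 2:
            return f"suspicious: '{site}' is a near-miss of '{brand}'"
    return "unknown"

# Constructed sample links using reserved .example names, not real sites.
SAMPLES = ["https://www.paypal.com/signin", "https://paypa1.example/signin",
           "https://paypal.com.account-verify.example/login",
           "https://paypal.com@login.example/", "https://news.example.org/"]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link:50} {check_url(link)}")
```

A result of "unknown" only means the link does not resemble anything on the list; it is not a statement that the site is safe.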
If you want to check whether your email appears on the dark web, you can use the “Have I Been Pwned” tool available on the regular internet – no need to access the darknet. If you find your email on such a forum, change your password immediately, enable 2FA, and consider changing your entire email address if you notice suspicious activity.
Frequently asked questions about the dark web and security
Can I access the dark web on a Chromebook?
Technically yes – by installing Linux via Crostini and adding the Tor browser repository. However, we strongly advise against doing this unless you are conducting journalistic or academic research. The risk of encountering scammers and criminals far outweighs the benefits.
Why does the dark web have a “scary” reputation?
Many popular YouTube videos show creators opening “mysterious packages” from the darknet, and the internet is full of horror stories inspired by this theme. In reality, most of these are staged performances. The dark web is less “scary” and more business-oriented – people access it to share information without censorship (like whistleblowers) or simply to commit cybercrimes.
What should I do if my email appears on the dark web?
Change your password immediately, enable two-factor authentication, and carefully monitor your activity. If you see suspicious logins (such as emails requesting confirmation), consider changing your email address entirely.
Cybersecurity experts monitor dark web activity to inform users of real threats. Knowing how criminals operate is the first line of defense in protecting yourself against them.