BreachForums.bf Returns Online Amid Ongoing Rivalry and Security Allegations

February 9, 2026

Overview

Monitoring of underground cybercrime forums indicates breachforums.bf has resumed accessibility following prior disruption and domain redirection activity. The restoration follows the disappearance of breachforums.jp and occurs alongside continued activity from alternative platform breachforums.cz, where competing threat actors continue to dispute legitimacy and security posture.

Timeline Of BreachForums Domain Evolution

  • 2022: BreachForums launched
  • 2023: Founder arrest triggers ownership transition
  • 2024–2025: Repeated outages and infrastructure disruptions
  • Early 2026: breachforums.bf experiences accessibility disruption
  • 2026: breachforums.jp observed as temporary replacement or redirect destination
  • 2026: breachforums.cz launched claiming alternative leadership
  • 2026: breachforums.jp becomes inaccessible
  • 2026: breachforums.bf accessibility restored

Domain Transition And Forum Fragmentation

The breachforums.bf domain previously experienced accessibility disruptions and was observed redirecting users to breachforums.jp. However, current monitoring indicates that breachforums.jp is no longer accessible, while breachforums.bf has resumed normal availability, suggesting a return to the original domain infrastructure.

Public attribution for breachforums.bf administration remains unclear following previous law enforcement actions and administrative turnover. Prior underground discussions referenced an individual using the alias ‘Loki’ in connection with breachforums.bf, though no confirmed ownership attribution was established.

Separately, breachforums.cz continues operating as an alternative forum platform. The site publicly identifies threat actors HasanBroker as owner and breach3d as co-owner. Administrators of breachforums.cz continue to dispute the legitimacy and security posture of competing BreachForums infrastructure.

Forum Comparison Summary

| Forum | Operators / Claimed Association | Notable Claims | Independent Verification |
|---|---|---|---|
| Breachforums.bf (previously Breachforums.jp) | Allegedly linked (unverified) to alias “Loki” | Accused by rivals of cloning and weak security | No confirmed attribution or artifacts observed |
| Breachforums.cz | Aliases “HasanBroker” and “breach3d” | Positions itself as safer alternative; alleges vulnerabilities in breachforums.jp | Claims unverified; no technical proof provided |

Dispute Between Competing Forum Operators

Threat actor breach3d claims breachforums.bf attempted to damage breachforums.cz credibility by reposting staff chat logs and conducting personal attacks against HasanBroker. The actor states these actions triggered internal infrastructure review and led to the discovery of alleged security failures. These claims remain unverified.

Actor Conflict And Ecosystem Instability

Forum fragmentation reflects instability following repeated law enforcement disruptions and leadership turnover. Rival operators often attempt to establish legitimacy through technical accusations or reputation attacks.

Alleged Security And Privacy Weaknesses

Threat actor breach3d alleges breachforums.bf contains vulnerabilities exposing connection-related user metadata, contradicting stated privacy protections. The actor claims BBCode image tags process external URLs without validation, enabling blind server-side request forgery. This behavior could expose backend infrastructure details, including origin IP addresses behind protective services.

The actor also alleges insufficient rate limiting on the thread creation endpoint, allowing high-volume submission requests capable of causing service degradation or database strain.

breach3d further claims indicators suggest possible third-party attempts to access connection metadata. No proof-of-concept, screenshots, or independently verified technical artifacts were provided. Open-source monitoring has not identified corroborating evidence at the time of writing.

Technical Appendix: SSRF Overview

Server-side request forgery occurs when a server processes attacker-supplied URLs and sends outbound requests. This behavior can expose internal infrastructure details, reveal origin IP addresses, or allow unintended service interaction. Blind SSRF refers to scenarios where attackers cannot directly view responses but can infer system behavior through external monitoring.
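
For defenders running forum software that fetches images server-side, the missing control described in the allegation is validation of the `[img]` URL before any outbound request. The sketch below is an added example, not code from the article or from any forum named in it. The BBCode pattern, hostnames, DNS table and function names are assumptions made for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
# Constructed sample data (hypothetical hostnames, not taken from the article).
SAMPLE_DNS = {"img.example.net": {"93.184.216.34"}, "intranet.example.net": {"10.0.0.5"},
              "mixed.example.net": {"93.184.216.34", "127.0.0.1"}}
SAMPLE_POST = ("[img]https://img.example.net/a.png[/img] [img]http://intranet.example.net/s.png[/img] "
               "[img]http://169.254.169.254/x.png[/img] [img]ftp://img.example.net/a.png[/img]")

def system_resolver(host):
    """Every address the name maps to, via the OS resolver (needs DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def sample_resolver(host):
    """Offline stand-in for DNS, backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise OSError("unknown host")
    return SAMPLE_DNS[host]

def check_image_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL taken from an [img] tag."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP in the URL
    except ValueError:
        try:
            addrs = set(resolver(host))            # hostname: judge what it resolves to
        except OSError:
            return False, "host does not resolve"
    # Every address must be globally routable; this rejects loopback,
    # RFC 1918, link-local and other reserved ranges in one test.
    if not addrs or not all(ipaddress.ip_address(a).is_global for a in addrs):
        return False, "resolves to non-public address"
    return True, "ok"

def audit_post(bbcode, resolver=system_resolver):
    """Check every [img] URL in a post; returns [(url, allowed, reason)]."""
    return [(u.strip(), *check_image_url(u, resolver)) for u in IMG_TAG.findall(bbcode)]
```

The check only holds if the fetcher then connects to the address that was validated and re-runs it on every redirect, since a name can resolve differently between the check and the request. Routing fetches through an isolated egress proxy also keeps the origin address out of outbound traffic.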

Review Of Leaked Log Examples

The threat actor also provided logs containing timestamps, IP addresses, and user-agent data.

Observed entries include:

  • Example (redacted): 2026-01-24 20:18:17 | 150.241.115.xxx | Desktop browser (Linux)
  • Example (redacted): 2026-01-24 20:18:16 | 150.241.115.xxx
  • Example (redacted): 2026-01-24 20:17:59 | 146.103.98.xxx | Desktop browser (Linux)

If authentic, these logs illustrate connection metadata exposure. The entries, however, do not confirm SSRF exploitation or unauthorized third-party access.

Potential Impact

If the claims are accurate, exposed connection metadata could reduce user anonymity. Claimed infrastructure weaknesses could increase service disruption or data exposure risk. These impacts remain theoretical.

Claim Vs Verification

Claimed by actors
– breachforums.cz administrators claim breachforums.bf contains privacy risks, infrastructure weaknesses, and misleading security messaging.

Confirmed independently
– No third-party confirmation exists. No validated technical artifacts or independent research supports the claims.

Threat Intelligence Confidence Scoring

Source Reliability: Low
Claims originate from competing threat actors with reputational incentives.

Information Credibility: Low
No supporting screenshots, exploit demonstrations, or independent validation observed.

Overall Assessment Confidence: Low
Claims remain unverified and require corroboration through independent technical research or infrastructure observation.

Assessment

Current allegations originate from competing actors. Reliability remains low. Continued monitoring of infrastructure changes and actor disputes remains necessary.

The information provided in this article is based on publicly available open-source intelligence (OSINT). It is intended for awareness and defensive cybersecurity purposes only.
