-
The FBI and its legal partners shut down key dark web platforms used by hacker groups to traffic stolen Salesforce customer data and heists.
-
The culprits involved were Scattered Lapsus$ Hunters, comprising illicit hacker groups such as Baphomet, IntelBroker, and ShinyHunters.
-
The crackdown followed shortly after the hacker group threatened to leak customer information on October 10, 2025.
FBI Cracks Down on BreachForums, Disrupting Hackers’ Nefarious Move
The Federal Bureau of Investigation (FBI) has announced the termination of the dark web platform BreachForums due to its association with the recent Salesforce attack incident.
The federal agency took to the public on X during the early hours of Monday, October 13, 2025, announcing that, thanks to a combined effort with some of its partners, they had seized domains connected to BreachForums.
This move occurred a few hours after the cybercriminal group “Lapsus$ Hunters” threatened to release stolen customer data of the CRM giant. The watchdog further emphasized that, by their confiscation, BreachForums will no longer be able to monetize illegal hacks, recruit collaborators, and target victims across various sectors.
Additionally, the FBI asserted that this step demonstrates the effect of “coordinated international law enforcement” agencies to penalize individuals responsible for cybercrimes.
The federal agencies that partnered with the FBI to handle the seizure include the US Department of Justice (DoJ), the Paris Prosecutor’s Office, and France’s BL2C.
The landing page of BreachForums now displays the United States and French law enforcement agency logos. Also, it is worth noting that while the platform’s clearnet version is shut down, its onion site still remains operational.
Salesforce Refuses to Negotiate with Cybercriminals Regarding Ransom for Customer Credentials
Recently, the Scattered Lapsus$ Hunters group breached the renowned British CRM company, Salesforce’s database, stealing 989.45 million customer records.
According to Reuters, the group explained that they had stolen the Salesforce customer credentials by targeting over 40 firms that use its software for their operations.
Lapsus$ Hunters also told Reuters that several of the records contain customers’ identifiable information.
However, in response to the cyberattack, Salesforce informed customers, via an email to Bloomberg, that it will not negotiate or pay a ransom demand from the hacker group.
The attack was connected to its third-party app, SalesLoft Inc., particularly its Drift app, which automates user service interactions by integrating with Salesforce. However, earlier this year, due to a compromise of the app, there was a massive data theft from numerous companies that use Salesforce.
A Salesforce spokesman, Allen Tsai, told Bloomberg that the firm won’t interact, negotiate with, or pay the cybercriminal’s demand. He noted that the firm is aware of the recent extortion attempts and maintains communication with affected clients to offer support.
Also, a report from researchers at Google warned that the recent data hack of Salesforce could result in further nefarious activities, which eventually happened only two months later.
From Online Hacking Forum to Extortion Portal
In a similar development, earlier in October, BreachForum posted a farewell message on its website, signifying a shutdown. Shortly after that, the same domain came back active as a dedicated blackmail site.
The Lapsus Hunters planned to use the new platform to leak stolen data from Salesforce credentials for refusing to meet with their ransom demands.
