FBI Disrupts Dark Web Operation Behind Qantas Hack

Last updated: October 15, 2025
  • The FBI has seized an open-net website linked to hackers threatening to release personal data of Qantas customers within the next 24 hours.

  • The group announced that its BreachForums website domains are all down, and the clear websites linked to the group are showing a message saying the site had been seized by authorities.

  • The group had presented a deadline for Qantas to pay a ransom to prevent the release of sensitive data.

FBI Takes Down Website Linked to Qantas Hack

The US Department of Justice, the FBI, and France’s BL2C cybercrime unit, in collaboration with the Paris Prosecutor’s Office, have successfully seized and destroyed the group responsible for the Qantas hack.

In July, hackers accessed a huge amount of personal records via the Qantas offsite call center in Manila, gaining access to the Salesforce operating system. The attack exposed more than 5.7 million Australians, whose personal details, including phone numbers, names, email addresses, residential addresses, dates of birth, and many more, were stolen.

The group that claimed to be behind the hack, Scattered Lapsus$ Hunters, was threatening Qantas, along with almost 39 other companies, including Disney, UPS, McDonald’s, and others, to pay a ransom by 1:59 pm AEST on Saturday or risk exposure of customer data on the dark web.

In total, the group claims that it’s in possession of the personal information of almost one billion people.

The crackdown

The FBI, in collaboration with the US Department of Justice, France’s BL2C cybercrime unit, and the Paris Prosecutor’s Office, has finally dismantled the BreachForums domain run by the cybercriminal group ShinyHunters.

Unlike its predecessor iterations, the domain served as an extortion portal for the group’s campaign targeting Salesforce customers, marking a strategic shift from marketplace operations to pressure tactics on corporate victims.

breachforums.hn now shows a seizure message bearing the logos of the US and French authorities, confirming that the forum’s infrastructure is currently in federal hands as part of the coordinated international operation.

However, the takedown affected the Clearnet portion of the portal, while the onion version is still running, indicating that the authorities might have gained only partial access. With the Tor version still accessible, the hackers claim they’ll begin leaking data. Despite this latest action, ShinyHunters claims that the takedown “has no impact” on their Salesforce campaign and teased a leak or update scheduled for 11:59 pm ET on October 10, 2025.

Shortly after the takedown, ShinyHunters posted a PGP-signed message on their Telegram admitting the loss of BreachForums domains. “BreachForums was seized by the FBI and international partners today. This was inevitable, and I am not surprised. Neither I nor others involved with this group have been arrested,” the message read.

Backups under FBI control

ShinyHunters also confirmed that, apart from seizing the data leak site, the authorities gained access to the archived databases of the previous incarnations of BreachForums.

In a Telegram post, the threat actor said that the seizure was inevitable and that the “era of forums is over.” They added that the backend servers have also been seized. The group has warned users to treat any future iterations of BreachForums as compromised or simply law enforcement-controlled.

FBI and Qantas response

At the time of writing, neither the FBI nor Qantas has publicly given an update about the claims on the website seizure.

The takedown comes merely two days after Qantas confirmed it was still supporting its customers who were affected by the hacking incident. A Qantas spokesperson said the incident is the priority: “ensuring continued vigilance and providing ongoing support for our customers remains our top priority following our cyber incident in early July.”

So, will BreachForums still go ahead with the threat and release customer data?

The FBI’s seizure of the Clearnet BreachForums domain doesn’t necessarily mean that Qantas customers’ data won’t be released through the dark web after the given deadline elapses. Besides, the group still has the data and obviously has the website; therefore, it won’t be a surprise if they don’t release the data, as they definitely won’t get any ransom.

There’s no denying that law enforcement has momentarily disrupted the group’s plans, but it’s only a small win in a big game. The game isn’t over yet, but at least for now, their countdown clock has hit a glitch.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
