The French Cybercrime Brigade (BL2C) has arrested four individuals suspected of being behind the infamous underground hacking forum BreachForums.
The hacking forum was launched in 2022 and quickly became the preferred dark web marketplace for selling stolen data and recruiting cybercriminals. BreachForums was the successor of RaidForums, which the FBI shut down in 2022.
Meanwhile, the individuals arrested were suspected of using the aliases “ShinyHunters,” “Hollow,” “Noct,” and “Depressed” on BreachForums and are believed to be in their twenties.
More hacking forum BreachForums suspects arrested
The detained BreachForums suspects are accused of cybercrime activities in France, including the sale of stolen data from the Boulanger cyberattack, the France Travail breach, the French telecom provider SFR cyber attack, and the French football federation hack. The France Travail data breach was more significant, impacting over 43 million individuals.
However, “ShinyHunters” stands out due to their alleged role in numerous high-profile data breaches, including AT&T, Salesforce, SnowFlake, PowerSchool, Ticketmaster, Advance Auto Parts, Neiman Marcus, and Cylance. While the name suggests a single individual, it likely represents a group of cybercriminals who frequently collaborate on leaking stolen information.
Nonetheless, their real identities remain undisclosed, likely due to ongoing investigations or other law enforcement sweeps to arrest other cybercriminals linked to the hacking forum.
“Law enforcement agencies must disclose specific details about BreachForums’ modus operandi, like general attack tactics and techniques, targeted vulnerabilities, forum operations, and how they collaborated with other criminals without revealing specific technical details and investigation tactics,” suggested Agnidipta Sarkar, Chief Evangelist at ColorTokens.
Meanwhile, their arrests follow that of another high-profile suspected BreachForums God-level user, IntelBroker, who is believed to be the former administrator of the hacking forum. IntelBroker’s arrest brings the total number of suspects linked to the infamous dark web hacking forum to five.
According to French outlet Le Parisien, police slapped the cuffs on IntelBroker in February 2025. Interestingly, IntelBroker happens to be a British national, highlighting the cross-border nature of cybercrime.
“The global nature of cybercrime is part of the challenge – the actors managing these forums may be in one country or region, but hosting and infrastructure could be in several others,” noted Trey Ford, Chief Information Security Officer at Bugcrowd. “This also underscores the challenge those defending companies face – we’re defending against miscreant threat actors on a global scale, with marketplaces where specialized talent, tools, and services are available.”
Meanwhile, police conducted the raids across France, from Hauts-de-Seine, west of Paris, to Seine-Maritime (Normandy) in the north of the country, and to the Indian Ocean island of Réunion, between Madagascar and Mauritius.
Past law enforcement actions on the hacking forum
Law enforcement authorities have previously cracked down on the hacking forum, arrested suspects, and secured convictions. In March 2023, former BreachForums admin Conor Brian Fitzpatrick, aka “Pompompurin,” was arrested and charged with selling stolen data and hacking tools, and possessing child sexual abuse material.
In 2024, the U.S. national was convicted and sentenced to 20 years of supervised release, which included a two-year house arrest. IntelBroker was linked to various high-profile breaches, such as D.C. Health Link, AMD, HPE, Cisco, General Electric, Nokia, and Europol.
ShinyHunters allegedly took over from Fitzpatrick in June 2023 and operated the site until the FBI shut it down in mid-May 2024, following a DOJ seizure that involved Europol.
In late May 2024, the hacking forum resurrected with ShinyHunters as the admin and “Baphomet” as a moderator, until the former was arrested. Fellow detainee “Hollow” also acted as a moderator until they became cellmates. However, the roles of “Depressed” and “Noct” on BreachForums v2 are sketchy at the moment.
In April 2025, BreachForums experienced a cyber outage that users speculated was related to a law enforcement action. While details regarding the disruption are not public, the incident was likely related to the ongoing crackdown that resulted in the arrest of the suspected high-ranking members.
“These arrests represent a significant win for international law enforcement and demonstrate that cybercriminals can’t hide behind forum anonymity forever,” said J Stephen Kowski, Field CTO at SlashNext. “The fact that these operators were French nationals rather than Russian shows how global and decentralized these criminal networks have become – they’re not just operating from traditional cybercrime hotspots anymore.”
