New #ShadowTalk Episode: ShinyHunters' Expanding Toolkit — Oracle PeopleSoft Zero-Day and the BreachForums Detection Gap. ShinyHunters likely exploited a CVSS 9.8 zero-day in Oracle PeopleSoft and breached more than 100 organizations, 68% of them universities. Simultaneously, the group posted a $300,000 BreachForums listing for live Salesforce CRM access and captured data from the organizations that had previously declined its extortion demands. This week on ShadowTalk, we break down both operations, the defense gaps they reveal, and what your team can do about each one right now. Tune in on Apple Podcasts or YouTube: ShadowTalk: bit.ly/3IDjhGF
81
Replying to @DailyDarkWeb
Can anyone give me the recent BreachForums link?
1
1
50
The Vercel breach is the build-in-public nightmare. An attacker popped Context AI, used it to take over an employee Workspace account, then pivoted into Vercel. The DB later showed up for $2M on BreachForums. Your security is now your AI vendor's security. Pick them like it.
61
Jun 14
On May 13, TeamPCP published the Shai-Hulud worm source code on GitHub. MIT license. Full documentation. The worm that hit 323 npm packages, forged security certificates, and stole credentials from build pipelines is now a public repository anyone can fork.

Since then: BreachForums (an underground cybercrime marketplace) started running a bounty challenge. Post proof of a successful supply chain attack using the code, earn reputation and status. Four independent copycat attacks confirmed within two weeks. Each one tweaked the payload but used the same propagation method: steal an npm token, enumerate the victim's packages, publish infected versions of all of them.

Releasing attack tool source code isn't new. Metasploit and every red team framework followed the same path. The difference: those target networks. This targets the software supply chain. The blast radius is every project that installs the compromised package, and every project downstream of that. The worm is public. The question is whether the defenses catch up before the copycats get creative.
1
1
113
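The propagation method in the post above (steal a maintainer's npm token, enumerate their packages, publish a new version of every one) leaves a registry-side signature: all of one maintainer's packages get a fresh version within minutes of each other. The script below is an added example, not the worm's code and not from any project; it flags that pattern from registry metadata. The field names follow the npm registry document (`name`, `maintainers`, and the `time` map of version to publish timestamp, which real documents at `https://registry.npmjs.org/<package>` carry), but every record in `SAMPLE_DOCS` is constructed, and the window and package-count thresholds are assumptions to tune per organisation.

```javascript
// Added example (not the worm's code, not any project's code): spot a
// Shai-Hulud-style publish burst, i.e. one maintainer's packages all getting a
// new version within minutes of each other. Field names follow the npm registry
// document (name, maintainers, time map), but every record here is constructed.

// The registry 'time' map also holds 'created' and 'modified'; keep version keys only.
function latestPublish(timeMap) {
  const versions = Object.entries(timeMap).filter(([k]) => k !== 'created' && k !== 'modified');
  versions.sort((a, b) => Date.parse(a[1]) - Date.parse(b[1]));
  const [version, ts] = versions[versions.length - 1];
  return { version, publishedAt: Date.parse(ts) };
}

// Returns one alert per maintainer whose latest publishes on >= minPackages
// distinct packages fall inside a single windowMs-wide sliding window.
// Thresholds are assumptions; a legitimate monorepo release can look similar,
// so this is a triage signal to pair with a diff of the published tarballs.
function findPublishBursts(docs, windowMs = 10 * 60 * 1000, minPackages = 3) {
  const byMaintainer = new Map();
  for (const doc of docs) {
    const { version, publishedAt } = latestPublish(doc.time);
    for (const m of doc.maintainers) {
      if (!byMaintainer.has(m.name)) byMaintainer.set(m.name, []);
      byMaintainer.get(m.name).push({ name: doc.name, version, publishedAt });
    }
  }
  const alerts = [];
  for (const [maintainer, pubs] of byMaintainer) {
    pubs.sort((a, b) => a.publishedAt - b.publishedAt);
    let best = [];
    let start = 0;
    for (let end = 0; end < pubs.length; end++) {
      while (pubs[end].publishedAt - pubs[start].publishedAt > windowMs) start++;
      if (end - start + 1 > best.length) best = pubs.slice(start, end + 1);
    }
    if (best.length >= minPackages) {
      alerts.push({
        maintainer,
        count: best.length,
        spanSeconds: (best[best.length - 1].publishedAt - best[0].publishedAt) / 1000,
        packages: best.map((p) => `${p.name}@${p.version}`),
      });
    }
  }
  return alerts;
}

// Constructed registry documents: 'alice' has four packages republished within
// two minutes (the worm pattern); 'bob' has two publishes months apart.
const SAMPLE_DOCS = [
  { name: 'acme-logger', maintainers: [{ name: 'alice' }],
    time: { created: '2025-01-10T09:00:00.000Z', '1.0.0': '2025-01-10T09:00:00.000Z',
            '1.0.1': '2026-05-14T02:11:05.000Z', modified: '2026-05-14T02:11:05.000Z' } },
  { name: 'acme-config', maintainers: [{ name: 'alice' }],
    time: { '2.3.0': '2025-11-02T15:20:00.000Z', '2.3.1': '2026-05-14T02:11:19.000Z' } },
  { name: 'acme-cli', maintainers: [{ name: 'alice' }],
    time: { '0.9.0': '2025-08-21T11:00:00.000Z', '0.9.1': '2026-05-14T02:12:40.000Z' } },
  { name: 'acme-utils', maintainers: [{ name: 'alice' }, { name: 'bob' }],
    time: { '4.1.0': '2026-05-14T02:13:02.000Z' } },
  { name: 'bobs-parser', maintainers: [{ name: 'bob' }],
    time: { '1.2.0': '2026-03-01T10:00:00.000Z' } },
];

console.log(JSON.stringify(findPublishBursts(SAMPLE_DOCS), null, 2));
```

On the constructed data this reports a single burst: `alice`, four packages, 117 seconds end to end. Shrinking the window to one minute reports nothing, which is the knob you turn to trade false positives against the few minutes a token-driven republish actually takes.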
How did the FBI catch one of the most dangerous, most wanted hackers because of a simple mistake?

In 2021, IntelBroker began his career by targeting small organizations, breaching one after another, and some hackers noticed the breaches he was pulling off. But in 2023 his name blew up: the internet, and the hacker world in particular, was abuzz after he breached the well-known Weee app, which specializes in Asian food. He posted that breach on the famous forum BreachForums, and from there his name started to stand out more, since every few days he would post a breach of a large company or government body on the forum. Among his breaches were: Europol, Cisco, Nokia, AMD, the US Pentagon and many other companies and government bodies. Whenever he breached an entity, he would post a thread on the forum offering the entity's data for sale, with payment in a hard-to-trace cryptocurrency; and if nobody bought it, he would immediately release it for free to show off the breach in front of the other hackers. The number of threads he posted on the forum reached 158 threads, 335 posts and 2,100 comments, and around that time he took over administration of the forum and became the one running it.

After his reputation spread widely, the FBI set its sights on him and began tracking him extensively. One day an FBI agent contacted him to buy breached data for $250 and convinced him to accept Bitcoin for the purchase. After he agreed to be paid in Bitcoin and the transfer actually went through, the FBI began tracing the money that had been sent to him and kept at it for two years, until one day they discovered that the wallet the Bitcoin had been sent to was linked to the name of a person called Kai West, a British national. Three weeks after discovering his identity, he was arrested in France.

Kai West, known as IntelBroker, caused losses estimated at $25 million and breached more than 40 companies and government bodies.

A small note: the idea that he was tracked through Bitcoin may well be true, as presented in the case file, but what I expect is that they were able to get his name from BreachForums, because the FBI had extensive access to it; they just didn't include that, in order to build the case properly.
6
19
327
64,946
Doxbin mod as well as a BreachForums person
152
Replying to @jsrailton @WhatsApp
RATs, sold on BreachForums: REEEEEE THIS IS SPYWARE RATs, written by literal Jewish cabals: This is fine. Yeah, we know who's a rat of the animal kind here.
1
205
Replying to @KimZetter
My point was that there are a lot of Shiny clones popping up. Is Shiny the real admin of BreachForums or just a copycat? I've seen a number of other breaches with people claiming they are Shiny. I don't think the real Shiny is involved with the Com, but is it possible that a copycat is? Maybe. And that creates a lot of confusion, which is kind of the whole point.
3
523
🚨 UPDATE — Miasma source leak: This was deliberate. TeamPCP previously open-sourced Mini Shai-Hulud on May 12, then announced a supply-chain attack contest on BreachForums. The Miasma leak follows the same playbook: weaponizing the community to launch copycat attacks at scale. Two new critical details: The leaked toolkit needs ZERO C2 infrastructure; it uses GitHub itself as command-and-control, making it impossible to block via domain takedown. And TeamPCP also breached GitHub's own internal repos in May (~3,800 repos) and advertised them for sale on dark web forums. If no buyer emerged, they threatened to leak them for free. The supply chain war just went open source. 👇 bleepingcomputer.com/news/se…
1
1
220
iFood confirmed a breach hitting 1.2M Brazilian customers — and hackers on BreachForums claim the real number is much higher. The delivery app knew your order history, address, and phone. Now everyone does. #Cybersecurity
62
#threatreport #HighCompleteness Dark Web Profile: Vect Ransomware | 05-06-2026
Source: socradar.io/blog/dark-web-pr…
Key details below ↓
🧑‍💻 Actors/Campaigns: Vect (🧠 motivation: financially motivated), TeamPCP, DragonForce
💀 Threats: supply-chain technique, Conti, LockBit, qTox (tool), DevMan, credential-harvesting technique, shadow-copy-deletion technique, WinRM (tool), Rclone (tool), CanisterWorm, Windows locker
🎯 Victims: Technology, Financial services, Healthcare, Manufacturing, Business services, Energy, Consumer services, Education, Agriculture & food production
🏭 Industry: Healthcare, Foodtech, E-commerce, Education, Energy
🌐 Geo: Kazakhstan, South Africa, Russia, Egypt, India, Ukraine, Africa, Brazil, Israel, Belarus, Spain, Italy
📚 TTPs: ⚔️ Tactics: 10 · 🛠️ Techniques: 31
🧨 IOCs: File: 3 · Command: 1
💽 Software: Trivy, LiteLLM, Linux, ESXi, Kubernetes, Microsoft Defender, MariaDB, MySQL, PostgreSQL, Redis, ...
🪙 Crypto: Monero, Bitcoin
🔢 Algorithms: base64, ChaCha20-Poly1305, ChaCha20, Poly1305, XOR
🔠 Functions: randombytes, Set-MpPreference
🗂️ Win API: NtQueryInformationProcess, NetShareEnum, MoveFileExW
📜 Programming languages: PowerShell, Python

#threatreport: Vect ransomware emerged on December 31, 2025, as a financially motivated double-extortion ransomware-as-a-service operation, advertised on a Russian-language cybercrime forum. The group rapidly established a broad affiliate network, publishing its first 25 victims within four months, and formed alliances that connect it to other threat actors, notably TeamPCP. This partnership enables it to leverage credentials harvested from multiple supply chain compromises, including significant breaches in Trivy and Checkmarx KICS. Vect operates through a structured affiliate model, offering one of the lowest entry costs in the ransomware ecosystem at $250 paid in Monero, with waivers for applicants from the Commonwealth of Independent States (CIS).

Affiliates gain access to functionality such as a payload builder for various operating systems and a collaborative platform for negotiating with victims. By mid-April 2026, a significant milestone occurred with BreachForums distributing Vect affiliation keys to its entire registered user base, dramatically expanding the recruitment pool without the usual skill or experience requirements. Attacks initiated by Vect typically exploit supply chain vulnerabilities, particularly those exploited in the TeamPCP campaign that targeted multiple software development tools and services. Initial access is achieved through compromise of CI/CD pipelines, allowing them to harvest sensitive credentials and leading to substantial data exfiltration.

The encryption process itself carries a high potential for data loss due to a flaw in their encryption methodology, which inadvertently renders large portions of encrypted files unrecoverable. The Vect encryption routine employs the ChaCha20 algorithm but fails to provide message integrity protection, further undermining the viability of victim recovery efforts. Vect's operational techniques include disabling security mechanisms before executing the ransomware, terminating protective services, and conducting thorough system reconnaissance to maintain an effective foothold. They perform lateral movement through methods that masquerade as legitimate system operations, using scheduled tasks to escalate privileges and propagate throughout networks. Their impact extends across various sectors, with notable concentrations of victims in the United States and Brazil, while the technology sector suffers the most significant breaches.

To defend against Vect ransomware, organizations are advised to promptly rotate any potentially compromised credentials and implement stringent network defenses, especially against Tor traffic, where Vect maintains its command-and-control infrastructure. Monitoring for specific behaviors associated with Vect operations, along with rigorous logging and alerting for unusual system modifications, is essential for detection and prevention. Finally, maintaining immutable backups and following best practices for patch management and security configurations can mitigate the risks associated with this ransomware threat.
6
196
The Gentlemen ransomware combines per-file Curve25519/XChaCha20 encryption with self-propagation: 21 lateral movement attempts per target via PsExec, WMI, scheduled tasks and WinRM simultaneously. RaaS active since mid-2025, targeting healthcare, education and finance across four continents. BreachForums partnership announced: affiliate volume will increase. Defensive priorities: tamper protection enabled, ASR on PsExec/WMI, controlled folder access, isolated offline backups. microsoft.com/en-us/security…
19
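The post above describes a locker that fires PsExec, WMI, scheduled tasks and WinRM at each target at the same time, and the Vect report a few posts up lists scheduled tasks and WinRM among its lateral-movement tooling. That fan-out is itself a detection: an admin rarely uses more than one of those channels against one host within the same minute. The script below is an added example, not the Gentlemen code and not from the Microsoft write-up; it classifies normalised Windows/Sysmon events by technique and alerts when one source hits one target with three or more techniques inside a 60-second window. The event IDs (System 7045, Security 4698, Sysmon 1 and 3) and the `PSEXESVC` service name and `WmiPrvSE.exe` parent are the real indicators; the flat event shape with resolved `src`/`dst` hostnames is an assumed SIEM enrichment, and every event in `SAMPLE_EVENTS` is constructed.

```javascript
// Added example (not the Gentlemen code, not from the Microsoft write-up):
// flag a source host that hits the same target with several lateral-movement
// techniques inside one short window. Events are constructed and already
// normalised to a flat shape a SIEM would emit after enrichment (src/dst are
// assumed resolved); the eventId values are the real Windows/Sysmon IDs.

// Map a normalised event to the technique it evidences, or null if unrelated.
function classify(ev) {
  // System 7045: service installed; PsExec's default service name is PSEXESVC.
  if (ev.source === 'System' && ev.eventId === 7045 && /PSEXESVC/i.test(ev.serviceName || '')) return 'psexec';
  // Security 4698: scheduled task created.
  if (ev.source === 'Security' && ev.eventId === 4698) return 'schtask';
  // Sysmon 1: process creation whose parent is the WMI provider host.
  if (ev.source === 'Sysmon' && ev.eventId === 1 && /\\WmiPrvSE\.exe$/i.test(ev.parentImage || '')) return 'wmi';
  // Sysmon 3: network connection to the WinRM listener ports.
  if (ev.source === 'Sysmon' && ev.eventId === 3 && (ev.dstPort === 5985 || ev.dstPort === 5986)) return 'winrm';
  return null;
}

// Group by (src,dst); alert when >= minTechniques distinct techniques land within windowMs.
// Thresholds are assumptions to tune against local admin tooling.
function findTechniqueFanout(events, windowMs = 60 * 1000, minTechniques = 3) {
  const pairs = new Map();
  for (const ev of events) {
    const technique = classify(ev);
    if (!technique) continue;
    const key = `${ev.src}->${ev.dst}`;
    if (!pairs.has(key)) pairs.set(key, []);
    pairs.get(key).push({ t: Date.parse(ev.ts), technique });
  }
  const alerts = [];
  for (const [key, hits] of pairs) {
    hits.sort((a, b) => a.t - b.t);
    let start = 0;
    let best = new Set();
    for (let end = 0; end < hits.length; end++) {
      while (hits[end].t - hits[start].t > windowMs) start++;
      const seen = new Set(hits.slice(start, end + 1).map((h) => h.technique));
      if (seen.size > best.size) best = seen;
    }
    if (best.size >= minTechniques) {
      const [src, dst] = key.split('->');
      alerts.push({ src, dst, techniques: [...best].sort() });
    }
  }
  return alerts;
}

const WMI_HOST = 'C:\\Windows\\System32\\wbem\\WmiPrvSE.exe';
const SAMPLE_EVENTS = [
  // WS-017 sprays four techniques at SRV-FS01 and three at SRV-DB02 within seconds.
  { ts: '2026-05-06T03:14:05Z', src: 'WS-017', dst: 'SRV-FS01', source: 'System',   eventId: 7045, serviceName: 'PSEXESVC' },
  { ts: '2026-05-06T03:14:06Z', src: 'WS-017', dst: 'SRV-FS01', source: 'Sysmon',   eventId: 1,    parentImage: WMI_HOST },
  { ts: '2026-05-06T03:14:06Z', src: 'WS-017', dst: 'SRV-FS01', source: 'Security', eventId: 4698 },
  { ts: '2026-05-06T03:14:07Z', src: 'WS-017', dst: 'SRV-FS01', source: 'Sysmon',   eventId: 3,    dstPort: 5985 },
  { ts: '2026-05-06T03:14:07Z', src: 'WS-017', dst: 'SRV-DB02', source: 'System',   eventId: 7045, serviceName: 'PSEXESVC' },
  { ts: '2026-05-06T03:14:08Z', src: 'WS-017', dst: 'SRV-DB02', source: 'Sysmon',   eventId: 1,    parentImage: WMI_HOST },
  { ts: '2026-05-06T03:14:09Z', src: 'WS-017', dst: 'SRV-DB02', source: 'Sysmon',   eventId: 3,    dstPort: 5986 },
  // An admin host using one tool at a time: at most two techniques in any minute, under threshold.
  { ts: '2026-05-06T09:00:00Z', src: 'ADMIN-01', dst: 'SRV-FS01', source: 'Sysmon',   eventId: 3,    dstPort: 5985 },
  { ts: '2026-05-06T11:30:00Z', src: 'ADMIN-01', dst: 'SRV-FS01', source: 'System',   eventId: 7045, serviceName: 'PSEXESVC' },
  { ts: '2026-05-06T11:30:40Z', src: 'ADMIN-01', dst: 'SRV-FS01', source: 'Security', eventId: 4698 },
  // Unrelated service install, ignored by classify().
  { ts: '2026-05-06T11:31:00Z', src: 'ADMIN-01', dst: 'SRV-FS01', source: 'System',   eventId: 7045, serviceName: 'Spooler' },
];

console.log(findTechniqueFanout(SAMPLE_EVENTS));
```

On the constructed events this produces two alerts, both from `WS-017`, and stays quiet for `ADMIN-01`. Lowering `minTechniques` to 2 also catches the admin's PsExec-then-schtask minute, which is the usual false-positive source and the reason the post's prevention controls (ASR on PsExec/WMI, tamper protection) matter more than the alert itself.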
A signed-in Google account on ArchiveToday is bad enough. That same email appearing in the BreachForums DB makes it an OPSEC story 😬 Cool use of @OSINTindustries 👇
Jun 5
Why is there a signed in google account on ArchiveToday??
2
43
7,083
> bob is a security lead at company foo > convinces execs to burn millions on mythos tokens to find "all" the bugs > tokens burnt, bugs found > mythos says foo is risk free, bob is proud, they sent the report > bob closes the VDP and fires half the security team > bob having the time of his life until lazarus starts selling foo source on breachforums > panic pikachu what is the moral of the story?
9
18
204
24,666
What if hacker forums are just ticking time bombs? RaidForums and BreachForums are proof. Weak OPSEC, weak infrastructure. Are you ready for the consequences? @DailyDarkWeb @IntCyberDigest @ADanielHill @Zethrion7X
1
3
224
Key arrests connected to ShinyHunters (also known as ShinyCorp) include the following:

Sébastien Raoult (aka "Sezyo Kaizen")
• French citizen from Epinal, France.
• Arrested in Morocco in May 2022, extradited to the United States in early 2023.
• Sentenced in January 2024 in U.S. District Court (Western District of Washington) to three years in prison plus over $5 million in restitution.
• Charged with conspiracy to commit wire fraud and aggravated identity theft. He was linked to the group's activities involving stealing and selling personal data from millions of victims on dark web forums. justice.gov

June 2025 French Arrests (BreachForums/ShinyHunters Administrators)
French authorities (Cybercrime Brigade, BL2C) arrested four individuals in their twenties in multiple regions of France around June 23, 2025. They are known primarily by their online aliases:
• ShinyHunters (a key/leading persona).
• Hollow.
• Noct.
• Depressed.
These arrests targeted individuals associated with running or administering BreachForums (a major marketplace for stolen data) and cybercrime activities linked to the ShinyHunters group/brand. This was part of a coordinated international law enforcement effort. sophos.com

Additionally:
• Kai West (aka IntelBroker): A British national arrested in France around February 2025. He is closely associated with BreachForums and data sales, with overlaps or collaborations involving ShinyHunters activities. @intelligence

Context and Notes
• ShinyHunters operates as a loose network or "brand" rather than a tightly structured group, so arrests have targeted key personas, forum admins, and affiliates rather than dismantling the entire operation. The group (or copycats using the name) has continued claiming breaches afterward. en.wikipedia.org
• Other individuals (e.g., a 19-year-old U.S. student, Matthew D. Lane, in a separate but related education-tech extortion case) have faced charges, but direct ties vary.

1
2
3
302