Aazani Security
Original Research

Inside DarkForums: BreachForums' successor

By Aazani IT & Security editorial8 min readUpdated July 14, 2026

When law enforcement seizes a major cybercrime forum, the story usually ends with a triumphant press release and a seized-domain banner. What rarely gets covered is what happens next: within weeks, the displaced community simply moves somewhere else, and the cycle starts over. This isn't a one-off - it's the fourth time in a decade this exact pattern has played out, and understanding the pattern matters more than any single forum's name, because the pattern is what keeps producing a place for your stolen data to land.

Diagram showing a data breach traveling from theft to a dark web forum, then weeks later to a public breach notification email

A decade of the same forum dying and coming back

The lineage goes back further than most coverage acknowledges. RaidForums launched in 2015 and grew into one of the largest English-language marketplaces for stolen data before the FBI arrested its owner, Diogo Santos Coelho ("Omnipotent"), and seized it in 2022. A user named Pompompurin, active on RaidForums, immediately spun up BreachForums as the replacement. That didn't last either: Pompompurin (Conor Brian Fitzpatrick) was arrested in March 2023, and the FBI seized BreachForums' clearnet domains that June.

BreachForums came back - more than once. It was seized again in May 2024 (clearnet site, onion site, and associated Telegram, all in one sweep), revived again under new stewardship, and seized a third time in October 2025. That last collapse is the one that matters most for where things stand today, because instead of one clear heir, the userbase fractured into competing successors: PwnForums and Breached.st, plus a third effort from a figure known as HasanBroker running something called DoxByte. KELA, which has tracked this lineage closely, now describes 2026 as an active "succession war" rather than a settled outcome.

Where DarkForums fits into that war

DarkForums itself predates the October 2025 collapse and isn't a direct party to the PwnForums/Breached.st rivalry. It launched in 2022 as "DARK4RMY Forums," tied to a hacking collective called D4rk4rmy, under a founder going by "Lucifer." Lucifer announced his retirement in August 2024 and handed control to an admin known as "Knox."

What made DarkForums matter at scale was a different, earlier BreachForums seizure in April 2025. When that happened, DarkForums - not PwnForums or Breached.st, which didn't exist yet - absorbed the bulk of the displaced community. KELA recorded a 600% surge in the forum's activity between April and June 2025 alone, and DarkForums' design and feature set converged on what BreachForums had offered: the same combination of leaked databases, stealer-log dumps, combo lists, cracked accounts, and hacking tools.

Timeline of DarkForums from its 2022 launch through 2026, highlighting the 600 percent activity surge after BreachForums was seized in April 2025 and the forum's continued operation into 2026

So there are, in effect, two separate successor lineages running in parallel by 2026: DarkForums (which inherited the April 2025 wave and has simply kept operating since, never seized) and the PwnForums/Breached.st/DoxByte three-way split (which inherited the October 2025 wave and is still actively fighting over legitimacy and users).

How the membership economy works

DarkForums runs on a tiered access system - VIP, MVP, and GOD ranks - that functions less like a hacking forum and more like a frequent-flyer program for crime. Reputation and payment both buy you further up the ladder: paid tiers unlock private Telegram channels and exclusive data-leak feeds that never touch the public-facing forum at all. That structure does two things for the operators. It creates a retention mechanism (why would a paying VIP member risk their rank by getting the forum flagged), and it means the material with the most immediate resale value for identity theft and account takeover - fresh stealer logs, unreleased database dumps - is deliberately kept out of view of researchers and casual visitors, surfacing publicly (if at all) only after the paying tier has already extracted its value.

KELA's activity analysis found something odd: the posting patterns of founder "Lucifer" and later admin "AnonOne" line up so neatly - their active periods never once overlap - that researchers suspect they may be the same person operating two identities. If true, it means DarkForums has effectively had one continuous operator behind two "different" admin personas since 2022, rather than the leadership handoff it presents publicly.

The exit-scam scare - context, not breaking news

In July 2025, admin "AnonOne" disappeared mid-"middleman deal" (a transaction structure where a trusted third party holds funds until both sides deliver, which criminals rely on precisely because they can't take a dispute to court). The disappearance set off exit-scam and arrest rumors on the forum's own Telegram. Owner "Knox" responded publicly, saying a user had tried exploiting an XSS bug and falsely claimed a full breach; Knox maintains no real compromise occurred.

To be precise about timing: this episode is over a year old. It's here for context on how the forum runs and who runs it, not as current news.

The legitimacy crisis nobody in the rival camp can shake

The BreachForums successor race has a credibility problem that's specific to 2026 and worth understanding on its own. On January 9, 2026, a leak nicknamed "James/Doomsday" exposed roughly 324,000 user records from one of the successor sites, badly damaging trust in the faction behind it. Then, on March 26, 2026, ShinyHunters - the extortion group that owned the original BreachForums brand - issued a PGP-signed public statement disavowing every current "BF"-branded successor site as fraudulent, stripping legitimacy from both remaining camps at once.

That's left the ecosystem split along operating philosophy rather than just branding. Breached.st, launched by HasanBroker in January 2026, has matured into what KELA characterizes as active criminal infrastructure: brokering supply-chain compromises and distributing ransomware-as-a-service affiliate access, not just hosting forum posts. PwnForums, which emerged publicly in April 2026 after the prior Indra/N/A moderator team's own lineage collapsed in an exit-scam scandal, positions itself closer to a community-continuity effort than an active crime brokerage.

What's actually current: it never got seized

Forum2025-2026 status
BreachForums (original + all revivals)Seized four times since 2022; final collapse October 2025
PwnForumsEmerged April 2026 after its own predecessor's exit-scam collapse
Breached.stLaunched January 2026; now active RaaS/supply-chain brokerage
DarkForumsStill active since 2022 - no law enforcement takedown

DarkForums' real distinction in this landscape isn't that it "won" some succession contest. It's that it's the only major English-language hub in this entire lineage that has never been seized at all, while everything bearing the BreachForums name has now been taken down four separate times.

Stolen data and stealer-log dumps routinely surface on forums like DarkForums weeks before the affected company sends any official breach notification. That gap is why threat-intelligence vendors treat these platforms as tier-1 monitoring targets - it's the earliest warning signal available, well before a company's own disclosure process catches up.

How we verified this

Our approach here is deliberate: cross-reference every claim across multiple independent threat-intelligence sources that don't simply cite each other, rather than treating direct engagement with active criminal infrastructure as a credibility requirement. Interacting with a live cybercrime forum adds legal and operational risk without adding confidence beyond what corroborating independent reporting already provides - and every material fact in this piece (the RaidForums-to-BreachForums-to-DarkForums lineage, the four separate seizure dates, the 600% activity surge figure, the January and March 2026 legitimacy-crisis events, the membership tier structure) is confirmed across separately-reported sources: KELA's own leadership and succession-war analyses, SC Media's and SiliconANGLE's independent reporting on the BreachForums migration, Flashpoint's and Security Boulevard's historical timeline of failed successors, and Leakd's coverage of the AnonOne disappearance. All of them agree, with no contradictions found.

Why this matters if you're not a security professional

There's a real gap between when your data starts circulating on a forum like this and when you get the official notification email. That gap is where the actual damage happens: credential stuffing against your other accounts, targeted phishing that uses your real name and account history to look legitimate, and account takeovers, all before you've been told anything is wrong. Understanding that this pipeline exists, and that it has now survived four consecutive law-enforcement takedowns of the exact same brand by simply relocating each time, is why "wait for the breach email" was never a viable strategy on its own. A password manager with a unique password per site, plus two-factor authentication everywhere it's offered, is what actually limits the damage, regardless of which forum your data eventually turns up on, and regardless of which faction wins the current succession war.

Sources

Inside DarkForums: BreachForums' successor — Aazani IT & Security