
We accessed BreachForums, a private online forum teeming with a cybercrime community, to explore the various products and services being offered on the digital black market of the dark web.
Here’s what we discovered.
This piece is intended for educational purposes only and does not promote the use of the dark web.
What is the dark web?
To give you some context, let’s define the dark web and cybercrime forums. The dark web is an obscure section of the internet that can only be accessed using specialized software such as Tor, which emphasizes user anonymity.
This hidden web functions as a hub for both legitimate activities, such as private browsing, and illicit actions, including the sale of stolen data, drugs, weapons, services, and other contraband items.
Cybercrime forums on the dark web are communities where hackers, fraudsters, and other criminals share information, tools, and services, frequently using cryptocurrencies to make transactions anonymous.
What is BreachForums?
BreachForums began as RaidForums in 2015, founded by Portuguese hacker Diogo Santos Coelho. The platform was initially a community geared towards ‘raiding’ websites for pranks, trolling, or disruptions.
As users on the site began to compromise social media platforms and websites, obtaining millions of user credentials, they quickly shifted to selling this information to the highest bidders. RaidForums soon became one of the most sophisticated and established hubs of organized criminal behavior on the dark web.
When Binance faced a breach in February 2024, the first instance of leaked user KYC details for sale was seen on BreachForums. Similarly, the leaked Bitcoin ATM code from El Salvador also appeared for sale on BreachForums in April of that year.
The site began attracting cybercriminals seeking sensitive information from corporate breaches and even leaked government documents, making it a target for international law enforcement agencies.
In 2022, Europol and U.S. intelligence teamed up to shut down the website and apprehend founder Diogo Santos Coelho, who currently remains in UK custody pending extradition to the U.S. on cybercrime charges.

RaidForums was quickly reestablished as BreachForums by a user named PomPomPurin, who was arrested by the FBI in 2023, with another user, Baphomet, taking over thereafter. The FBI seized BreachForums again in May 2024, although copies of the site have since emerged.
Despite the ongoing activity, online chatter suggests many users believe the website may be a ‘honeypot’ set up by the FBI to observe and capture cybercriminals for prosecution.
What we found on the dark web crime hub BreachForums
Upon entering BreachForums, we were immediately greeted by a plethora of illegal offerings. Unlike some cybercrime forums that disguise themselves as IT or cybersecurity interest groups, BreachForums makes no attempt to obscure its intent: its homepage at the time of our visit displayed offers for violent services from the MS13 or La Mara Salvatrucha gang for $10,000.
While such violent posts are more likely to be scams than legitimate proposals, illegal activities didn’t end there. The site’s scrolling chatbox also exhibited discussions in real time regarding sales in the forum’s bustling marketplace, which featured sellers offering illegal goods like stolen data, bank fraud tutorials, credit card fraud techniques, IP tracking, and more.
Interestingly, there was even a thread dedicated to Anime and Manga appreciation, illustrating that even cybercriminals have their interests.

All posts mentioned in this article were made within hours of our initial login, indicating a lively online community that remains very active, although likely under close surveillance from law enforcement.
The above image depicts users selling access to a wide range of platforms, including online streaming services like Paramount Plus and Netflix, alongside breached OnlyFans accounts.
Leaked data postings included users peddling credentials, including bundles of email logins for C-Suite executives of various companies, ID documents from the UAE, India, Qatar, and Saudi Arabia, plus a leak of files and images allegedly taken from Saudi Arabian military emails.
The military document leak appears authentic based on our preliminary assessment, albeit dated from 2016, suggesting that the user is attempting to market old leaks as current, highlighting the scams prevalent even among cybercriminals.
One user claimed access to a leak from the Australian health insurer Medibank, which indeed suffered a major breach by Russian hackers in 2022, compromising the personal information of 9.7 million Australians.

Unlike the infamous hitman-for-hire advertisements commonly associated with the dark web, these document and identity leaks are disturbingly plausible, as BreachForums primarily facilitates the sale of stolen data, a booming business for years.
However, given the ongoing seizures and arrests, many of these postings could also be traps set by the FBI or other agencies aiming to capture criminals red-handed.
Services found on BreachForums
In addition to stolen data, enterprising cybercriminals offer various services for hire on the dark web, typically accepting cryptocurrency as payment.
Upon browsing BreachForums, we found users claiming to provide DDoS services, allowing criminals to execute distributed denial-of-service attacks to incapacitate targeted websites, either for extortion, competition, or sheer malice.

One group of developing cybercriminals offered HVNC, or Hidden Virtual Network Computing services, allowing remote access to a victim’s computer.
It was noteworthy that, akin to a legitimate online service advertisement, the listing included a comprehensive set of features along with pricing and customer support offered in both Russian and English.

Other services included the provision of phone numbers, enabling criminals to receive login codes for online accounts without revealing their identities.
We identified bulk email senders utilized for illicit mass marketing campaigns, phishing scams, and malware distribution, along with advertisements for email flooders that inundate target inboxes to disable them or conceal malicious activities like unauthorized login alerts.
One email flooder even featured what appeared to be an AI-generated promotional banner and logo, the name of which we have hidden to avoid promoting their services.

We observed entire threads dedicated to services offering access to remote online servers, web development programming, and even graphic design services that could facilitate sophisticated scams, such as creating fake landing pages that steal users’ data.
While some of these services may be legitimate, many are likely fraudulent, especially given the history of the site being seized and reopened multiple times, leading to all accounts being less than two years old.
Cybercrime forums typically operate on an escrow system or trust, based on users having verified histories of ‘honest’ transactions, but this site lacks significant safeguards against scams.
We did note several listings that accepted escrow payments, indicating a vetted third party would hold funds until both parties are satisfied, as seen with a developer advertising pre-made phishing websites and landing pages.

The willingness to accept escrow suggests this seller may indeed be delivering what they claim, although scams involving escrow payments remain likely on this site.
Furthermore, the site features an entire scam thread documenting user reports of fraudulent activities.
User uuu732 shared an experience where their attempt to defraud others failed as they fell victim to a scam on BreachForums, having paid user PennyTrate-x $300 for software to bypass malware detection and send infected PDFs to targets.

The seller did not fulfill their end of the deal, and when the moderator sought clarification, they opted not to reply, leading to a ban on their account.
Another user reported a dispute with a different vendor, detailing $500 spent on a database of user credentials from a Swiss insurance firm, plus an additional $1,300 for data from a Swiss retailer. Neither transaction yielded the promised documents.
What do dark web criminals do with stolen user data?
Cybercriminals purchase login information and personal data to breach email and social media accounts, enabling access to users’ finances for theft or sensitive information exploitation.
For example, hackers might infiltrate a user’s PayPal account to execute unauthorized purchases or reroute funds to different accounts, or even commit identity theft by applying for loans using another person’s identity and passport details.
This information is often exploited for extortion and blackmail, particularly when criminals uncover sensitive data from their victims’ accounts.
How to stay safe online
As illustrated, the dark web presents numerous dangers. Even on a website that has been repeatedly seized and reopened, one encounters a bustling marketplace of criminal activities ranging from illegal services and products to inter-member scams.
For safety on the clearnet, users can implement two-factor authentication on their devices and accounts, ensuring a secondary device, such as a phone, is required to log in. This measure aids in mitigating hacking and phishing attempts. Additionally, verifying URLs before clicking can prevent falling victim to fraudulent websites.
Users unwittingly exploring the dark web, even out of curiosity, risk encountering seasoned scammers and hackers seeking any vulnerabilities. It is advisable to refrain from clicking on unknown links or downloading files, and making any purchases can lead to serious legal and illegal repercussions.
In fact, the safest approach to the dark web is simply not to visit it! Allow us to conduct that exploration for you. Our intention is to regularly investigate various aspects of the dark web and report our findings, providing updates on this underground aspect of the global internet.
How to access the dark web on a Chromebook?
This question comes up frequently, and the answer is somewhat complex. Firstly, we advise against accessing the dark web! While it may be intriguing from a journalistic standpoint, the area is rife with scammers and criminals that could be dangerous. To reach the dark web on a Chromebook, individuals generally install Linux through the Crostini app and then add the Tor browser repository to access Tor’s hidden services, also referred to as the dark web. However, we reiterate that this is not advisable unless conducted for research or journalistic purposes.
Why is the dark web so unsettling?
The dark web’s eerie reputation stems partly from popular YouTube videos in which content creators claim to open ‘mystery boxes’ sourced from the dark web, as well as the widespread allure of short stories and ‘creepypastas’.