The Federal Bureau of Investigation (FBI) shut down BreachForums, a forum for English-speaking black hat hackers, on 21 March 2023, following the arrest of its owner Conor Brian Fitzpatrick. More recent reports, however, stated it’s back up under new management—that of hacking group ShinyHunters and original administrator Baphomet.

Threat researcher Dancho Danchev obtained 573 domains that belonged to several BreachForums members. The WhoisXML API research team expanded this list of indicators of compromise (IoCs) in an effort to obtain more information on their infrastructure. Our in-depth investigation led to the discovery of:

• 12 recently registered domains with the same registrant email addresses as some of the IoCs, one of which turned out to be malicious based on a bulk malware check
• 3,884 domains that shared the dedicated IP hosts of some of the domains identified as IoCs, 22 of which turned out to be malicious based on a bulk malware check
• 9,588 domains that contained strings akin to some of the IoCs, 30 of which turned out to be malicious based on a bulk malware check

A sample of the additional artifacts obtained from our analysis is available for download from our website.

BreachForums Domains IoC Facts

The first step we took to investigate the BreachForums IoCs Danchev collated was perform a bulk WHOIS lookup that provided these results:

• While 324 of the domains identified as IoCs did not have retrievable public registrar data, the remaining 249 IoCs with current WHOIS records were distributed among 90 registrars led by Namecheap (24 domains), GoDaddy (22 domains), GMO Internet (15 domains), PDR (13 domains), and FastDomain (9 domains).

  

• While 310 of the domains did not have retrievable creation dates, the remaining 263 with current WHOIS records were created between 1997 and 2023, with most, 72 to be exact, created in 2022.

  

• While 358 IoCs did not have retrievable public registrant country data, the remaining 215 with current WHOIS records were spread across 32 countries led by the U.S. (64 domains), Japan (17 domains), India (14 domains), France (12 domains), and China (10 domains).

  

It is also interesting to note that the five most used top-level domain (TLD) extensions among the 573 domains identified as IoCs were .com (305 domains), .us (66 domains), .net (23 domains), .science (22 domains), and .org (19 domains). The remaining 138 domains sported 29 other TLD extensions.

BreachForums IoC List Expansion Findings

To know more about the BreachForums members’ cybercriminal infrastructure, we subjected the 573 domains identified as IoCs to an expansion analysis.

A closer look at the IoCs with retrievable WHOIS records showed that several had public registrant email addresses (limited to those used to register 50 or fewer domains each), which were shared by 12 additional domains based on reverse WHOIS searches. One of the email-connected domains—carmainten[.]com—turned out to be malicious based on a bulk malware check.

Next, we conducted DNS lookups for the 573 domains identified as IoCs and found that they resolved to 253 IP addresses, one of which—137[.]184[.]161[.]21—turned out to be malicious based on malware checks.

A bulk IP geolocation lookup for the 253 IP addresses showed that:

• While one did not have available geolocation country data, the remaining 252 were geolocated in 27 different countries led by the U.S. (114 IP addresses), Canada (35 IP addresses), Germany (22 IP addresses), Japan (17 IP addresses), and China (seven IP addresses).

  

  Three of the top 5 IP geolocation and registrant countries—China, Japan, and the U.S.—coincided with one another.

• While one of the IP addresses did not have public Internet service provider (ISP) data, the remaining 252 were spread across 87 ISPs led by Cloudflare (61 IP addresses), Amazon (15 IP addresses), Web-hosting (11 IP addresses), Unified Layer (nine IP addresses), and Google and Hostinger (eight IP addresses each).

  

The lookups also allowed us to limit our study to the 60 dedicated IP addresses that played host to 3,884 domains based on reverse IP lookups. Twenty-two of the IP-connected domains turned out to be malicious based on a bulk malware check. All but two of the malicious domains remained accessible as of this writing.

Checks on Domains & Subdomains Discovery showed that 169 of the strings that appeared in the domains identified as IoCs were also present in 9,588 other domains. Thirty of them turned out to be malicious based on a bulk malware check.

Further scrutiny of the domains identified as IoCs allowed us to see that 23 of them contained six popular brand names—Amazon, Facebook, Gmail, iPhone, Tesla, and Yandex. It is interesting to note that these brand names also appeared in 127 IP- and string-connected domains. We identified some samples in the table below.

None of the 127 brand-containing domains we uncovered could be publicly attributed to any of the six companies cited above based on their WHOIS records. And based on screenshot lookups, 101 of them remained accessible as of this writing even though many led to error or index pages.

Finally, we sought to find out how many of the 13,484 domains potentially connected to the threat by email address, IP address, or string usage shared the five TLD extensions the threat actors most abused based on our further scrutiny of the IoCs earlier. We found that:

• A total of 6,329 connected domains shared four of the top 5 TLD extensions used by the domains identified as IoCs.
• A huge majority of the connected domains, 5,129 to be exact, sported the .com TLD extension.
• Only 101 of the connected domains used the .us TLD extension.
• A total of 723 connected domains utilized the .net TLD extension.
• None of the connected domains sported the .science TLD extension.
• Only 376 of the connected domains used the .org TLD extension.

Take a look at the comparison between the TLD extension usage among the domains identified as IoCs and connected domains below.

Our analysis and expansion of the list of BreachForums domains allowed us to uncover 13,484 potentially connected web properties, 53 of which turned out to be malicious based on malware checks. We also identified commonalities between the domains identified as IoCs and the connected domains, such as that .com seemed to be the most abused TLD extension.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.