BreachForums disclosure surfaces falling out among ShinyHunters thieves

Disgruntled hacker exposed identities of forum users, sparking debate and opportunities for law enforcement action

Takeaways

• A disgruntled ShinyHunters member exposed the identities of over 323,000 BreachForums users, revealing usernames, emails, and other metadata.
• Internal disagreements within the cybercrime group, especially regarding attack targets, appear to have motivated the leak and highlight ethical divides among threat actors.
• Although law enforcement may already be aware of some individuals, the newly revealed information could lead to more arrests, especially if suspects reside in countries with extradition treaties.
• The incident underscores ongoing risks of cybercriminals shifting platforms and the challenge for authorities to apprehend them before they disappear into new online forums.

Sunlight is said to be the best disinfectant, so now that the real identities of hundreds of thousands of alleged cybercriminals have been revealed, it will be interesting to see how many wind up in prison. Earlier this month a disgruntled member of the cybercrime syndicate known as ShinyHunters decided to disclose detailed information on 323,986 users of an online BreachForums site where cybercriminals acquire tools and share tactics and techniques.

Apparently upset about cyberattacks targeting organizations in France, a cybercriminal only identified as “James” decided the time had come to show his former compatriots that they are no longer able to anonymously launch cyberattacks.

The database published on a website named after ShinyHunters included usernames, email addresses, IP addresses, registration dates, and other metadata that could help law enforcement agencies identify members of the syndicate.

Potential impact of the disclosure

Knowing someone has committed a criminal act, however, is not one in the same as apprehending them, especially if they reside in countries that don’t have extradition treaties with the United States. It’s also probable law enforcement agencies already know who many of the individuals are. The FBI seized BreachForums servers late last year, and French authorities arrested four members of the group. Two years ago, the U.S. District Court in Seattle also sentenced another French member of the group to three years in prison after having him successfully extradited to the U.S from Morocco after he was arrested there. Many BreachForums users, as a result, have probably already moved on to other forums on the assumption that authorities were already monitoring activity.

The fact that cybercriminals might have a falling out amongst themselves isn’t all that unusual, but for one of them to go to the length of publishing a database of identities because of which organizations are being targeted suggests that some of the individuals involved have some sort of code of ethics they follow. That doesn’t necessarily mean they might be willing to testify against their cohorts, but it does appear distinctions are being made about what constitutes a legitimate target.

Internal conflict and its consequences for a cybercrime syndicate

It’s not clear to what degree authorities might be sowing dissent among the rank and file of the hacking community, but differences of opinion over what constitutes a legitimate target might lead additional cybercriminals to provide tips leading to the arrest of individuals that might be targeting a specific country or perhaps some type of non-profit healthcare institution serving the public good.

The one thing that is certain is that more arrests will likely occur once the authorities investigate the individuals listed in the database. Not everyone, of course, listed in that database may even be an actual cybercriminal. They could, in fact, be a cybersecurity researcher or someone affiliated with an intelligence service. The one thing that is certain is authorities should have more visibility into clandestine activities of members of a ShinyHunters syndicate that for the better part of this decade has been responsible for cyberattacks involving Salesforce, AT&T and a small host of other organizations such as Google that were later impacted downstream. The challenge and the opportunity now is to make sure that the members of this syndicate don’t scurry off to another dark part of the web before authorities can locate and arrest them.