Breachforums latest domain

Checked on January 24, 2026

Executive summary

The most recently reported clearnet registration tied to BreachForums is breachforums.bf, a .bf domain whose WHOIS records show creation on 2025-11-18 and an update timestamp of 2025-12-04, and which security researchers and trackers have treated as the forum’s latest listed domain [1]. That said, BreachForums has repeatedly migrated between clearnet domains and .onion mirrors, and has been subject to law‑enforcement seizures and public data leaks, so any “latest” domain is fluid and contested in the open reporting [2] [3] [4].

1. How the .bf registration fits the recent history

Security monitoring of BreachForums captured WHOIS metadata showing the breachforums.bf registration (creation 2025‑11‑18; WHOIS update 2025‑12‑04), and Resecurity’s writeup reproduces that registry detail as the currently documented clearnet pointer for the forum in December 2025 [1]. That registration occurred after a string of earlier takedowns, seizures and recoveries—BreachForums has been a moving target since the RaidForums seizure in 2022 and subsequent arrests and domain forfeitures—so researchers view the .bf entry as the latest incarnation in a long series of domain hops [5] [2].

2. Other recent domains and law‑enforcement actions to consider

Before the .bf registration, BreachForums operated on breachforums[.]hn until it was repurposed and later seized in October 2025 amid investigations linked to ShinyHunters extortion activity; multiple reports tie the .hn domain’s seizure to coordinated action by the U.S. DOJ, FBI and France’s BL2C [2] [6]. The forum also briefly surfaced on variants such as breached[.]fi and maintained .onion mirrors; sources show administrators and threat‑intelligence analysts frequently referring to clearnet mirrors alongside the original dark‑web .onion address [4] [3] [7].

3. Why “latest domain” is an unstable label

BreachForums’ operators have historically rotated domains to evade takedown and to recover after seizures, and security reporting repeatedly documents seizures, domain recoveries via EPP codes, and relaunches under new admin handles—so a domain that is “latest” at publication can be replaced within days [5] [2] [4]. Researchers also warn that some resurrected domains may be honeypots or controlled infrastructure, a concern voiced by threat actors and analysts alike when new clearnet or mirror domains appear [4] [3].

4. The leak and its timing complicate attribution of domain activity

A significant data leak published on January 9–10, 2026 exposed roughly 324,000 user records tied to BreachForums, and multiple outlets tied that dataset to an August 2025 compromise that occurred while the site was being restored from the .hn domain—an element that underlines how restoration windows and temporary storage of backups can create new exposure and prompt domain moves [8] [6] [9]. The leak’s author alias “James” and the forum admin “N/A” both appear in reporting, with admins claiming the table was taken during recovery, which reinforces that domain changes and data incidents are often linked operationally [10] [11].

5. What can be concluded right now and reporting limits

Based on the available open reporting, breachforums.bf is the clearnet registration most recently documented in WHOIS traces and security coverage [1], but the site continues to keep .onion mirrors and has a track record of rapid domain rotation and seizure responses [3] [4]. There is no single source in the provided reporting that confirms the long‑term persistence or live resolution status of breachforums.bf at the current moment, and past patterns mean any clearnet domain associated with BreachForums should be treated as ephemeral and subject to change or seizure [2] [4].
