ShinyHunters leak for sale

A cybercrime forum that helped sell other people’s stolen data is now reportedly dealing with its own leak, with a seller tied to the ShinyHunters name advertising about 97,000 lines of forum data for $20,000. The post cited usernames, passwords, internet address logs, and transaction histories, which is the kind of package buyers use to identify, impersonate, or extort other criminals. (x.com) DarkForums matters because it became one of the replacement markets after BreachForums kept getting seized, shut down, or thrown into chaos. Threat intelligence firm KELA said DarkForums activity jumped 600% between April 1 and June 30, 2025, as it absorbed users looking for a new place to trade leaks, malware, and hacking tools. (kelacyber.com) That migration happened after a long chain of forum collapses. Sophos said RaidForums was seized in 2022, BreachForums was launched in March 2022 as its successor, and ShinyHunters later became one of the key personas involved in running and using that ecosystem. (sophos.com) By June 25, 2025, French authorities had arrested four people linked to the ShinyHunters group and BreachForums activity, according to Sophos. That pressure did not end the market for stolen data, and newer forums kept filling the gap. (sophos.com) DarkForums was already showing cracks before this sale listing appeared. In July 2025, Cybernews reported that an attacker claimed to have exploited a server-side request forgery flaw, which is a bug that tricks a website’s own server into making requests it should not make, and researchers said the claim might be legitimate. (cybernews.com) Cybernews said the attacker’s proof suggested they could gather the internet protocol addresses of people who viewed posts on DarkForums. An internet protocol address is the routing label attached to a device’s connection, and leaking it can chip away at the anonymity that forum users rely on. (cybernews.com) That helps explain why a dump with passwords, address logs, and transaction records is different from a simple username list. A buyer can connect forum handles to login secrets, payment behavior, and connection history, which turns a pseudonymous account into something closer to a real-world profile. (cybernews.com) The price tag also fits how this market works. Breachsense said combo lists and credential packs are built from a constant stream of breaches and infostealer infections, and it estimated that 2.67 million devices were hit by infostealers in the first half of 2025 alone, exposing more than 204 million credentials. (breachsense.com) DarkForums grew because criminals still needed a storefront after BreachForums lost ground, but that same concentration made it a target. KELA described DarkForums as a major hub run by administrators known as AnonOne and Knox, which meant one successful intrusion could expose a large slice of a very sensitive user base. (kelacyber.com) The pattern keeps repeating: one forum becomes the center of gravity, law enforcement or rivals hit it, users scatter, and the next forum promises better security until it leaks too. This latest listing is a reminder that even people trading in stolen data can end up as the product. (sophos.com)