BreachForums Administrators Arrested - French Police Dismantled Cybercrime's Underground Empire

Global cybercrime marketplace suffers devastating blow as French authorities capture the masterminds behind the world's largest stolen data trading platform

French cybercrime investigators have delivered a crushing blow to the global cybercriminal underground by arresting five key administrators of BreachForums, including the infamous hacker known as IntelBroker. The coordinated arrests on June 23, 2025, represent one of the most significant law enforcement victories against organized cybercrime in recent years.

The Paris police cybercrime brigade (BL2C) executed simultaneous raids across French territories, from Hauts-de-Seine near Paris to the remote island of Réunion in the Indian Ocean. The operation captured four suspects in their twenties using the aliases ShinyHunters, Hollow, Noct, and Depressed, following the earlier February arrest of IntelBroker.

IntelBroker emerged as one of 2024's most prolific cybercriminals, orchestrating high-profile breaches against tech giants including Cisco, Apple, AMD, and Europol. The threat actor's October 2024 Cisco breach alone exposed sensitive GitHub projects, source code, and hardcoded credentials from the networking giant's internal systems.

"The identification of the suspects was made possible thanks to police and judicial cooperation with our foreign partners, particularly the United States," stated Paris prosecutor Laure Beccuau, highlighting the international scope of the investigation that brought down this criminal network.

Understanding BreachForums: The Cybercrime Supermarket

BreachForums operated as the world's most notorious marketplace for stolen data, functioning as a "cybercrime-as-a-service" platform where criminals traded everything from personal information to corporate secrets. 

Think of it as Amazon for cybercriminals - a centralized hub where threat actors could buy databases containing millions of records, access credentials, and hacking tools.

The marketplace structure made cybercrime tools and resources easy to procure, giving attackers a simple way to carry out their illegal pursuits. Launched in 2022 as the successor to RaidForums, BreachForums established itself as the primary venue for data trading in the criminal ecosystem.

The French Connection and Global Impact

The arrested administrators allegedly orchestrated attacks against major French organizations, including the Ministry of National Education, French Football Federation (FFF), telecommunications provider SFR, retail giant Boulanger, hospitality conglomerate Accor, and employment agency France Travail. However, their criminal activities extended far beyond French borders.

IntelBroker's 2024 campaign included breaching Apple to steal internal tool source code, compromising AMD for employee and product information, and infiltrating Europol's systems. The scope and audacity of these attacks demonstrate how modern cybercriminal groups operate with the sophistication and resources of nation-state actors.

IntelBroker's success stemmed from exploiting third-party contractors and supply chain vulnerabilities - a technique that has become the hallmark of advanced persistent threat groups. By targeting the weakest links in corporate ecosystems, the group could gain access to high-value targets that might otherwise be impenetrable.

The rise, fall, and subsequent rebirth of BreachForums underscores the difficulty of battling cybercrime, with the site returning to owner control just hours after the FBI seizure in May 2024. This cat-and-mouse dynamic has frustrated law enforcement agencies worldwide, as criminal forums adapt faster than traditional takedown methods.

The French arrests represent a shift toward targeting the human infrastructure behind these platforms rather than just their technical components. By focusing on administrators and key personnel, authorities aim to disrupt the social networks that make these criminal enterprises possible.

Protecting Against the BreachForums Threat

Organizations can defend against threats like those orchestrated by IntelBroker and BreachForums administrators through several critical measures. Implementing zero-trust architecture ensures that even compromised credentials cannot provide unlimited system access. Regular security audits of third-party contractors help close the supply chain vulnerabilities that these groups frequently exploit.

Employee security awareness training is crucial, as many breaches begin with social engineering attacks that target human weaknesses rather than technical flaws. Companies should also monitor dark web marketplaces like BreachForums for their own data, enabling rapid response when breaches occur.

The investigation continues under French judicial oversight, with seized computer equipment likely to advance numerous ongoing cybercrime investigations worldwide. This collaborative international approach may serve as a template for future operations against global cybercriminal networks.