The 2026 ‘Forum Wars’: Deconstructing the BreachForums Drama

What happens when a threat actor deliberately adopts the identity of a former, fellow, or even rival threat actor in order to benefit from their notoriety?

That’s essentially what’s happening with BreachForums right now.

In this blog, we bring you up to date on the 2026 ‘Forum Wars’ playing out across the cybercriminal community, charting the conflict between the three key antagonists in this story:

• Original BreachForums and its staff (particularly Indra and N/A).
• HasanBroker and his forum NotBreachForums.
• “LAPSUS$”.

BreachForums: a brief history

Launched in 2022 following the seizure of its predecessor RaidForums, BreachForums is the de facto town square of data breach sales, sharing, and discussion in the cybercriminal underground. So strong is the forum’s brand that it has survived multiple law enforcement takedowns, arrests of site administrators, and, ironically, breaches of its own user database. Despite prolonged periods of instability, the ever-evolving iterations of BreachForums consistently outperform other cybercrime forums in terms of activity and userbase, presumably owing in part to brand recognition. Innumerable fakes and imitators have sprung up over the years, typically disappearing in a matter of days; that is, until a threat actor named HasanBroker decided to have a go.

HasanBroker and “NotBreachForums”

HasanBroker has been an active persona in cybercrime circles since at least late 2024. Claiming to have a close working relationship with IntelBroker (real name Kai West, former BreachForums administrator arrested in February 2025), Hasan began efforts to create his own BreachForums in April 2025:

This did not go down well with those in charge of the existing BreachForums, who began the age-old ritual of internet mud-slinging:

To which HasanBroker responded:

Things rumbled on quietly over the following months, with the original BreachForums shutting down and re-emerging a few more times, and Hasan working away at his version (which we’re calling “NotBreachForums”) until it launched in January 2026:

At this point, the userbase of the original BreachForums still dwarfed that of NotBreachForums. When the original BreachForums acknowledged his efforts in an offhand comment regarding “clones”, Hasan began a campaign to cement his site’s claim as the “true” BreachForums once and for all:

Enter “LAPSUS$”

HasanBroker’s Operation Victoria was temporarily successful in suspending the original BreachForums clearweb domain, though it quickly registered a new one. It was clear that to have a more lasting impact, he would need some help. Enter another legacy brand: LAPSUS$:

Yep! Just when you thought it couldn’t get any more confusing, a threat actor posing as a group whose 16 year old leader was arrested in 2022 decides to join the fray. This is not the first time the LAPSUS$ name has been appropriated, with the Scattered Lapsus$ Hunters craze of 2025 still fresh in everyone’s minds. Where’s the originality guys?

Anyway, Hasan and “LAPSUS$” seemingly pooled their resources to launch another attack on the original BreachForums, significantly more devastating than those prior; the forum stayed offline for days, staff members turned on each other, and accusations of scamming abounded:

The tide begins to turn

Most notably, Hasan claimed to have stolen the original BreachForums database, and imported an additional 300,000 users to NotBreachForums. This is where the tide may turn; coupled with BreachForums’ current instability, this rapid growth in userbase could serve to legitimize NotBreachForums in the eyes of the cybercrime community.

While the original BreachForums still exists, there’s currently two competing versions, one of which has the backing of an actor claiming to be ShinyHunters (not another one…). The other is being offered for sale on its front page (screenshot below), also allegedly controlled by “ShinyHunters”! All in all, it’s not looking good for them…

Why this matters

These kinds of spats and infighting within the cybercriminal ecosystem are not the first we’ve seen and won’t be the last. It’s typical of the complex nature of the dark web and forums run by nefarious individuals. At the same time however, these dark web forums, while unstable and deliberately hard to track, are a vital source of threat intelligence for governments and organizations. Threat actors rebranding to evade repercussions, and some now assuming well-known identities for clout all serve to muddy the waters and make it harder and harder for organizations to identify and extract actionable intelligence for cybersecurity purposes.

That’s why at Searchlight Cyber, our threat intelligence team keeps a close track on the lineage of all the actors posing a real threat to organizations, only merging collections when appropriate. We do all the investigation and analysis so you don’t have to, keeping you informed of what really matters: the direct threat posed to your organization by these cybercriminals.