BreachForums Shut Down After CCITIC Abuse Reports, Admin Seeks New Leadership BreachForums, a prominent underground marketplace for malware and stolen data, was taken offline over the weekend following targeted action by the Cyber Counter-Intelligence Threat Investigation Consortium (CCITIC). The nonprofit organization, which supports law enforcement in cybercrime takedowns, identified the forum’s upstream servers hosted on DigitalOcean’s Frankfurt datacenter (ASN 14061) and filed abuse reports that led to their shutdown. Both the clearnet and Tor versions of the site displayed a 502 Bad Gateway error. The forum’s admin later announced plans to step down, posting a message seeking a successor to take over leadership. While BreachForums has previously been seized by law enforcement first in June 2023 and again in May 2024 it has repeatedly resurfaced under new management. However, CCITIC suggests this shutdown may be permanent, citing a January 2026 data breach that exposed the forum’s user database of approximately 324,000 accounts. The incident has reportedly eroded trust among threat actors, fracturing the underground ecosystem. The takedown highlights how persistent investigative efforts, including OSINT (open-source intelligence) and coordinated abuse reports, can disrupt cybercriminal operations without direct law enforcement intervention. BreachForums’ future remains uncertain as its community grapples with the fallout.

Moltbot Framework Exposes 1,400+ Instances via mDNS Misconfigurations Security researchers have uncovered a widespread exposure of 1,487 Moltbot instances globally, leaking sensitive operational metadata and messaging platform credentials through misconfigured multicast DNS (mDNS) broadcasts. The open-source framework, designed for autonomous agent orchestration, inadvertently disclosed system-level details including hostnames, filesystem paths, service ports, and identity artifacts to any device on the same network segment. ### Key Findings - Exposed Data: Full machine hostnames, Clawdbot Control panel ports (18789), SSH ports, internal IPs, and messaging platform credentials (Signal, Telegram, WhatsApp) containing registration secrets and identity keys. - Geographic Spread: Instances were found across 53 countries, with the highest concentration in the U.S. Major hosting providers included DigitalOcean, AWS, and OVH. - Accessible Control Panels: 88 instances had publicly exposed web interfaces, with 66 leaking both mDNS and web access simultaneously. - Credential Leakage: Open directory listings revealed operational logs, cryptographic material, and runtime caches, enabling full agent impersonation without exploiting vulnerabilities. - Network Reconnaissance: mDNS broadcasts, intended for local service discovery, acted as pre-authentication metadata leaks, exposing systems in workplace Wi-Fi, co-working spaces, and university networks. ### Deployment Failures & Attack Surface The exposure stems from poor deployment hygiene rather than software flaws. Many instances self-announced internal structures via mDNS, providing attackers with reconnaissance data without active probing. A dedicated honeypot with 25 open ports suggested early attacker interest, while 635 accessible web control interfaces further expanded the attack surface. The combination of service advertisements, open directories, and credential leaks creates pre-authentication compromise risks, allowing adversaries to bypass authentication, hijack agent identities, or conduct phishing and lateral movement attacks. The findings highlight systemic misconfigurations in Moltbot deployments, where operators often overlook mDNS implications and basic access controls.

Web hosting provider Digital Ocean experienced a security lapse that exposed some of customer details. An internal Digital Ocean document was mistakenly left accessible online. Digital Ocean says the document contained several types of user account details. This included personally identifiable information such as customer email addresses and their respective Digital Ocean usernames, but also account technical details such as the number of droplets (servers) owned by the customer, the user's bandwidth usage, support or sales communications notes, and the amount of money the customer paid during the calendar year 2018. Digital Ocean said that the internal document was accessed at least 15 times while it was left available online. Digital Ocean said the file contained details for less than 1% of the company's total customer base.