























Regardless of how guessable a leaked password may be, it doesn’t just end up on a hacker forum by chance. There’s a five-stage supply chain involved – origin, wholesale, trade, aggregation, and end use.
By analyzing the leaked databases of four cybercrime forums, Comparitech researchers explored the middle three stages in detail to find out how stolen passwords are accessed, traded, and aggregated before being utilized in credential-stuffing campaigns, ransomware attacks, business email compromise, and so on.
To do this, we analyzed over 447,000 leaks, dumps, and breach threads across four forums, containing 1.1 million user records (from 2013 to 2026). The forums were Nulled.cr (2013–2016), BreachForums (2022), the Russian-language ransomware forum RAMP (2021–2024), and the BreachForums revival (2023–2026).
| Stage | What happens here | Visible in our forum data as | Public examples |
|---|---|---|---|
| 1. ORIGIN | Passwords are first compromised through a corporate database breach, an infostealer infection on a consumer endpoint, oran initial-access compromise of a corporate network. | Limited (this stage happens off-forum) | RockYou 2009 (32M plaintext); LinkedIn 2012 (117M); Yahoo 2013–14 (3 billion); modern infostealer infections (Redline, Lumma, Vidar, Stealc, RisePro, AMOS) |
| 2. WHOLESALE | Initial access (SSH, RDP, VNC, Shell) and ransomware-affiliate recruitment. The stage where the supply for the breach economy is brokered. | RAMP (Russian-language): Access sub-forum 328 threads; Partners Program/RaaS sub-forum 59 threads (3 languages). | RAMP, XSS, Exploit (Russian-language); Genesis Market (seized April 2023); Russian Market |
| 3. TRADE | Compromised data is posted, sold, traded, and reposted across hacker forums, both as free downloads and inside paid marketplaces. | Nulled.cr (2014): ~436,479 leak/dump/combo topics. BreachForums (2022): 10,467 dedicated breach threads, 58% free. BreachForums revival (2023–2026): 339,331 new users. | BreachForums; Nulled.cr; LeakBase (Telegram); onion shops (HQER for Euros, Counterfeit USD, etc.) |
| 4. AGGREGATION | Compromised credentials are deduplicated across breaches, combined into combolists, fed into credential-stuffing campaigns, and indexed into public lookups. | Inferred from cross-forum reposting patterns; combo list sub-forums on Nulled (101,423 topics), and BreachForums. | Have I Been Pwned (14B+ records); Collection #1–5 (~2.2 billion unique pairs); SecLists; rockyou.txt |
| 5. END USE | Compromised credentials are used for: credential stuffing against unrelated services, ransomware deployment, business email compromise, and (publicly) the source data behind every annual Password Day report. | Forum view counts (e.g. Pompompurin's 'Collection of Databreach Lists' — 352,386 views in 5 months). | Credential-stuffing platforms; ransomware affiliates; annual reports (NordPass, Specops, Keeper, Hive Systems) |
RAMP, the Russian-language ransomware forum, demonstrates the supply side of the password economy. A leaked database from RAMP highlights how its biggest market sub-forum was not breached data, but initial access. This includes access to corporate networks via SSH, RDP, VNC, and others. In the database were 328 active threads selling pre-authenticated entry into corporate networks.
In other words, RAMP was an access market that fed the breach market.
Three things stand out in the RAMP database:
Hacker forum users post both free and paid data. Across both Nulled.cr (2014) and BreachForums (2022), the dedicated breach sub-forums hosted more free topics than paid ones. The gap between paid vs. free decreased from 2014 to 2022.
| Era | Free leak topics | Paid leak topics | Ratio of free to paid | Info |
|---|---|---|---|---|
| Nulled.cr 2014 | 434,860 | 2,613 | 70:1 | Free significantly dominated paid topics |
| BreachForums 2022 | 6,081 | 4,386 | 1.4:1 | Free still dominated but the paid market grew faster than free in the gap between eras |
Pompompurin, BreachForums’ own administrator, was the fourth-most prolific free-database sharer on that forum in 2022. His ‘Collection of Databreach Lists’ was also the single most-viewed thread on the forum (352,386 views). This highlights how forum operators aren’t landlords, they’re participants. Pompompurin (real name Conor Brian Fitzpatrick) was arrested in March 2023.
Pompompurin’s March 2023 arrest didn’t end BreachForums. It was relaunched under new operators in mid-June 2023. In just 33 months, nearly 340,000 new users have signed up to the forum (an average of 332 per day).
Two further takedowns took place in May 2024 and July 2025, but the data shows that any troughs in registrations recovered within a quarter.
User ID 2 on the successor forum belongs to ShinyHunters, one of the most prolific threat actors at present, with recent breaches including Tokopedia, Wattpad, Mathway, Microsoft GitHub, and 2024 Snowflake.
The most consequential single trend visible in the BreachForums 2022 data is the seven-month, 29-fold growth of the dedicated Stealer Logs sub-forum. Infostealers are a type of malware whose main objective is to steal credentials, cookies, tokens, etc. stored on a device before exfiltrating them to an attacker’s server, including password managers.
From four threads in March 2022 to 116 in October, this rapid growth shows the supply-side curve of the threat that, by 2026, dominates fresh credential compromise. Infostealers have become one of the biggest dark web markets because they facilitate initial compromise and are often used as a precursor to ransomware.
| Month (BreachForums 2022) | Stealer-log threads posted | Bar (each # ≈ 4 threads) |
|---|---|---|
| March 2022 | 4 | # |
| April 2022 | 14 | #### |
| May 2022 | 15 | #### |
| June 2022 | 14 | #### |
| July 2022 | 34 | ######## |
| August 2022 | 55 | ############## |
| September 2022 | 86 | ###################### |
| October 2022 | 116 | ############################## |
| November 2022 | 108 | ########################### |
While data breaches on big tech companies in the West may dominate the headlines, the views on these data breach forums tell a different story. Indonesian and Chinese leaks dominate the top of the list.
| Views | Posted by | Named victim |
|---|---|---|
| 352,386 | pompompurin (BF admin) | Collection of Databreach Lists |
| 338,345 | Bjorka | IndiHome (Indonesia's largest ISP) |
| 168,051 | HolisticKiller | Facebook Database |
| 107,699 | jacka113 | 000webhost Database |
| 93,423 | f4bb6 | SF Express (Chinese logistics giant) |
| 69,752 | f4bb6 | China Weibo — 500M phone numbers |
| 67,998 | jacka113 | Canva Database |
| 63,767 | jacka113 | Tokopedia Database |
| 59,421 | blackhand | SHEIN Database |
| 59,270 | GokhanR00T | Turkish Citizenship Database 2015 |
| 57,623 | AcoBaco | LinkedIn Scraped Data — 400M |
| 46,546 | Riptide | Roblox Database |
Bjorka’s IndiHome leak (Indonesia’s largest ISP) drew TWICE the views of the same forum’s Facebook database thread: 338,345 vs 168,051.
Each of the four forums in our analysis occupies a different slot in the pipeline. The numbers below come straight from the leaked SQL backups, except where noted (Nulled user count is the publicly reported figure from the 2016 leak).
| Info | Nulled.cr | BreachForums | RAMP | BreachForums (revival) |
|---|---|---|---|---|
| Date | 2013–May 2016 | Mar–Nov 2022 | Dec 2021–Feb 2024 | Jun 2023–Feb 2026 |
| Language | English | English | English, Russian, Chinese | English |
| Role in pipeline | Trade (mass) | Trade (mass) | Wholesale | Trade (mass) |
| Forum software | IPB | MyBB | XenForo | MyBB |
| User records | ~536,000 | 212,254 | 7,709 | 339,331 |
| Sub-forums | 167 | 84 | 20 | n/a |
| Total threads | ~3.2M | 42,147 | 1,703 | n/a |
| Leak/dump topics | ~436,479 | 10,467 | 125 | n/a |
| Free vs paid breach split | 70:1 | 58:42 | n/a | n/a |
| Password hash | IPB md5 | MyBB md5 | bcrypt | Argon2i |
| Hashing in 2026 terms | Obsolete | Obsolete | Modern | State of the art |
Data researcher: Mantas Sasnauskas
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。