🔴 BL2C (Paris Police HQ) & Section J3 of the Paris Prosecutor's Office have seized the profile of hacker "HexDex".

Targeted French public services, companies (Darty, Loxam…) & 10+ sports federations.
French-speaking cybercrime is not a lawless space.
#CTI #Cybersecurity

🔴 After HexDex, "Angel_Batista" has also been seized by BL2C (Paris Police HQ) & Section J3 of the Paris Prosecutor's Office.

Two major French-speaking actors down in a single day.

The message is clear.

#CTI #BreachForums #Takedown

CCITIC's team now brings together cybersecurity, military intelligence and law enforcement. A complementarity that enables us to act with rigor, within a strict legal framework, for sustained action against cybercrime.

It's the weekend, and where's PwnForums? 👀
It looks like they're having a bit of a rough time at the moment
pwnforums[.]st

The big clean-up has begun.

BreachForums was merely the tip of the iceberg.

From now on, we go silent. But some threat actors will soon be held accountable.

🔇 No noise. Results.
⏳ The countdown has started.

— CCITIC

🔐 First #FIC2026 for CCITIC and it was exceptional! 🔥

Enriching connections, massive projects with our partners to hit cybercrime hard. 💪

Huge thanks to our earliest supporters for the invitation.
This is only the beginning. ⚡

#CyberSecurity #OSINT #InfoSec #CyberCrime

The truth of BF

Yes, we submitted an abuse report.

No, the hosting provider did not shut down the breachforums[.]ac server. It was simply the server that had been shut down.

We received the confirmation we needed.

#CCITIC

We deliberately posted we took down breached.st. That was false. It was a test.
Result:
🔹 LAPSUS$ DMs us asking about our investigation
🔹 Threats via email
🔹 Telegram post trying to discredit us
They took the bait.
They're watching. They're panicking.
Thanks for the attention. 🖤

🔥 When panic switches sides…
In 1 month, CCITIC has:
➡️ Taken down BreachForums backend
➡️ Taken down DarkForums
➡️ 3 LAPSUS$ takedowns in 9 days
➡️ Reported their X account
Abuse reports verified by independent parties.
🧵👇

💀 DarkForums: down.

After 3 LAPSUS$ takedowns in 9 days & BreachForums' 3 backend servers this weekend…

🔴 Tonight, CCITIC takes down darkforums[.]st
Error 522 — host server is gone.

💀 LAPSUS$ ✅
💀 BreachForums ✅
💀 DarkForums ✅

3 platforms. 1 month. Zero tolerance.

Who's next? 👀

5/5
🚀 CCITIC will continue to identify, document, and report criminal infrastructure.

4/5
🛡️ This illustrates what operational CTI can achieve when combined with structured abuse reporting to hosting providers, in support of ongoing investigations at the European level.

3/5
💡 Frontend still up, backend gone. That's the classic signature of an infrastructure takedown, not a hack or planned maintenance.
Three identical reports had to be filed — DigitalOcean requires one per IP address.

2/5
🎯 On March 12, CCITIC filed an abuse report with DigitalOcean's SOC targeting breachforums[.]as infrastructure. They reviewed it and actioned the account.
The "upstream server error" everyone saw? The reverse proxy lost its origin server — because the host pulled it offline.

1/5
🔍 BreachForums: not a hack, not maintenance — a takedown.
Two narratives circulated: LAPSUS$ claimed a hack, BF admin said routine maintenance.
The reality is far more straightforward. 🧵

On va pas se voiler la face.

Nous avons identifié plusieurs des acteurs s'attaquant à la France et officiant sur BreachForums.

S'attaquer à la santé ou à ceux en charge de notre sécurité ça ne passe simplement pas et ils finiront devant la justice.

Coming Soon !

#CCITIC

🔴 Third takedown. Nine days. Same group.
Lapsus$ opened lapsus[.]bz & lapsus[.]by yesterday—both offline this morning.

They are rebuilding. They are being shut down by the CTI community.

Thank you to everyone who contributes to our support.
👉 www.ccitic.org (SUPPORT)

Lapsus$ has reopened a site (no, it hasn't been disclosed yet) but we already have the URL.
Two domains
#Lapsus$ #CCITIC

🔴 lapsus.sh is offline.

CCITIC reported the Lapsus$ malicious infrastructure to

Interserver — server successfully taken down.

Thanks Interserver for the quick response. 🤝

Detect. Report. Dismantle.

#ThreatIntelligence #Lapsus #CyberSecurity #CCITIC #OSINT

#lapsus #cybersecurity #threatintelligence #ccitic #infosec #interserver #takeitdown #cybercrime #accountability #osint #cti #hostingabuse #tangodown | CCITIC It's official! 🚨 We have just revealed the infrastructure of LAPSUS$. The host has still not removed it. CCITIC has officially identified and reported the server hosting lapsus(.)sh, the active plat...

Official statement from CCITIC on the Lapsus$ case
www.linkedin.com/posts/ccitic...

#CCITIC #Hacker #Cybersecurity #Blackhat #Cybercrime #Infosec

CCITIC
‪@ccitic.bsky.social‬
The news IP of darkforums(.)hn is 185(.)196(.)11(.)58 (proxy)
hosted by globaldata again !
The ip redirect to darkforums(.)hn

#CCITIC #Hacker #Cybersecurity #Blackhat #Cybercrime #Infosec

#CCITIC exclusive => Information to be verified, but the #Everest ransomware group could potentially be behind or linked to the cyberattack on the Muse software developed by #CollinsAerospace, which paralysed several major airports last month!

#Infosec #Cybersecurity #Cyberattack

#Cybersecurity #Cyberattack #Everest #Hacking #Ransomware #TOR #Offline #ServerOffline #Takedown #Leaks #CollinAerospace #Aviation #Airport #CyberNews #InfoSec #CCITIC #Hacked #Cybercrime #Infosec

Sources:
www.cyberdaily.au/security/127...

Update to our report on Datacarry ransomware
#CCITIC
#Ransomware #Hacker #Cybersecurity #Threat #Datacarry #Blacksuit #Akira

📢 Just out:
our new #CTI report on the
#Datacarry #Ransomware group

✏Summary
📆 11 orgs hit (Jun '24 – Jun '25)
🛠️ CVE-2023-48788 (Fortinet EMS)
🕸️ Chisel over WebSocket, solid infra & tooling

💻Full technical breakdown
ccitic.org/assets/repor...

📄by Kévin Wiart, Hyuna Lee and Rakesh Krishnan