A newly launched dark web forum, PwnForums, has published the full user database of rival forum DarkForums, exposing approximately 427,000 records that tie usernames to real IP addresses, hostnames, and posting activity. The dump, released on April 15 by a PwnForums administrator using the handle "john," includes roughly 44,300 unique users and 78,000 unique IP addresses, many of which resolve directly to residential ISPs and known VPS providers. Security researchers describe the disclosure as one of the most significant attribution windfalls handed to law enforcement in recent memory.
What Happened
PwnForums, reportedly founded by former moderators and senior members of the Indra-era BreachForums, positioned itself as a successor community to the dismantled BreachForums ecosystem. Within weeks of going live on its clearnet domain (pwnforums[.]st) and its onion service (pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd[.]onion), the forum's administrator "john" published a thread titled "DarkForums · 420k rows · Posts/Users/IPs."
In the post, john claimed the team exploited a MyBB vulnerability to extract the DarkForums user dataset, openly mocking DarkForums operator "Knox" and accusing the rival forum of disabling its onion service, blacklisting Tor exit nodes, and logging IP addresses tied to every post made on the platform. The leak therefore represents not a single point-in-time login record but a longitudinal map of which threat actors posted from which IP addresses across the lifetime of the forum.
What Was Taken
The dataset published by PwnForums contains the following, per the original disclosure:
- Approximately 427,000 records spanning post IDs 0 to 442,200, each linking a post ID to a username, IP address, and hostname.
- Roughly 44,300 unique users with exposed IP addresses.
- Approximately 78,000 unique IP addresses.
- Around 19,300 connections established through Tor exit nodes.
- Approximately 15,200 connections originating from VPN or hosting provider ranges.
- Roughly 97,400 records resolving to residential ISP hostnames, indicating real home broadband connections.
- About 168,400 records with no reverse DNS, IP only.
- Approximately 122,700 error records, including 67,000 deleted posts, 43,000 timeouts, and 7,500 access-denied events.
Sample data reviewed by the original reporter is said to include accounts active in malware distribution and ransomware coordination threads.
Why It Matters
DarkForums had marketed itself on operational security and user privacy. The leak strips that veneer entirely. For the roughly 97,400 records tied to residential hostnames, the dataset effectively constitutes a directory of real-world identifiers for the forum's most operationally careless users. Even Tor and VPN users are not insulated: a single operational mistake over a posting career, such as one login from a residential IP, a misconfigured client, or session reuse, is now permanently visible alongside the handle.
For law enforcement and intelligence agencies, the dataset accelerates attribution work that would otherwise require months of subpoenas, undercover engagement, or technical exploitation. For threat intelligence teams, the leak offers a rare cross-reference between known criminal aliases and the infrastructure (VPS providers, hosting ranges, residential ISPs) those actors rely on. The strategic implication is broader still: trust within the post-BreachForums ecosystem is collapsing as competing successor forums weaponize each other's user data as a market tactic.
The Attack Technique
According to john's own statement, the intrusion leveraged a vulnerability in MyBB, the open-source forum software DarkForums was running. The exact CVE has not been disclosed, and it is unclear whether the issue was a known unpatched flaw or a zero-day developed or purchased by the PwnForums operators. The attackers were able to read directly from the backend database, including columns that DarkForums administrators had quietly populated with per-post IP logging, a practice that was not advertised to the forum's user base.
The depth of the extraction, covering post IDs from the earliest activity through April 2026, suggests either full database access or sustained read-level persistence over an extended window. Beyond the MyBB vector named by the attackers, there is no public indication yet of how DarkForums was initially compromised.
What Organizations Should Do
- Threat intelligence teams should ingest the leaked dataset through legal channels and cross-reference exposed IPs and hostnames against known malicious infrastructure, ransomware affiliate aliases, and prior incident telemetry to enrich attribution.
- SOC and incident response teams should treat any internal hits on residential or VPS IPs appearing in the leak as high-priority pivots when investigating malware, initial access broker activity, or ransomware preludes.
- Hosting providers and ISPs identified in the dataset should anticipate law enforcement requests and preserve relevant subscriber and connection logs in line with their legal obligations.
- Defenders running MyBB or other community forum software should audit installations immediately, apply the latest patches, restrict administrative access, and monitor for unauthorized database reads.
- Organizations operating any user-facing platform should review their own logging practices to ensure that telemetry collected for abuse prevention is protected with the same rigor as customer credentials, since attacker-controlled forums are now a proven exfiltration target.
- Insider risk and trust-and-safety teams should monitor whether employees, contractors, or vendor staff appear in the leaked username or IP set, particularly for roles with privileged access.
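The record layout described under What Was Taken and the cross-referencing advice in the list above, as an added example that is not from the original report or from either forum: it buckets records into the disclosure's categories (Tor exit, VPN/hosting, residential, no reverse DNS, error) and matches them against internal firewall log lines, ranking residential and hosting hits first as the SOC guidance suggests. Every address, handle and hostname is constructed, and the hostname regexes are illustrative assumptions, not a definitive classifier.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample in the leak's record layout: post_id,username,ip,hostname.
# IPs are RFC 5737 documentation addresses; handles and hostnames are invented.
LEAK_CSV = """\
1001,acidburn,203.0.113.7,cpe-203-0-113-7.res.example-isp.net
1002,acidburn,198.51.100.23,tor-exit-23.example-relay.org
1003,crashoverride,192.0.2.44,vps-44.example-hosting.cloud
1004,zerocool,192.0.2.45,
1005,zerocool,,ERROR:deleted
"""

# Constructed internal telemetry (firewall syslog) to cross-reference against.
FW_LOG = """\
Apr 16 02:11:07 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=443
Apr 16 02:12:41 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.45 DST=10.0.0.5 DPT=22
Apr 16 02:13:09 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.200 DST=10.0.0.9 DPT=443
"""

# Assumed hostname heuristics mirroring the categories in the disclosure.
TOR_RE = re.compile(r"tor-?exit|exit-?node|torservers", re.I)
HOSTING_RE = re.compile(r"vps|hosting|cloud|datacenter|dedi|vpn", re.I)
RESIDENTIAL_RE = re.compile(r"cpe|dsl|cable|dyn|pool|broadband|\.res\.", re.I)
PRIORITY = {"residential": 3, "vpn_hosting": 2, "no_rdns": 1, "tor": 0, "unknown": 0}

def classify(ip, hostname):
    """Bucket one record the way the leak summary does (error rows carry no usable IP)."""
    if hostname.startswith("ERROR:") or not ip:
        return "error"
    ipaddress.ip_address(ip)  # reject malformed input instead of silently matching
    if not hostname:
        return "no_rdns"
    if TOR_RE.search(hostname):
        return "tor"
    if HOSTING_RE.search(hostname):
        return "vpn_hosting"
    if RESIDENTIAL_RE.search(hostname):
        return "residential"
    return "unknown"

def load_leak(csv_text):
    """Map ip -> set of (username, category); one IP shared by several handles keeps all of them."""
    index = defaultdict(set)
    for line in csv_text.splitlines():
        _post_id, user, ip, host = line.split(",", 3)
        cat = classify(ip, host)
        if cat != "error":
            index[ip].add((user, cat))
    return index

def cross_reference(index, log_text):
    """Return (ip, user, category) hits, residential and hosting matches first."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"SRC=(\S+)", line)
        if m and m.group(1) in index:
            for user, cat in index[m.group(1)]:
                hits.append((PRIORITY.get(cat, 0), m.group(1), user, cat))
    return [h[1:] for h in sorted(hits, key=lambda h: -h[0])]
```

Swap `LEAK_CSV` and `FW_LOG` for the real dataset (obtained through legal channels) and your own log export; the SRC= regex assumes iptables-style syslog and needs adjusting for other log formats.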