Regardless of how guessable a leaked password may be, it doesn’t just end up on a hacker forum by chance. There’s a five-stage supply chain involved – origin, wholesale, trade, aggregation, and end use.
By analyzing the leaked databases of four cybercrime forums, Comparitech researchers explored the middle three stages in detail to find out how stolen passwords are accessed, traded, and aggregated before being utilized in credential-stuffing campaigns, ransomware attacks, business email compromise, and so on.
To do this, we analyzed over 447,000 leaks, dumps, and breach threads across four forums, containing 1.1 million user records (from 2013 to 2026). The forums were Nulled.cr (2013–2016), BreachForums (2022), the Russian-language ransomware forum RAMP (2021–2024), and the BreachForums revival (2023–2026).
Key findings:
- Free data was posted on forums more often than paid data
- Forum administrators aren’t just ‘landlords’, they’re often top-volume suppliers. For example, in 2022, BreachForums’ administrator Pompompurin posted the most-viewed breach thread of the year (352,386 views)
- Indonesian and Chinese breaches attracted more views in 2022 than Western big-tech breaches. Bjorka’s IndiHome leak got 338,345 views vs. Facebook’s 168,051
- Takedowns of these forums might cause short-term delays but they usually don’t last. Registrations on replacement forums tend to recover within a quarter. For example, BreachForums’ successor signed up nearly 340,000 new users in 33 months
The five-stage supply chain for leaked credentials
| Stage | What happens here | Visible in our forum data as | Public examples |
|---|---|---|---|
| 1. ORIGIN | Passwords are first compromised through a corporate database breach, an infostealer infection on a consumer endpoint, or an initial-access compromise of a corporate network. | Limited (this stage happens off-forum) | RockYou 2009 (32M plaintext); LinkedIn 2012 (117M); Yahoo 2013–14 (3 billion); modern infostealer infections (Redline, Lumma, Vidar, Stealc, RisePro, AMOS) |
| 2. WHOLESALE | Initial access (SSH, RDP, VNC, Shell) and ransomware-affiliate recruitment. The stage where the supply for the breach economy is brokered. | RAMP (Russian-language): Access sub-forum 328 threads; Partners Program/RaaS sub-forum 59 threads (3 languages). | RAMP, XSS, Exploit (Russian-language); Genesis Market (seized April 2023); Russian Market |
| 3. TRADE | Compromised data is posted, sold, traded, and reposted across hacker forums, both as free downloads and inside paid marketplaces. | Nulled.cr (2014): ~436,479 leak/dump/combo topics. BreachForums (2022): 10,467 dedicated breach threads, 58% free. BreachForums revival (2023–2026): 339,331 new users. | BreachForums; Nulled.cr; LeakBase (Telegram); onion shops (HQER for Euros, Counterfeit USD, etc.) |
| 4. AGGREGATION | Compromised credentials are deduplicated across breaches, combined into combolists, fed into credential-stuffing campaigns, and indexed into public lookups. | Inferred from cross-forum reposting patterns; combo list sub-forums on Nulled (101,423 topics), and BreachForums. | Have I Been Pwned (14B+ records); Collection #1–5 (~2.2 billion unique pairs); SecLists; rockyou.txt |
| 5. END USE | Compromised credentials are used for: credential stuffing against unrelated services, ransomware deployment, business email compromise, and (publicly) the source data behind every annual Password Day report. | Forum view counts (e.g. Pompompurin's 'Collection of Databreach Lists' — 352,386 views in 5 months). | Credential-stuffing platforms; ransomware affiliates; annual reports (NordPass, Specops, Keeper, Hive Systems) |
Stage 2 (Wholesale): Where the access is brokered
RAMP, the Russian-language ransomware forum, demonstrates the supply side of the password economy. A leaked database from RAMP highlights how its biggest market sub-forum was not breached data, but initial access. This includes access to corporate networks via SSH, RDP, VNC, and others. In the database were 328 active threads selling pre-authenticated entry into corporate networks.
In other words, RAMP was an access market that fed the breach market.
Three things stand out in the RAMP database:
- Languages: every sub-forum title is rendered in Latin English, Cyrillic Russian, and Han Chinese.
- The dedicated Partners Program/RaaS sub-forum: 59 active threads were recruiting ransomware affiliates publicly, with a built-in escrow service (the 担保人/Escrow/Гарант navigation node) and an Abuse/Rippers section for blacklisting scammers.
- Password storage: bcrypt ($2y$10) password hashing is used for its users’ accounts, which is two cryptographic generations ahead of the MyBB md5 used by BreachForums in 2022 but a step behind the Argon2i deployed by the BreachForums revival in 2026.
Stage 3 (Trade): Free distribution dominates
Hacker forum users post both free and paid data. Across both Nulled.cr (2014) and BreachForums (2022), the dedicated breach sub-forums hosted more free topics than paid ones. The gap between free and paid narrowed from 2014 to 2022.
| Era | Free leak topics | Paid leak topics | Ratio of free to paid | Info |
|---|---|---|---|---|
| Nulled.cr 2014 | 434,860 | 2,613 | 70:1 | Free significantly dominated paid topics |
| BreachForums 2022 | 6,081 | 4,386 | 1.4:1 | Free still dominated but the paid market grew faster than free in the gap between eras |
Pompompurin, BreachForums’ own administrator, was the fourth-most prolific free-database sharer on that forum in 2022. His ‘Collection of Databreach Lists’ was also the single most-viewed thread on the forum (352,386 views). This highlights how forum operators aren’t landlords, they’re participants. Pompompurin (real name Conor Brian Fitzpatrick) was arrested in March 2023.
Stage 3 (2026): BreachForums’ successor and the progression of cryptography
Pompompurin’s March 2023 arrest didn’t end BreachForums. It was relaunched under new operators in mid-June 2023. In just 33 months, nearly 340,000 new users have signed up to the forum (an average of 332 per day).
Two further takedowns took place in May 2024 and July 2025, but the data shows that any troughs in registrations recovered within a quarter.
User ID 2 on the successor forum belongs to ShinyHunters, one of the most prolific threat actors at present, with recent breaches including Tokopedia, Wattpad, Mathway, Microsoft GitHub, and 2024 Snowflake.
From Stage 1 to Stage 3: the visible birth of the stealer-log economy
The most consequential single trend visible in the BreachForums 2022 data is the seven-month, 29-fold growth of the dedicated Stealer Logs sub-forum. Infostealers are a type of malware whose main objective is to steal credentials, cookies, tokens, etc. stored on a device, including those held in password managers, before exfiltrating them to an attacker’s server.
From four threads in March 2022 to 116 in October, this rapid growth shows the supply-side curve of the threat that, by 2026, dominates fresh credential compromise. Infostealers have become one of the biggest dark web markets because they facilitate initial compromise and are often used as a precursor to ransomware.
| Month (BreachForums 2022) | Stealer-log threads posted | Bar (each # ≈ 4 threads) |
|---|---|---|
| March 2022 | 4 | # |
| April 2022 | 14 | #### |
| May 2022 | 15 | #### |
| June 2022 | 14 | #### |
| July 2022 | 34 | ######## |
| August 2022 | 55 | ############## |
| September 2022 | 86 | ###################### |
| October 2022 | 116 | ############################## |
| November 2022 | 108 | ########################### |
Top 12 most-viewed breach threads (BreachForums 2022)
While data breaches on big tech companies in the West may dominate the headlines, the views on these data breach forums tell a different story. Indonesian and Chinese leaks dominate the top of the list.
| Views | Posted by | Named victim |
|---|---|---|
| 352,386 | pompompurin (BF admin) | Collection of Databreach Lists |
| 338,345 | Bjorka | IndiHome (Indonesia's largest ISP) |
| 168,051 | HolisticKiller | Facebook Database |
| 107,699 | jacka113 | 000webhost Database |
| 93,423 | f4bb6 | SF Express (Chinese logistics giant) |
| 69,752 | f4bb6 | China Weibo — 500M phone numbers |
| 67,998 | jacka113 | Canva Database |
| 63,767 | jacka113 | Tokopedia Database |
| 59,421 | blackhand | SHEIN Database |
| 59,270 | GokhanR00T | Turkish Citizenship Database 2015 |
| 57,623 | AcoBaco | LinkedIn Scraped Data — 400M |
| 46,546 | Riptide | Roblox Database |
Bjorka’s IndiHome leak (Indonesia’s largest ISP) drew twice the views of the same forum’s Facebook database thread: 338,345 vs 168,051.
The four forums, side by side
Each of the four forums in our analysis occupies a different slot in the pipeline. The numbers below come straight from the leaked SQL backups, except where noted (Nulled user count is the publicly reported figure from the 2016 leak).
| Info | Nulled.cr | BreachForums | RAMP | BreachForums (revival) |
|---|---|---|---|---|
| Date | 2013–May 2016 | Mar–Nov 2022 | Dec 2021–Feb 2024 | Jun 2023–Feb 2026 |
| Language | English | English | English, Russian, Chinese | English |
| Role in pipeline | Trade (mass) | Trade (mass) | Wholesale | Trade (mass) |
| Forum software | IPB | MyBB | XenForo | MyBB |
| User records | ~536,000 | 212,254 | 7,709 | 339,331 |
| Sub-forums | 167 | 84 | 20 | n/a |
| Total threads | ~3.2M | 42,147 | 1,703 | n/a |
| Leak/dump topics | ~436,479 | 10,467 | 125 | n/a |
| Free vs paid breach split | 70:1 | 58:42 | n/a | n/a |
| Password hash | IPB md5 | MyBB md5 | bcrypt | Argon2i |
| Hashing in 2026 terms | Obsolete | Obsolete | Modern | State of the art |
Sources
- Nulled.cr 2013–May 2016 (full database, MariaDB / IPB schema), released after the May 2016 hack of Nulled.IO. ~10 GB. Parsing recovered 167 sub-forum records (~436,479 dedicated leak/dump/combo topics) and approximately 536,000 user records (publicly reported figure). Hash format: IPB md5 (32-char hash + 5-char salt).
- BreachForums full database, generated 29 November 2022 (MyBB schema). 2.2 GB. Parsing recovered 84 sub-forum records, 42,147 thread records, and the full mybb_users table (212,254 user records). Hash format: MyBB md5(md5(salt) + md5(password)).
- RAMP (XenForo schema), data window December 2021 – February 2024. ~235 MB. Parsing recovered 20 sub-forum records (1,703 threads, 7,439 posts), the xf_user table (7,709 user records), and the xf_user_authenticate table. Hash format: bcrypt $2y$10 (XenForo XF:Core12 scheme).
- BreachForums users-roster export, March 2026 (671 MB). 339,331 user records with registration timestamps. Hash extraction confirmed 99.2% of records use Argon2i ($v=19$m=65536,t=4,p=1).
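The hash formats listed above can be told apart by string shape alone, which is how an operator auditing their own user table would find records still on a legacy scheme. The following is an added example, not code from the forums or from this analysis; the function names and the sample rows are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import Counter

BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$[./A-Za-z0-9]{53}$")
ARGON2_RE = re.compile(
    r"^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)"
    r"\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"
)
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

def mybb_md5(password: str, salt: str) -> str:
    """MyBB construction as written on the page: md5(md5(salt) + md5(password))."""
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    return h(h(salt) + h(password))

def classify(stored: str) -> dict:
    """Return the scheme, its cost parameters and whether it should be rehashed."""
    if m := BCRYPT_RE.match(stored):
        return {"scheme": "bcrypt", "variant": m[1], "cost": int(m[2]), "rehash": False}
    if m := ARGON2_RE.match(stored):
        v, mem, t, p = (int(x) for x in m.groups()[1:])
        return {"scheme": m[1], "version": v, "memory_kib": mem,
                "time_cost": t, "parallelism": p, "rehash": False}
    if MD5_HEX_RE.match(stored):
        # 32 hex characters: IPB- or MyBB-style MD5; the salt sits in its own column.
        return {"scheme": "md5-family", "rehash": True}
    return {"scheme": "unknown", "rehash": True}

def audit(rows):
    """Count schemes across (user_id, hash) rows; list ids to rehash at next login."""
    counts, to_rehash = Counter(), []
    for user_id, stored in rows:
        info = classify(stored)
        counts[info["scheme"]] += 1
        if info["rehash"]:
            to_rehash.append(user_id)
    return counts, to_rehash

# Constructed sample rows; none of these values come from a real database.
SAMPLE_ROWS = [
    (1, mybb_md5("example-password", "Ab3dE9xQ")),
    (2, "$2y$10$" + "A" * 53),
    (3, "$argon2i$v=19$m=65536,t=4,p=1$" + "c2FtcGxlc2FsdA" + "$" + "B" * 43),
    (4, "plaintext-or-truncated"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```

Records flagged for rehash cannot be upgraded offline, because the plaintext is not stored; the usual migration is to verify against the old scheme at the next successful login and store a new Argon2 or bcrypt hash at that point.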
Caveats
- Topic and thread counts are not unique-breach counts; a single breach can be reposted multiple times.
- View counts reflect attention at the moment of each dump; older threads have had longer to accumulate views.
- The 2026 BreachForums data is users-only; thread-level statistics for the successor forum cannot be enumerated from this corpus.
- RAMP’s smaller user base (7,709) and shorter window (26 months) mean cross-forum scale comparisons should be read with that in mind. RAMP’s role in the pipeline is upstream of mass distribution, so absolute size comparison is not the right yardstick.
- Other significant venues (Russian-language XSS / Exploit, onion-only marketplaces, Telegram channels) are not in this corpus.
Data researcher: Mantas Sasnauskas