Notes

the May 2026 Dark Web Issue Trend Report summarizes the Major Issues that occurred on the deep web and dark web. it stated that due to the nature of the sources, some of the information cannot be fully verified for factual accuracy.

Major Issues

• Hasan’s BreachForums experienced a moderator split, with HasanBroker being ousted and claims of moderator replacement. this has been observed to destabilize the governance structure of BreachForums.
• BreachForums announced an official Ransomware as a Service (RaaS) partnership with DragonForce. this was cited as a move toward integrating stolen data distribution and ransomware operations into one ecosystem.
• A claim was observed announcing a competition between BreachForums and TeamPCP over a Shai-Hulud-based supply chain attack. Shai-Hulud was described as a supply chain attack campaign targeting the npm package ecosystem.
• The T1erOne forum revealed a new Onion address, indicating its intention to continue operations. This is the successor forum to the RAMP forum seizure by the FBI, and it appears to have maintained its RaaS operation-centric nature.
• PwnForums was down for approximately 12 hours following a DNS and IP change. it cited possible technical instability and noted that external pressure could not be ruled out.
• hijacked browser cookie transactions increased across dark web forums. it was explained that hijacked browser cookies can be exploited to access accounts bypassing passwords or multi-factor authentication (MFA), including login session information.
• Google has begun a gradual user rollout of Device-Bound Session Credentials (DBSC) in Chrome with General Availability on May 25, 2026. DBSC is designed to bind session cookies to the TPM on Windows or Secure Enclave on macOS to limit their reuse on other devices, but it has limitations in that it is not retroactive to existing hijacked cookies and falls back to the old way of doing things on older devices, the company said.

Conclusion

may 2026 summarized a further consolidation of dark web forums and threat groups, with BreachForums and DragonForce officially aligning, and competing claims involving BreachForums and TeamPCP. in addition, internal divisions, forum operational instability, and increased trading of hijacked browser cookies were cited as factors that increase the risk of session hijacking-based account compromise. organizations should continue to monitor operational changes and new partnership trends on major dark web forums and the expansion of the complex cybercrime ecosystem.