Hello @Pablo BJB,
1. Kindly take a look at this link:
https://www.conquer-your-risk.com/2022/11/30/4-websites-to-check-if-your-password-is-in-the-darkweb/
https://haveibeenpwned.com/
The above website (have i been pwned) should be helpful in exploring the possibility that your user's accounts were breached as part of various data breaches at various companies and compounded by potential password sharing.
The above website (have i been pwned) allows you to enter the email address and it will show all the breaches for that particular email address (you might have to scroll down a bit to see the detailed breach history).
As part of troubleshooting and diagnosis, kindly consider checking various email addresses of the users you suspect are posting spam (perhaps involuntarily due to things going wrong somewhere and them being a trusted user) in the above website (have i been pwned). If their credentials were breached, you will probably see their email addresses as part of multiple breaches.
2. As part of further troubleshooting and diagnosis effort, you could perhaps contact the user (assuming you have their phone number - sms / call as you deem appropriate, or send a personal email to their registered email - different from the usual forum notification which they might not read) and perhaps convince them to change their password and add in a 2FA and see if the problem goes away. This way you might be able to mitigate the issue. Part of the problem in handling data breaches is that people don't know that their credentials have been breached. And as a friendly suggestion, you might want to word it in a way that doesn't set off panic in the contacted user : (hey, I need your help in troubleshooting an issue with the forum, something along the lines of that, describe the issue and long term trusted users should be more than willing to help you out). And (assuming) that if indeed the user's creds have been breached, your user would need to change the passwords on all affected services.
Good luck with your troubleshooting and do keep us posted.
Regards,
TwinTurbo.