BreachForums Founder, Aged 20, May Face Up to 5 Years in Prison for Breaches.
Conor Brian Fitzpatrick, a 20-year-old man and founder of the now-defunct BreachForums, has been charged with conspiracy to commit access device fraud in the United States. Fitzpatrick, who went by the online name “pompompurin,” may face up to five years in prison if found guilty.
He was arrested on March 15, 2023. The charges come after an investigation by the Department of Justice (DoJ) led to the shutdown of BreachForums, which was used as a marketplace for trading hacked or stolen data, including bank account information, Social Security numbers, hacking tools, and databases containing personally identifying information (PII).
Undercover agents from the FBI purchased five sets of data offered for sale on BreachForums, with Fitzpatrick acting as a middleman to complete the transactions. Fitzpatrick’s links to pompompurin came from nine IP addresses associated with service provider Verizon that Pompompurin used to access the pompompurin account on RaidForums.
The investigation also found that Fitzpatrick had logged into various virtual private network (VPN) providers from September 2021 to May 2022 to obscure his true location and connect to different accounts.
Further investigation revealed that Fitzpatrick had made several OPSEC errors, including logging into BreachForums on June 27, 2022, without using a VPN service or the TOR browser. This exposed his real IP address (69.115.201.194), which was used to access his iCloud account about 97 times between May 19, 2022, and June 2, 2022. The FBI also obtained a warrant to get Fitzpatrick’s real-time cell phone GPS location from Verizon, which showed he was logged in to BreachForums while his phone was at his home.
“Cybercrime victimizes and steals financial and personal information from millions of innocent people,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. “This arrest sends a direct message to cybercriminals: your exploitative and illegal conduct will be discovered, and you will be brought to justice.”
The investigation into BreachForums and Fitzpatrick’s involvement continues. Baphomet, who had taken over the responsibilities of BreachForums, shut down the website days before Fitzpatrick’s arrest out of concern that law enforcement may have obtained access to its backend.