Conor ‘Pompompurin’ Fitzpatrick, 20, Charged with Hacking, Amassed $700K in a Year
The administrator of the now-defunct BreachForums, a platform known for the illicit sale of stolen data, has pleaded guilty to two counts of hacking and one count of possession of child pornography.
Conor Brian Fitzpatrick, a 20-year-old resident of Peekskill, New York, popularly known under the alias Pompompurin, made nearly $700,000 running the criminal online forum in just under a year. He opened the forum in March 2022 and administered it until federal agents arrested him on March 15, 2023 (see: FBI Says It Arrested BreachForums Mastermind ‘Pompompurin’).
Fitzpatrick admitted to being the administrator of BreachForums at the time of his arrest and was charged with one count of conspiracy to commit access device fraud, authorities said. But the latest court filings add two more counts: solicitation for the purpose of offering access devices and possession of child pornography.
The perpetrator “intentionally ran BreachForums in a manner that made it an attractive marketplace for cybercriminals to frequent in an effort to buy, sell or trade stolen or hacked access devices,” a plea agreement released by the prosecutors on Thursday says. “At all relevant times, Fitzpatrick knew and understood that the access devices that BreachForums possessed and helped to traffic were stolen or obtained with the intent to defraud.”
Final sentencing is set for Nov. 17. He faces a maximum penalty of 40 years in prison and a fine of up to $750,000.
Signing the plea deal means Fitzpatrick cannot be further charged in the Eastern District of Virginia, but he will have to register as a sex offender after his release from prison.
An FBI affidavit unsealed in the federal court in March revealed that the feds had begun the hunt for Pompompurin long before the birth of BreachForums. They kept an eye on the IP addresses he used to connect to the now-dismantled predecessor site, RaidForums, where Pompompurin was an active member until its demise in February 2022 (see: How BreachForums’ ‘Pompompurin’ Led the FBI to His Home).
Fitzpatrick took pains to hide his real IP address by using multiple VPNs, but digital breadcrumbs including an old email address, email@example.com, which was used for Zoom and the cryptocurrency e-shopping site Purse.io, eventually led to his undoing.
“Fitzpatrick knowingly falsely registered domain names, including breachforums.org, and used these domain names in the course of committing the offense,” says a separate statement of facts submitted last week. The federal government in this operation seized more than 120 domains used in the illicit activities.
Authorities also seized $698,714 and an undisclosed amount in cryptocurrency wallets during the March 15 arrest, prosecutors said, along with several hardware storage devices, laptops and phones linked to Fitzpatrick’s illicit activities.
One laptop with a Samsung 4-terabyte hard drive attached contained videos depicting prepubescent minors engaging in sexually explicit conduct, which led to the child pornography charge.
Prosecutors said BreachForums had more than 333,000 members and was considered the largest English-language data breach forum of its kind. It contained more than 14 billion leaked records from 888 databases.
Most notable among the stolen data was the personally identifiable information of about 200 million Twitter users; data stolen from the online health insurance marketplace used by members of Congress and residents of Washington, D.C.; and details of approximately 87,760 members of InfraGard, a partnership between the FBI and private sector companies focused on the protection of critical infrastructure (see: Hacker Reportedly Breaches US FBI Cybersecurity Forum).
After Fitzpatrick’s arrest, BreachForums continued to operate for a while on separate infrastructure. Fitzpatrick had people to help him keep the illicit operations active during his absence. Days after federal agents arrested Fitzpatrick, a new admin using the moniker Baphomet announced that he was shutting the forum down, citing a suspicious server logon in the new infrastructure. Baphomet wanted to avoid disclosure of his real identity and law enforcement scrutiny.
Cracking Down on Darknet Marketplaces
U.S. law enforcement agencies over the past year have cracked down hard on darknet marketplaces, which provide sites for conducting illicit cybercriminal activities including the sale and purchase of data, credentials, access points, weapons, counterfeit currency, stolen credit card details, forged documents, unlicensed pharmaceuticals, steroids and other illicit goods. Among them are Hydra, WT1Shop and Monopoly.
While the crackdown against underground marketplaces has accelerated, so have convictions and sentencing for accused cybercriminals. Last week, 28-year-old Veronica Dittman of Arizona was sentenced to five years in prison for her role in operating multiple darknet web pages and selling illegal drugs alongside two previously sentenced co-conspirators.
Dittman and her co-conspirators, Rick Schiffner and Devin Langer, were based in Phoenix, Arizona, and used the names TrustedTraphouse, GoldenTrails, PopcornPlug and many others across at least a dozen darknet markets, the Department of Justice said. Prosecutors said the three had advertised and sold various controlled substances including crystal methamphetamine, cocaine, heroin and fentanyl-laced counterfeit opioids.
“During the course of the conspiracy, the conspirators made over 1,300 sales of controlled substances over the darknet using these accounts,” the DOJ said. Dittman helped process orders over the darknet, including shipping, and operated her own vendor accounts on the darknet using the pseudonyms VirtualPeddler and Darkette.
Schiffner, arrested in August 2022, was sentenced on April 14, 2023, to 150 months in prison. Langer, who was Schiffner’s roommate, was arrested in October 2022 and sentenced on April 17, 2023, to 84 months in prison, the DOJ said.