BreachForums administrator facing 30-year sentence after pleading guilty to three charges

The former administrator of a popular cybercrime forum pleaded guilty this week to three charges related to his operation of the site and to having child pornography on one of his devices.

Conor Brian Fitzpatrick was arrested at his home in Peekskill, New York in March by the FBI for his role in running BreachForums – one of the most visited cybercrime forums available to those looking to sell or purchase stolen data.

During his arrest, the FBI said the 21-year-old Fitzpatrick admitted to being BreachForums’ leading administrator “pompompurin,” and he was eventually charged with one count of conspiracy to solicit individuals with the purpose of selling unauthorized access devices.

First reported by DataBreaches.net, the court documents filed on Thursday show Fitzpatrick ended up pleading guilty to conspiracy to commit access device fraud, solicitation for the purpose of offering access devices and possession of child pornography. The first two charges carry a 10-year maximum sentence and the child pornography charge carries a 20-year sentence.

The plea agreement, which Fitzpatrick and his lawyer signed, says he “knowingly possessed approximately 26 files containing visual depictions of minors engaged in sexually explicit conduct.”

All three charges come with significant fines and Fitzpatrick has agreed to forfeit his assets. While the plea agreement means Fitzpatrick will not face more charges in the Eastern District of Virginia, the agreement does not give him immunity from prosecution in other states.

If or when he is released, he will be forced to sign up for the sex offender registry.

Fitzpatrick signed the agreement on July 10 and prosecutors signed it on Thursday.

Running BreachForums

Fitzpatrick’s plea agreement says he helped run BreachForums from March 2022 to March 15, 2023 – which in turn helped others market stolen payment card data, bank routing and account numbers, Social Security numbers, login credentials and more.

“The purpose of BreachForums, and Fitzpatrick’s intent in operating the forum, was to commit and aid and abet the trafficking of stolen or hacked databases containing, among other things, access devices, and the posting of solicitations to offer databases containing access devices,” the plea agreement said.

“In particular, Fitzpatrick intentionally ran BreachForums in a manner that made it an attractive marketplace for cybercriminals to frequent in an effort to buy, sell, or trade stolen or hacked access devices. At all relevant times, Fitzpatrick knew and understood that the access devices that BreachForums possessed and helped to traffic were stolen or obtained with the intent to defraud.”

As founder and administrator, Fitzpatrick was responsible for designing the website and creating the infrastructure around it. He hired a team of staffers to help him with this and registered dozens of domains under fake names and proxies. Fitzpatrick and his team made at least $698,714 through their running of the site.

In total, prosecutors found 888 databases consisting of 14 billion individual records as of March 7. The site had more than 333,000 members and was considered the largest English-language data breach forum of its kind before it was taken offline by the FBI.

Fitzpatrick was not only a hacker and administrator but also served as a middleman, holding funds in an escrow-like system as hackers bartered and verified stolen data.

The document references several specific cases, including a headline-grabbing post on December 18, 2022 concerning stolen information on 87,760 members of InfraGuard, a partnership between the FBI and private sector companies focused on the protection of critical infrastructure.

A January 4 attack on an unnamed social media site is also referenced due to the size of the posting. The hacker behind it claimed to have contact information for about 200 million users of the social media site.

The agreement notes Fitzpatrick’s role in the sale of sensitive data stolen from Washington D.C.’s healthcare marketplace, one used by members of Congress.

He also obtained “videos depicting prepubescent minors and minors who had not attained 12 years of age engaging in sexually explicit conduct.”

For the child pornography, prosecutors said Fitzpatrick saved the files in folders named "14yo," "15yo," and "Hebephilia." At least one file saved in February was named "13y-fully-nude" and contained graphic images.

The computers where the files were found belonged to him and were only used by him.

“The Statement of Facts include those facts necessary to support the defendant's guilty plea. It does not include each and every fact known to the defendant or to the government and it is not intended to be a full enumeration of all the facts surrounding the defendant's case,” prosecutors said.

Despite claims that the platform would be restarted, the administrator who took over for Fitzpatrick said they plan to shut down the site over concerns that it had been infiltrated too deeply by law enforcement.