DOJ says ‘millions’ of US citizens victimized by BreachForums administrator
The Justice Department is accusing the administrator of popular cybercriminal platform BreachForums of facilitating access to the sensitive personal information of millions of U.S. citizens.
Conor Fitzpatrick, a 20-year-old arrested last week in Peekskill, New York, for allegedly operating as BreachForums administrator pompompurin, appeared in a Virginia court for the first time on Friday.
He faces one count of conspiracy to commit access device fraud and a maximum sentence of five years in prison if convicted.
According to the Justice Department, BreachForums had more than 340,000 members before it was taken offline. As of Jan. 11, the database section of the platform had 888 datasets consisting of over 14 billion individual records.
“Like its predecessor RaidForums, which we took down almost a year ago, BreachForums bridged the gap between hackers hawking pilfered data and buyers eager to exploit it,” Deputy Attorney General Lisa Monaco said in a statement.
In court documents published Friday, the government lays out its case against Fitzpatrick.
“From at least in or around March 2022 through the present, Fitzpatrick has facilitated the unauthorized purchasing and selling of stolen identification documents, unauthorized access devices, unauthorized access to victim computer systems, and login credentials through his operation of a data breach website named ‘BreachForums,’” wrote FBI Special Agent John Longmire to U.S. Magistrate Judge John Anderson.
“Fitzpatrick’s victims have included millions of United States citizens, as well as a U.S. company providing electronic healthcare services (‘Victim-1’), a U.S. company providing internet hosting and security services (‘Victim-2’), and a U.S.-based investment company (‘Victim-3’), among others,” Longmire wrote.
Using data obtained from Verizon, Google and Apple through warrants, FBI agents tied Fitzpatrick to the pompompurin administrator account by linking it to several IP addresses.
Verizon records showed that the IP addresses used to access the pompompurin account on RaidForums — a BreachForums predecessor — were tied to mobile devices registered to Fitzpatrick at his father’s home in Peekskill.
Longmire said the FBI and U.S. Department of Health and Human Services have been investigating pompompurin and other members of BreachForums since March 2022, when Fitzpatrick allegedly created the platform in the wake of the government’s shutdown of RaidForums.
Administrator and middleman
Fitzpatrick was charged with conspiracy to commit and aid and abet solicitation for the purpose of offering unauthorized access devices, due to his alleged “operation of BreachForums and his middleman service on BreachForums.”
The platform was widely used by cybercriminals to buy, sell, and trade hacked or stolen data and other information.
The site allowed members to contact people through private messages to buy and trade stolen data.
The affidavit notes that pompompurin did an interview with a website called “DataKnight” where he explicitly states that he created BreachForums because RaidForums was shut down.
“The community needs someplace to congregate on and there are no forums similar to what RaidForums offered currently,” pompompurin said.
When asked whether he was afraid that he may face the same fate as the administrator of RaidForums, pompompurin said “it doesn’t really bother” him.
“If I get arrested one day it also wouldn’t surprise me, but as I said I have a trusted person who will have full access to everything needed to relaunch it without me. This person will also never be made known to the public, so it wouldn’t be possible for the police to also target them in the event that they want to get the forum taken down for good,” pompompurin explained.
Longmire writes that the three unnamed victims referenced in the affidavit confirmed that their data was stolen and added to the forum throughout 2022.
He also walks through several instances where pompompurin mediated between two cybercriminals — effectively serving as a de facto cybercriminal escrow service where he held potential funds while a buyer inspected a stolen database to see if it was legitimate or had the information desired.
In one post, pompompurin says he “has already performed over $430,000 in middleman transactions with zero issues.”
The court document also notes the December incident involving InfraGard — the FBI’s platform for facilitating information sharing with private sector companies. On December 18, someone posted the details of 87,760 InfraGard members on BreachForums, a fiasco that forced the FBI to make all members sign up for the platform a second time.
One small note in the affidavit that stood out to several cybersecurity researchers was the fact that in their take down of RaidForums, the FBI obtained images of servers that had a database of forum activity.
While the fact is listed to explain one of the ways they were able to connect pompompurin to Fitzpatrick, several researchers intimated the finding could spell trouble for other cybercriminals who used RaidForums.
RaidForums operated from 2016 until February 2022, when United Kingdom authorities arrested Diogo Santos Coelho, the alleged founder and chief administrator of the platform.
One of the many ways the FBI was able to tie Fitzpatrick to pompompurin was through messages sent from the account on RaidForums. In one November 28, 2020 exchange, pompompurin questions another user about a stolen database from ai.type — a keyboard app installed on over 40 million devices.
According to communications obtained by the FBI, pompompurin asked the hacker whether the database posted contained every user because he searched his email address and did not find it in the stolen trove of data.
Pompompurin says he searched [email protected] as well as the name “conorfitzpatrick” and did not find it.
“I cannot locate myself in the file provided at https://raidforums.com/Thread-ai-type-Database-Leaked-DownloadExclusive. It seems that maybe it is only a partial amount of data from it? I was under the impression that it was the full amount of data from looking at the thread as I didn't see any mention of it only being ‘some’ of the data from the breach,” pompompurin said.
Longmire explained that hackers “commonly search themselves in databases to identify any vulnerabilities they might have and determine if any of their personal information may be accessible online.”
According to Longmire, during the raid on his home, Fitzpatrick waived his rights and agreed to speak with law enforcement, openly admitting that he was behind the pompompurin account.
“He also admitted that he owns and administers BreachForums and previously operated the pompompurin account on RaidForums. He stated that after RaidForums was seized by law enforcement, he was approached by individuals who thought he would be competent enough to run a similar site. Fitzpatrick stated that he agreed to do so,” he said, later admitting that he was aware that BreachForums is a site where people can and do “solicit the purchase and sale of compromised data.”
“He also stated that he operates a middleman service and he estimated that he conducts 2-3 such transactions a day. He further admitted that these transactions involve the purchase and sale of compromised data. Fitzpatrick stated that he does not charge for the middleman service, but he does charge for credits and membership upgrades on BreachForums. He estimated that he earned approximately $1,000 a day from BreachForums, and that he uses this money to administer BreachForums and purchase other domains.”
The administrator who took over for pompompurin — going by the name “Baphomet” — initially said BreachForums would live on.
But days later, the new administrator said there was evidence to suggest law enforcement had access to pompompurin’s account, prompting them to shut down the platform and make plans to start something new.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.