Conor Brian Fitzpatrick, the creator and administrator of the notorious cybercrime marketplace BreachForums, has been sentenced to time served alongside a 20-year supervision period. Dubbed “pompompurin” online, Fitzpatrick’s activities were brought to light following his arrest in March 2023 in New York, where he was charged with conspiracy to commit access device fraud and possession of child pornography.

Following his arrest, Fitzpatrick was released on a $300,000 bond. In July 2023, he pleaded guilty to the charges. BreachForums launched in March 2022 and operated as a key platform for cybercriminals trading stolen data, amassing over 340,000 members before being shut down a year later.

The marketplace facilitated the sale of sensitive information, including bank details, Social Security numbers, personally identifiable information (PII), hacking tools, breached databases, and access credentials for compromised accounts across various service providers. Importantly, BreachForums also offered services to enable unauthorized access to victim systems, affecting millions of U.S. citizens and numerous domestic and foreign entities.

Additionally, Fitzpatrick oversaw the “Leaks Market,” wherein he acted as a trusted intermediary for users trading hacked data and illicit goods. The U.S. Department of Justice has noted that Fitzpatrick managed an “Official” databases section through which access to verified hacked databases was sold via a “credits” system, enhancing the platform’s operational robustness.

Recent court documents indicate that Fitzpatrick’s mental health issues may have influenced the leniency of his sentencing. One day prior to sentencing, prosecutors had recommended a 15-year prison term. The 21-year-old is now required to serve the first two years of his supervised release under home confinement with a GPS monitor, and must engage in mental health treatment. Additionally, he is prohibited from using the internet for the first year and must register with the sex offender database of the state where he resides.

As of now, the restitution amount Fitzpatrick owes to victims remains uncertain. Notably, he was recently jailed for violating the conditions of his pre-sentencing release by accessing an unmonitored computer while using a virtual private network (VPN).

Despite the legal crackdown on BreachForums, reflected in the seizure of its domains in March 2023, the platform has reportedly reemerged. In June 2023, following its takedown, it was revived by the notorious ShinyHunters group, previously known for their activities on Raid Forums.

From a cybersecurity perspective, this incident underscores the rising threat posed by advanced adversary tactics, especially in the context of data breaches. Techniques associated with initial access, persistence, and privilege escalation, as outlined by the MITRE ATT&CK framework, could have been employed by those interacting with BreachForums to exploit vulnerabilities in victim systems and gain unauthorized control.