When the owner of BreachForums was arrested this week, it was not a total surprise, but there were aspects to it that were curious. DataBreaches wonders whether this was a rushed operation in response to some possibly urgent concern.
Bloomberg Law broke the news Friday that Conor Brian Fitzpatrick, aka “Pompompurin,” was arrested Wednesday, and a search warrant was executed at his family’s home in Peekskill. The affidavit of FBI Special Agent John Longmire claims that Fitzpatrick admitted to being “Pompompurin” and the owner and administrator of BreachForums. He allegedly made those admissions voluntarily after being advised of his Miranda rights.
Fitzpatrick appeared in federal court in New York on March 16. He was released on an unsecured $300,000 bond co-signed by his parents and will have to appear in federal court in the Eastern District of Virginia on March 24.
[NOTE: Two federal cases were opened on March 15: United States of America v. Fitzpatrick, 7:23-cr-2171, US District Court, Southern District of New York; and United States of America v. Conor Brian Fitzpatrick, 1:23-mj-00067-JFA. The New York case does not yet appear on Pacer even though documents from it can be accessed on CourtListener.]
Some background
As Brian Krebs aptly noted, Pompompurin was a thorn in the FBI’s side even before he opened BreachForums. In November 2021, Pompompurin (“Pom”) managed to blast out emails from an FBI portal. Although Pom told DataBreaches that he believed that it would be immediately apparent that these were not real or serious emails, a number of recipients did take them seriously, and the FBI received a number of concerned calls. With the FBI drawing criticism for their security failure, DataBreaches expected law enforcement to make identifying and arresting Pom quickly a priority. But no arrest followed.
Four months later, Pom opened BreachForums to replace the RaidForums forum that had been seized by law enforcement. DataBreaches interviewed Pom at the time and asked him about his security and the forum’s security. In several informal chats with DataBreaches since then, Pom has never expressed any worry for his safety but has also somewhat stoically acknowledged that he might be arrested at some point.
Making the transition from being a RaidForums member to the BreachForums owner and administrator, Pom quickly proved himself not only to be skilled at developing and administering an active forum, but to be kind and helpful to members. That may sound strange to those who assume that the owner of a hacking forum or someone who would allow others to leak or sell sensitive data is an evil criminal with no redeeming virtues, but other than a few people who are laughing at his arrest, the reactions to his arrest by most forum members are sadness and concern for him.
Within a year, BreachForums had registered more than 300,000 members and had become one of the prime sites where hacked data would be listed for sale or leaked. One of the services Pom offered was to serve as a middleman to guarantee that people who paid for data listed by a seller got what they paid for. Even if Pom never did any hacking himself, that service alone might lead to charges that he conspired in certain kinds of crimes.
While Pom was generally nice to most people, he had no patience for specific individuals or entities (see, for example, this post about Club Hydra). One firm, IntelligenceX, wound up in an openly adversarial relationship with Pom and took delight in sending the FBI information on him in January 2023 after he opened an account with them. After Pom’s arrest, they openly bragged about their role. DataBreaches does not know whether their info played any role in his arrest or not.
Not surprisingly, Vinny Troia, who also had an openly adversarial relationship with Pom, expressed some pleasure in Pom’s arrest. Troia sent DataBreaches a text message linking to the Bloomberg report with a message, “AKA thekilob. I love when I’m right.”
But Troia wasn’t right, and when DataBreaches pointed out that Pom wasn’t “theKilob,” Troia claimed that Pom was the first “kilob” or “theKilob” on RaidForums. As far as DataBreaches knows, and as confirmed by theKilob himself, Pom was not the original “kilob” or “theKilob” on RaidForums.
[Note: Of course, this is not the first time Troia has made mistakes in attribution. By DataBreaches’ count, he’s about 0 for 5 (or maybe it’s 0 for 7 or more) on attributions, starting with his erroneous claims about thedarkoverlord. But as wrong as he was about Pom being theKilob or WhitePacket, Troia does not seem to be taking any credit for the arrest.]
Was the March 15 arrest a rush job?
Speculation alert: The rest of this post is pure speculation on my part.
As DataBreaches and news outlets everywhere reported, on March 6, a BreachForums user sold data from DC Health Link that involved members of Congress, their staff, their families, and many other DC entities and businesses. DataBreaches does not know whether the data was sold through BreachForums or off-forum in another setting. After the listing was removed, another version was listed again on BreachForums by a new user called “Denfur.”
Those listings alone would have been enough to put the FBI and law enforcement into high gear because not only were members of Congress making a big stink about the leak, but Denfur revealed that other data would be leaked at some point. “The use of it is something important. More than one database were exposed,” Denfur wrote.
From what DataBreaches was subsequently told, Pom either had those data or would be getting those to act as a middleman. And of note, the data allegedly related to the Department of Homeland Security.
On March 15, when asked by news reporters in Peekskill who saw personnel at Pom’s house with jackets indicating DHS, DHS denied having any operation in Peekskill:
Footage of BreachedForum administrator Pompompurin’s home being raided by the FBI. pic.twitter.com/vR6Kq4tcrS
— vx-underground (@vxunderground) March 17, 2023
So did the March 15 complaint and arrest have anything to do with Denfur’s post and reporting on March 14?
From statements made to DataBreaches by Denfur, it sounds like IntelBroker may have acquired millions of records from government systems, but Denfur does not have those data, and DataBreaches was unable to reach IntelBroker to ask about it.
Did law enforcement decide that they’d better not wait and should try to seize any data in Pom’s possession before it leaked? That might explain a hastily filed complaint with so little publicly available information.
DataBreaches sent two inquiries to DHS yesterday asking them to confirm or deny whether the search and arrest on March 15 were to prevent — in whole or in part — the leaking and dissemination of any DHS files or information. DHS was also asked whether the material removed from Pom’s house contained any files from or concerning DHS.
DataBreaches is still waiting for a reply.
IntelBroker has not been seen on BreachForums since a letter from Congress revealed that the FBI had informed House leadership that they had bought DC Health Link data. Did IntelBroker panic and run to ground? Or has he been arrested, too, and we don’t know it yet?
Does DataBreaches think there’s really just one charge? Heck, no.
DataBreaches suspects that we will eventually see an expanded criminal complaint with more charges. As it is, even one conspiracy charge under 18 U.S. Code 1029(b)(2) can result in a lengthy prison sentence if Pom is convicted and does not make any plea deal.
The Eastern District of Virginia covers the DC Health Link area. It also covers FBI headquarters. So there would be at least two victims possibly involved in the case in the Eastern District of Virginia, plus any other businesses or entities covered by that court (like Infragard) whose data were leaked, hacked, or sold on BreachForums. This is speculative, of course, but Pom could be charged not only with hacking the FBI portal but also with conspiring in other incidents, because a conspiracy charge is so broadly worded as to make almost any involvement or knowledge of an incident part of a conspiracy.
To understand some of the charges Pom may eventually be facing, see the second superseding indictment in the case of United States of America v. Diogo Santos Coelho (aka “Omnipotent”). Note that the indictment is written by the same Assistant U.S. Attorney assigned to Pom’s case. To the extent that Pom has engaged in some of the same conduct that Omni engaged in, you can see how Pom might be charged.
Does DataBreaches think BreachForums will be seized? Heck, yes.
Is BreachForums safe for users? The moderator called “Baphomet” announced he had taken steps to take over the forum and secure it.
Baphomet wrote, in part:
I have most, if not all, the access necessary to protect BF infrastructure and users.
I pretty much already assumed the worst at nearly 24 hours of inactivity. It’s not often Pom is gone an extended period of time, and he’s always let me know ahead of time if that would be the case. He’s also never been inactive this long on both Telegram, Element and the forum at the same time. At that point I decided to remove his access to all important infrastructure and restricted his forum account to still login but not to carry out any administrator actions. I also since that point have been constantly monitoring everything and going through every log to see any access or modifications to Breached infra. So far nothing like that has been seen.
When RaidForums was seized, it was months after the forum owner had been arrested. But to repeat: a lot of this post is just speculation on DataBreaches’ part.
Pom will likely be described in headlines and other sites as some kind of notorious criminal or master criminal. On a personal level, I’m sorry to see Pom arrested because while I won’t pretend that I think he’s innocent of any criminal activity, I hope his parents and the courts don’t lose sight of his good qualities and great potential. In all of the interactions I’ve had with Pom over the past few years, he’s struck me as a nice, respectful kid who turned to criminal activity, even though he doesn’t seem to be really motivated by money or amassing a lot of money or expensive cars or anything.
Actually, the only thing Pom ever expressed a strong wish for in our chats was a cat. I hope he can get one.
Update: “Omni” showed up on BreachForums shoutbox to state that on March 15, he had tried to warn Pom that law enforcement knew his real identity. That raises another possible explanation for a rushed arrest and search: if law enforcement knew that Pom had been warned, they might have rushed to seize devices before he could destroy evidence. Either way, though, the arrest and seizure do seem rushed.
Update 2: It took multiple requests to get a response from the Department of Homeland Security (DHS) as to why they were seen at Pom’s home on March 15th and whether they got involved because of a possibly pending leak of data involving DHS. Here is the reply from Public Affairs Officer Marie L. Ferguson:
As a matter of policy, HSI does not comment on ongoing investigations.
Information regarding publicly filed charges and/or convictions are communicated in coordination with the Department of Justice, when appropriate.
“Actually, the only thing Pom ever expressed a strong wish for in our chats was a cat.”
lol. There is a US Prison where cats are allowed. Hopefully he can do his time there but prob not :/
On a personal level, I’m sorry to see Pom arrested because while I won’t pretend that I think he’s innocent of any criminal activity, I hope his parents and the courts don’t lose sight of his good qualities and great potential.
Indeed. If only you could press a button and inject wisdom into kids.
@freePompompurin