Justice Department Announces Arrest of “Pompompurin” and Disruption of BreachForum’s Operation

The full text of DOJ’s press release today follows. A few questions from me are included after the press release:

The founder of BreachForums made his initial appearance today in the Eastern District of Virginia on a criminal charge related to his alleged creation and administration of a major hacking forum and marketplace for cybercriminals that claimed to have more than 340,000 members as of last week. In parallel with his arrest on March 15, the FBI and Department of Health and Human Services Office of Inspector General (HHS-OIG) have conducted a disruption operation that caused BreachForums to go offline.

According to court documents unsealed today, Conor Brian Fitzpatrick, 20, of Peekskill, New York, allegedly operated BreachForums as a marketplace for cybercriminals to buy, sell, and trade hacked or stolen data and other contraband since March 2022. Among the stolen items commonly sold on the platform were bank account information, social security numbers, other personally identifying information (PII), means of identification, hacking tools, breached databases, services for gaining unauthorized access to victim systems, and account login information for compromised online accounts with service providers and merchants.

“Today, we continue our work to dismantle key players in the cybercrime ecosystem,” said Deputy Attorney General Lisa O. Monaco. “Like its predecessor RaidForums, which we took down almost a year ago, BreachForums bridged the gap between hackers hawking pilfered data and buys eager to exploit it. All those operating in dark net markets should take note: Working with our law enforcement partners, we will take down illicit forums and bring administrators to justice in U.S. courtrooms.”

“People expect that their online data will be protected, and the Department of Justice is committed to doing just that,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Criminal Division. “We must and will remain vigilant to the threat posed by those who attempt to undermine our digital security. We will continue to disrupt the forums that facilitate the theft and distribution of personal information and prosecute those responsible.”

Fitzpatrick’s alleged victims have included millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies. Some of the stolen datasets contained the sensitive information of customers at telecommunication, social media, investment, health care services, and internet service providers. For instance, on Jan. 4, a BreachForums user posted the names and contact information for approximately 200 million users of a major U.S.-based social networking site. Further, on Dec. 18, 2022, another BreachForums user posted details of approximately 87,760 members of InfraGard, a partnership between the FBI and private sector companies focused on the protection of critical infrastructure.

“Cybercrime victimizes and steals financial and personal information from millions of innocent people,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. “This arrest sends a direct message to cybercriminals: your exploitative and illegal conduct will be discovered, and you will be brought to justice.”

“The FBI will continue to devote all available resources to deter, disrupt, and diminish criminal enterprise activity,” said FBI Deputy Director Paul Abbate. “We will work alongside our federal and international partners to impose costs on malicious cyber actors around the world and continue to bring justice to those who victimize the American public.”

“Following the seizure of RaidForums last year, cybercriminals turned to BreachForums to buy and sell stolen data, including breached databases, hacking tools, and the personal and financial information of millions of U.S. citizens and businesses,” said Assistant Director in Charge David Sundberg of the FBI Washington Field Office. “The FBI and our partners will not let cybercriminals and those who enable them profit from the theft of sensitive data while hiding behind keyboards. This arrest and disruption of yet another criminal marketplace demonstrates the potency of our joint work to dismantle the digital structures that facilitate cybercrime.”

As part of the scheme, Fitzpatrick allegedly supported the activities of cybercriminals by creating and operating a “Leaks Market” subsection that was dedicated to buying and selling hacked or stolen data, tools for committing cybercrime, and other illicit material. To facilitate transactions on the forum, Fitzpatrick allegedly offered to act as a trusted middleman, or escrow service, between individuals on the website who sought to conduct these types of illicit transactions. In addition, Fitzpatrick allegedly managed an “Official” databases section through which BreachForums directly sold access to verified hacked databases through a “credits” system administered by the platform. As of Jan. 11, the Official database section purported to contain 888 datasets, consisting of over 14 billion individual records. These databases belong to a wide variety of both U.S. and foreign companies, organizations, and government agencies. Fitzpatrick allegedly profited from the scheme by charging for forum credits and membership fees.

“This case sends a clear message that illicitly stealing, selling, and trading the personal information of innocent members of the public will not be tolerated, and that malicious cyber actors will be held accountable,” said Special Agent in Charge Stephen Niemczak of the HHS-OIG. “HHS-OIG and our law enforcement partners remain dedicated to protecting the American public and the integrity of government networks and data from these egregious cyberattacks.”

The BreachForums website has supported additional sections in which users discuss tools and techniques for hacking and exploiting hacked or stolen information, including in the “Cracking,” “Leaks,” and “Tutorials” sections. The BreachForums website also includes a “Staff” section that appears to be operated by the BreachForums administrators and moderators.

Fitzpatrick is charged with conspiracy to commit access device fraud. If convicted, he faces a maximum penalty of five years in prison.

Fitzpatrick’s arrest and the disruption of BreachForums comes nearly a year after the Department of Justice announced the seizure of a predecessor hacking marketplace, Raidforums, and unsealed criminal charges against RaidForums’ founder and chief administrator, who is the subject of extradition proceedings in the United Kingdom.

The law enforcement actions against Fitzpatrick and BreachForums are the result of an ongoing criminal investigation by the FBI Washington Field Office, FBI San Francisco Division, and HHS-OIG, with assistance provided by the U.S. Secret Service, Homeland Security Investigations New York Field Office, New York Police Department, U.S. Postal Inspection Service, and Peekskill Police Department. The U.S. Attorneys’ Office for the Northern District of California, the District of Maryland, and the Southern District of New York have also provided assistance in this matter.

The Justice Department’s Office of International Affairs is handling the extradition.

The Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Carina A. Cuellar for the Eastern District of Virginia are prosecuting the case.

A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

---

Note 1: DataBreaches has sent an inquiry to DOJ asking why the reference to “the extradition.” What extradition? Fitzpatrick is an American citizen who was arrested in New York and is facing charges in Eastern District Virginia. Why would International Affairs be handling any extradition? DataBreaches will update when a reply is received. DataBreaches also has questions about whether the federal law applies to data that was leaked, not hacked. But more on that another time.

Update: No reply from DOJ was received. Maybe they meant that International Affairs was handling the extradition of Coelho, but that is a separate case.