Update and note: After this post appeared and was posted on Mastodon, some people complained about the original headline, characterizing it as “clickbait.” That was not my intention. I was just trying to accurately describe what I saw as the most noteworthy part of the situation without mentioning either CSAM or CP in the headline lest it trigger blocks. I have since edited the headline in light of their feedback, but I’m not sure if this will cause other problems.
When the arrest of Conor Fitzpatrick, aka “Pompompurin,” was made known on March 17, 2023, the members of Breached.vc (“BreachForums”) were shocked to learn from court filings how poor their forum owner’s OpSec was and that he had already admitted to law enforcement that he was known as “Pompompurin” and was the owner of BreachForums. It seemed very likely that with all the evidence law enforcement had and his own admissions, “Pom” would likely plead guilty in hopes of some reduced charges or sentencing.
At the time of his arrest, there was one charge against Fitzpatrick: conspiracy to commit access device fraud, but it seemed somewhat obvious that there would be other charges.
But some things didn’t go quite as some predicted. Fitzpatrick’s indictment, delayed by consent of both the prosecution and defense until May 15, wound up further delayed after Fitzpatrick reportedly attempted suicide and was hospitalized. It was difficult to tell from all the sealed documents on the court docket exactly what was happening after that, but then there was a sudden flurry of activity this week. Fitzpatrick’s case was ended and the docket was transferred to a new case, USA v. Fitzpatrick, 1:23-cr-00119-TSE-1, still in the Eastern District of Virginia.
On July 11, the new docket indicated that there would be a pre-indictment plea hearing on July 13.
Yesterday, an Information was docketed for the case. It showed that Fitzpatrick was now charged with three counts — one count each of:
18 U.S.C. § 1029(b)(2) and 3559(g)(1) Conspiracy to Commit Access Device Fraud;
18 U.S.C. § 1029(a)(6) and 2 Access Device Fraud – Unauthorized Solicitation; and
18 U.S.C. § 2252(a)(4)(B) and (b)(2) Possession of Child Pornography
Fitzpatrick waived indictment and pleaded guilty to all three counts. A Statement of Facts was also made public.
Shock and Anger
While people expected the first count two counts based on Fitzpatrick’s known activities on the forum and related to the forum, the possession of child pornography charge came as a total shock to those who DataBreaches has heard from already. The information had this explanation for the charge:
On or about March 15, 2023, in the Southern District of New York, the defendant, CONOR BRIAN FITZPATRICK (a/k/a “Pompompurin”), did knowingly possess and attempt to possess at least one matter containing one or more visual depictions that had been transported using a means and facility of interstate and foreign commerce, and in and affecting interstate and foreign commerce, and which visual depictions were produced using materials which had been mailed and so shipped and transported, by any means including by computer; and the production of such visual depictions involved the use of a minor engaging in sexually explicit conduct and such visual depictions were of such conduct, to wit: videos depicting prepubescent minors and minors who had not attained 12 years of age engaging in sexually explicit conduct, stored on a Dell Inspiron 5593 laptop computer (service tag number B2W9723) with a Samsung 870 QVO 4TB solid state drive (SN S5VYNJ0T405292K).
(In violation of Title 18, United States Code, Sections 2252(a)(4)(B) and (b)(2)).
Possible Maximum Penalties
According to the Plea Agreement:
The maximum penalties for conspiracy to commit access device fraud, as pleaded with 3559(g)(1), are 10 years of imprisonment, a fine of $250,000, full restitution, forfeiture of assets as outlined below, a $100 special assessment, and three years of supervised release. The maximum penalties for solicitation for the purpose of offering access devices are 10 years of imprisonment, a fine of $250,000, full restitution, forfeiture of assets as outlined below, a $100 special assessment, and three years of supervised release. The maximum penalty for possession of child pornography is 20 years of imprisonment, a fine of $250,000, full restitution, forfeiture of assets as outlined below, any special assessment pursuant to 18 U.S.C. §§ 3013, 3014, and 2259A, and a minimum supervised release term of 5 years and a maximum of Life. The defendant understands that any supervised release term is in addition to any prison term the defendant may receive, and that a violation of a term of supervised release could result in the defendant being retumed to prison for the full term of supervised release.
Most defendants do not get the maximum penalty, and the sentences do not all necessarily run consecutively. Part of the Plea Agreement goes through the base level and enhancements for each count and explains that the court can set a sentence that is higher or lower than the sentencing guidelines as long they would be upheld by a higher court as reasonable.
Part of what Fitzpatrick agreed to is to pay restitution, which will be at least almost $700,000 based on gross proceeds of his crimes with unnamed co-conspirators. He will also forfeit devices and the numerous domains he owned that are listed in the Plea Agreement.
Sentencing and Bond
Fitzpatrick is scheduled to be sentenced on November 17, 2023. In the interim, he remains free on the $300,000 bond as he has been since his arrest, but now with even more restrictions than before. As outlined in the docket:
- The defendant shall not access a computer and/or the internet unless a computer monitoring program has been installed by the pretrial services office. The defendant shall consent to the installation of computer monitoring software on any computer to which the defendant has access. Installation shall be performed by the pretrial services officer. The software may restrict and/or record any and all activity on the computer, including the capture of keystrokes, application information, internet use history, email correspondence, and chat conversations. The defendant shall not remove, tamper with, reverse engineer, or in any way circumvent the software. The cost of the monitoring will be paid by the defendant.
- No contact with minors under the age of 18 (with the exception of the defendant’s sibling) unless supervised by an adult who is aware of the defendant’s offense, at the discretion of the probation officer.
- The defendant shall not access any websites or accounts focused on breached, leaked or stolen data, computer hacking, security research, malware, computer programming, domains, cybercrime, online obfuscation, or computer networking, without prior approval of probation.
- The defendant shall not use any tools for obfuscating his identity, such as virtual private networks (VPNs), the onion router (Tor), or proxies.
- The defendant shall not create, register, or rent any new websites, domains, servers, or computer infrastructure associated with the operation of websites.
- Court further included at the discretion of the probation officer, defendant maintain or actively seek employment and/or enroll in an educational/vocational program.
Can There Be Other Charges?
DataBreaches was somewhat surprised to see only 3 counts, given how many things it seemed Fitzpatrick could have been charged with — including the FBI email hoax. Indeed, Count 2 of the Information seemed to relate to only one incident during a specified time period — a time period that correlates with the listing of the Shanghai Police Department data, where the listing indicated that Fitzpatrick would be the middleman for any transaction. By being a middleman, Fitzpatrick would have aided and abetted the solicitation etc etc.
So where were all the other charges or counts they could have levied? Is this plea deal the end of all possible prosecutions for Fitzpatrick?
No, it’s not necessarily the end. The Plea Agreement states:
The United States will not further criminally prosecute the defendant in the Eastern District of Virginia for the specific conduct described in the Information or Statement of Facts. This Plea Agreement and Statement of Facts does not confer on the defendant any immunity from prosecution by any state government in the United States.
But for now, however, those who knew Fitzpatrick and liked him are trying to understand how and why the nice kid they knew had child pornography on his device.
More about the nature of the CSAM charges from courtlistener for those who don’t want to click through it:
FITZPATRICK knowingly possessed approximately 26 files containing visual
depictions of minors engaged in sexually explicit conduct on his Samsung 870 QVO 4TB solid
state drive(SN S5VYNJ0T405292K)(“Samsung SSD”).
38. FITZPATRICK used his Samsung SSD with his Dell Inspiron 5593 laptop
computer(service tag number B2W9723). These devices were seized from FITZPATRICK’s
home in New York on March 15, 2023, pursuant to a federal search warrant.
39. Law enforcement performed a digital forensic examination ofFITZPATRICK’s
Samsung SSD, which revealed he had saved child pomography in two folders. Many ofthe files
had file names and phrases indicative of child pomography,such as “14yo,””15yo,” and
“Hebephilia.”
40. For example, FITZPATRICK possessed a video file with “13y-fully-nude” in the
title. This video depicts a minor female who exposes her genitals and masturbates.
FITZPATRICK saved this video file to his Samsung SSD on February 9, 2023. Forensic
artifacts show that FITZPATRICK opened this file after he saved it.
41. FITZPATRICK also possessed a video file with “Girl_Hebephilia” in the file title.
This video depicts two nude prepubescent females. During the video,the girls expose their
genitals to the camera and masturbate. FITZPATRICK saved this video file to his Samsung SSD
on Febmary 9,2023. Forensic artifacts show that FITZPATRICK opened this file after he saved
it.
gah damn
It’s disturbing how many people liked Pom after everything he did, not including the child pornography charges. If you aren’t a criminal, why would you like him? He stole data of innocent people, and profited from their misery. He created a space to make it easier for others to do the same. Where do you draw the line? How is that okay and CSAM isn’t?
mhmm, likable for me because whenever we spoke, he was a down to earth non-egotistical person to me. He was never racist like others in the community, happy to help out and he was very bright, I could honestly see a future for him in a sysadmin role.
I suppose when speaking with him, you don’t think.. wait a second this guy is the owner of all of this and it enables people to do very bad things. It’s hard to explain really, he was such a nice person you’d forget who he really was.
Happy to help??? How many victims did he help you extort and steal data from???
Maybe he can sysadmin for a pre-school. He can put his passion to work!
As someone else commented already, it is hard to explain, but your question is a fair one. For myself: I chatted with Pom a number of times over the past few years. Sometimes our chats were about the forum and things I might be researching or reporting on. Other times, he might just reach out to me to say hi and to see if I was okay. Pom was never racist in communications, and he was always polite and thoughtful with me. And as forum members knew, he was not tolerant of CP or anything like that on the forum, which is why that third charge came as such a shock to me and others.
You may understandably find it hard to believe, but he really came across as a nice kid who was also doing a lot of really bad things.
There are a lot of young people out there engaged in illegal activity. I think many more will be caught. Their families will be devastated, and their lives will be ruined or seriously affected. And for what? The addictive thrill and the challenge of hacking without getting caught? For bragging rights about how much money one can extort or sell data for? I’ve been blogging about hacking and hackers since about 2012. A number of the people I’ve reported on wound up being caught and doing time. Some of them have stayed in touch with me as they try to get their lives turned around after being released. It’s extremely difficult. Contrary to popular myths, getting caught does not show governments or potential employers that you’re good at hacking. You got caught, remember?
Anyway, I’m ranting a bit. But yes, I did — and still do — like Pom. And I am worried for him at this point.
Updating: There are a number of people who tell me that after looking at the forensics and filings, they no longer like or have any respect for Fitzpatrick. Personally, I am still having trouble believing there isn’t some explanation. Even psychologists can be in denial.
This shi crazy do NOT free pom breached mfs weird 😭💀