Conor Brian Fitzpatrick, the 20-year-old founder and the administrator of the now-defunct BreachForums has been formally charged in the U.S. with conspiracy to commit access device fraud.
If proven guilty, Fitzpatrick, who went by the online moniker “pompompurin,” faces a maximum penalty of up to five years in prison. He was arrested on March 15, 2023.
“Cybercrime victimizes and steals financial and personal information from millions of innocent people,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. “This arrest sends a direct message to cybercriminals: your exploitative and illegal conduct will be discovered, and you will be brought to justice.”
The development comes days after Baphomet, the individual who had taken over the responsibilities of BreachForums, shut down the website, citing concerns that law enforcement may have obtained access to its backend. The Department of Justice (DoJ) has since confirmed that it conducted a disruption operation that caused the illicit criminal platform to go offline.
BreachForums, per Fitzpatrick, was created in March 2022 to fill the void left by RaidForums, which was taken down a month before as part of an international law enforcement operation.
It served as a marketplace for trading hacked or stolen data, including bank account information, Social Security numbers, hacking tools, and databases containing personally identifying information (PII).
In new court documents released on March 24, 2023, it has come to light that undercover agents working for the U.S. Federal Bureau of Investigation (FBI) purchased five sets of data offered for sale, with Fitzpatrick acting as a middleman to complete the transactions.
Fitzpatrick’s links to pompompurin came from nine IP addresses associated with service provider Verizon that Pompompurin used to access the pompompurin account on RaidForums and a major OPSEC failure on the defendant’s part.
“The RaidForums records also contained […] communication between pompompurin and omnipotent [the RaidForums administrator] on or about November 28, 2020, in which pompompurin specifically mentions to omnipotent that he had searched for the email address email@example.com and name ‘conorfitzpatrick’ within a database of breached data from ‘ai.type,'” according to the affidavit.
It’s worth noting that the Android keyboard app Ai.type suffered a data breach in December 2017, leading to the accidental leak of emails, phone numbers, and locations associated with 31 million users.
Further data obtained from Google reveal that Fitzpatrick registered a new Google account with the email address firstname.lastname@example.org in May 2019 to replace email@example.com, which was closed around April 2020.
What’s more, the “old” firstname.lastname@example.org email address is present in the breached Ai.type database legitimate data breach notification site Have I Been Pwned.
“The recovery email address for email@example.com was firstname.lastname@example.org,” the affidavit reads. “Subscriber records for this account reveal that the account was registered under the name ‘a a,’ and created on or about December 28, 2018 from the IP address 220.127.116.11.”
“Records received from Verizon, in turn, revealed that IP address 18.104.22.168 was registered to a customer with the last name Fitzpatrick at [a residence located on Union Avenue in Peekskill, New York].”
The investigation also turned up evidence of Fitzpatrick logging into various virtual private network (VPN) providers from September 2021 to May 2022 to obscure his true location and connect to different accounts, including the Google Account linked to email@example.com.
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.
One of those masked IP addresses was further used to sign in to a Zoom account under the name of “pompompurin” with an e-mail address of firstname.lastname@example.org, records obtained by the FBI from Zoom reveal. Interestingly, Fitzpatrick is said to have used the email@example.com email address to register on RaidForums.
Also unearthed by the agency is a Purse.io cryptocurrency account that was registered with the email address firstname.lastname@example.org and “was funded exclusively by a Bitcoin address that pompompurin had discussed in posts on RaidForums. Records from Purse.io showed that the account was used to purchase “several items” and ship them to his address in Peekskill.
On top of that, the FBI secured a warrant to get his real-time cell phone GPS location from Verizon, allowing the authorities to determine that he was logged in to BreachForums while his phone’s physical location showed he was at his home.
But that’s not all. In yet another OPSEC error, Fitzpatrick made the mistake of logging into BreachForums on June 27, 2022, without using a VPN service or the TOR browser, thereby exposing the real IP address (22.214.171.124).
Based on data received from Apple, the same IP address was used to access the iCloud account about 97 times between May 19, 2022, and June 2, 2022.
“Fitzpatrick has used the same VPNs and IP addresses to log into the email account email@example.com, the Conor Fitzpatrick Purse.io account, the pompompurin account on RaidForums, and the pompompurin account on BreachForums, among other accounts,” FBI’s John Longmire said.
In the aftermath of the release of the affidavit, Baphomet said “you shouldn’t trust anyone to handle your own OPSEC,” adding “I never made this assumption as an admin, and no one else should have either.”