Conor Brian Fitzpatrick, better known by his online alias Pompompurin, has admitted guilt to charges of hacking and possession of child pornography. Fitzpatrick, the mastermind behind the infamous BreachForums, now faces a potential 40-year prison sentence, a $750,000 fine, and a supervised release period that could last from five years to life.
Court documents unsealed on July 13th reveal that BreachForums served as a marketplace for various illegal activities. The site had sections dedicated to buying and selling hacked data, cybercrime tools, and other illicit materials. The “Marketplace” and “Leaks Market” sections were hubs where members could trade stolen data, access devices, and services for unauthorized system access.
Fitzpatrick, a 20-year-old resident of Peekskill, New York, was arrested on March 15th. During his arrest, he confirmed his identity as Pompompurin and admitted to running BreachForums. His arrest led to the site’s shutdown by the remaining administrator, Baphomet, who suspected federal agents had infiltrated the servers. These suspicions were confirmed when the FBI disclosed their access to the forum’s database in newly released court documents.
On June 23rd, U.S. law enforcement seized the domain names associated with BreachForums, including breached[.]vc and Fitzpatrick’s personal domain, pompur[.]in. This marked a significant step in the FBI’s ongoing efforts to dismantle cybercriminal operations linked to Fitzpatrick.
Pompompurin
Pompompurin was a notorious figure in the cybercriminal world, known for leaking and selling data stolen from various companies. After the takedown of RaidForums in 2022, Fitzpatrick launched BreachForums, quickly establishing it as a leading platform for data leaks. At its peak, the forum had over 340,000 members and was frequented by ransomware groups and other cybercriminals looking to distribute stolen data.
Prior to Fitzpatrick’s arrest, an unknown individual tried to sell personal data of U.S. politicians on BreachForums, data that had been stolen in a breach of D.C. Health Link, the healthcare provider for members of the U.S. House of Representatives.
Pompompurin’s activities also included exploiting a security flaw to send fake cyberattack alerts through the FBI’s Law Enforcement Enterprise Portal (LEEP) and using a bug in Twitter’s system to obtain email addresses of approximately 5.4 million users. He was also connected to the theft of Robinhood customer data in November 2021.
Fitzpatrick’s guilty plea represents a major win for law enforcement in the fight against cybercrime. The takedown of BreachForums and the heavy penalties Fitzpatrick faces highlight the severe consequences of engaging in cybercriminal activities. As cyber threats continue to evolve, authorities are intensifying their efforts to safeguard sensitive information and bring cybercriminals to justice.