Conor Fitzpatrick Allegedly Violated Computer Monitoring Requirement, VPN Ban
The administrator of data breach marketplace BreachForums, known as “Pompompurin,” is in jail following violations of his presentencing release.
Two FBI agents arrested Conor Brian Fitzpatrick on Tuesday after his probation officer had alerted the court that the defendant violated his release conditions by using a computer that didn’t have court-required monitoring software installed and by accessing VPN services, according to a court filing.
Fitzpatrick appeared Friday in the U.S. District Court for the Eastern District of Virginia before Judge T.S. Ellis, who ordered that he be remanded to the custody of the U.S. Marshals Service until his sentencing hearing, scheduled for Jan. 19.
When he was first arrested in March 2023, Fitzpatrick – then 20 years old – admitted to running BreachForums, at the time considered the largest English-language data breach forum of its kind.
He pleaded guilty on July 13 to a three-count criminal indictment that charged him with conspiracy to commit access device fraud, solicitation for the purpose of offering access devices and possession of child pornography. The first two charges each carry a prison sentence of up to 10 years, a fine of up to $250,000 and three years of supervised release. The child pornography possession charge carries a maximum penalty of 20 years’ imprisonment, as well as a supervised release period comprising a minimum of five years and a maximum of life.
Under the terms of his plea deal, Fitzpatrick cannot be further charged in the Eastern District of Virginia, but he will have to register as a sex offender following his release from prison.
RaidForums’ Successor
Fitzpatrick launched the now-defunct BreachForums, accessible via breached.co, in March 2022 as a replacement for the notorious RaidForums site after it had been shut down by law enforcement the prior month.
Like its predecessor, BreachForums – aka Breached – offered dedicated “marketplace,” “cracking,” “leaks,” “tutorials” and other sections for the buying, selling and trading of stolen data and other illegal goods and services. The U.S. Department of Justice said the site had served as a clearinghouse for a range of stolen information, including identification documents, bank account and payment card details, Social Security numbers and other personal identifying information, as well as tools for network penetration and breaching databases, the contents of breached databases, network-penetrating services and credentials for remotely accessing victims’ networks as well as individuals’ online accounts.
Fitzpatrick ran BreachForums under the handle Pompompurin and earned nearly $700,000 in just under a year, largely via forum users who purchased credits for accessing stolen data. Prosecutors said that by the time BreachForums was shuttered, it sported over 333,000 members, and hosted more than 14 billion leaked records from 888 databases. “Fitzpatrick’s victims have included millions of United States citizens,” according to an affidavit in support of a criminal complaint submitted to the court.
High-profile data disseminated on BreachForums included personal information stolen from an online health insurance marketplace used by members of Congress, as well as details of individuals who had been members of the FBI public-private cybersecurity forum InfraGard.
BreachForums was rebooted just days following Fitzpatrick’s arrest by a forum user named “Baphomet.” The user quickly pulled the plug again after spotting a suspicious server login and warned fellow users that “nothing can be assumed safe, whether its our configs, source code, or information about our users.”
Baphomet is the name of the administrator of a BreachForums clone operating at yet another URL accessible on the open web.
OPSEC Failures
The FBI said Fitzpatrick had attempted to disguise his identity, in part by using “numerous” VPN services, but he also committed numerous operational security missteps (see: How BreachForums’ ‘Pompompurin’ Led the FBI to His Home).
In an affidavit, an FBI special agent reported confirming Fitzpatrick’s identity in part by using information seized during the RaidForums investigation. An SQL database of RaidForums forum activity included an exchange between the RaidForums administrator, who used the handle “Omnipotent,” and Pompompurin, including the latter’s IP address, which the bureau said it had traced to Fitzpatrick’s Verizon broadband account, registered to his address in Peekskill, New York.
RaidForums included data stolen from the virtual keyboard application ai.type, and Pompompurin messaged Omnipotent to say he had searched for one of his old email addresses as well as his name – listed as conorfitzpatrick02@gmail.com and conorfitzpatrick – but did not find them in the stolen database. That was despite their being listed by the Have I Been Pwned free breach-notification service, which reported that the December 2017 breach had involved 20.6 million accounts, he said.
“Not messaging to ask for credits back or anything, because I wanted it anyways, I just wanted to let you know that it doesn’t seem to be the full amount of data,” Pompompurin messaged Omnipotent about the stolen ai.type database being offered via RaidForums, according to court documents.
The FBI said Pompompurin also had reported switching to a new email address, conorfitzpatrick2002@gmail.com, which investigators tied to at least one cryptocurrency account that was used to ship physical goods to Fitzpatrick’s home address. The bureau also said that in the same short time frames, it had found multiple unique IP addresses being used to log into both that Gmail account and Pompompurin’s RaidForums account and later into the pompompurin@riseup.net account used by Breached’s administrator.