Conor Brian Fitzpatrick, the 20-year-old founder and the administrator of the now-defunct BreachForums has been formally charged in the U.S. with conspiracy to commit access device fraud.
If proven guilty, Fitzpatrick, who went by the online moniker "pompompurin," faces a maximum penalty of up to five years in prison. He was arrested on March 15, 2023.
"Cybercrime victimizes and steals financial and personal information from millions of innocent people," said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. "This arrest sends a direct message to cybercriminals: your exploitative and illegal conduct will be discovered, and you will be brought to justice."
The development comes days after Baphomet, the individual who had taken over the responsibilities of BreachForums, shut down the website, citing concerns that law enforcement may have obtained access to its backend. The Department of Justice (DoJ) has since confirmed that it conducted a disruption operation that caused the illicit criminal platform to go offline.
BreachForums, per Fitzpatrick, was created in March 2022 to fill the void left by RaidForums, which was taken down a month before as part of an international law enforcement operation.
It served as a marketplace for trading hacked or stolen data, including bank account information, Social Security numbers, hacking tools, and databases containing personally identifying information (PII).
In new court documents released on March 24, 2023, it has come to light that undercover agents working for the U.S. Federal Bureau of Investigation (FBI) purchased five sets of data offered for sale, with Fitzpatrick acting as a middleman to complete the transactions.
Fitzpatrick's links to pompompurin came from nine IP addresses associated with telecom service provider Verizon that he used to access the account on RaidForums and a major OPSEC failure on the defendant's part.
"The RaidForums records also contained [...] communication between pompompurin and omnipotent [the RaidForums administrator] on or about November 28, 2020, in which pompompurin specifically mentions to omnipotent that he had searched for the email address firstname.lastname@example.org and name 'conorfitzpatrick' within a database of breached data from 'Ai.type,'" according to the affidavit.
It's worth noting that the Android keyboard app Ai.type suffered a data breach in December 2017, leading to the accidental leak of emails, phone numbers, and locations pertaining to 31 million users.
Further data obtained from Google showed that Fitzpatrick registered a new Google account with the email address email@example.com in May 2019 to replace firstname.lastname@example.org, which was closed around April 2020.
What's more, a search for email@example.com on the data breach notification service Have I Been Pwned (HIBP) corroborates the fact the old email address was indeed exposed in the Ai.type breach.
"The recovery email address for firstname.lastname@example.org was email@example.com," the affidavit reads. "Subscriber records for this account reveal that the account was registered under the name 'a a,' and created on or about December 28, 2018 from the IP address 22.214.171.124."
"Records received from Verizon, in turn, revealed that IP address 126.96.36.199 was registered to a customer with the last name Fitzpatrick at [a residence located on Union Avenue in Peekskill, New York]."
The investigation also turned up evidence of Fitzpatrick logging into various virtual private network (VPN) providers from September 2021 to May 2022 to obscure his true location and connect to different accounts, including the Google Account linked to firstname.lastname@example.org.
One of those masked IP addresses was further used to sign in to a Zoom account under the name of "pompompurin" with an e-mail address of email@example.com, records obtained by the FBI from Zoom reveal. Interestingly, Fitzpatrick is said to have used the firstname.lastname@example.org email address to register on RaidForums.
Also unearthed by the agency is a Purse.io cryptocurrency account that was registered with the email address email@example.com and "was funded exclusively by a Bitcoin address that pompompurin had discussed in posts on RaidForums." Records from Purse.io showed that the account was used to purchase "several items" and ship them to his address in Peekskill.
On top of that, the FBI secured a warrant to get his real-time cell phone GPS location from Verizon, allowing the authorities to determine that he was logged in to BreachForums while his phone's physical location showed he was at his home.
But that's not all. In yet another OPSEC error, Fitzpatrick made the mistake of logging into BreachForums on June 27, 2022, without using a VPN service or the TOR browser, thereby exposing the real IP address (188.8.131.52).
Based on data received from Apple, the same IP address was used to access the iCloud account about 97 times between May 19, 2022, and June 2, 2022.
"Fitzpatrick has used the same VPNs and IP addresses to log into the email account firstname.lastname@example.org, the Conor Fitzpatrick Purse.io account, the pompompurin account on RaidForums, and the pompompurin account on BreachForums, among other accounts," FBI's John Longmire said.
In the aftermath of the release of the affidavit, Baphomet said "you shouldn't trust anyone to handle your own OPSEC," adding "I never made this assumption as an admin, and no one else should have either."