Conor Brian Fitzpatrick, the owner of the now-defunct BreachForums website, has pleaded guilty to charges related to his operation of the cybercrime forum as well as having child pornography images.
The development, first reported by DataBreaches.net last week, comes nearly four months after Fitzpatrick (aka pompompurin) was formally charged in the U.S. with conspiracy to commit access device fraud and possession of child pornography.
BreachForums, launched in March 2022, operated as an illegal marketplace that allowed its members to trade hacked or stolen databases, enabling other criminal actors to gain unauthorized access to target systems. It was shut down in March 2023 shortly after Fitzpatrick's arrest in New York.
As many as 888 databases consisting of 14 billion individual records are estimated to have been found in total. The forum had over 333,000 members prior to its takedown.
"The purpose of BreachForums, and Fitzpatrick's intent in operating the forum, was to commit and aid and abet the trafficking of stolen or hacked databases containing, among other things, access devices, and the posting of solicitations to offer databases containing access devices," according to court documents.
The 20-year-old faces a maximum jail term of up to 40 years, with fines totaling $750,000. He is scheduled to be sentenced on November 17, 2023.
News of Fitzpatrick's plea agreement comes as the Spanish National Police apprehended a Ukrainian national wanted internationally for his involvement in a fraudulent scareware operation spanning from 2006 to 2011 and eluded capture for over a decade.
It also follows the sentencing of Ashley Liles, a 28-year-old former IT security analyst, to three years and seven months in prison for attempting to extort his employer during a ransomware attack in 2018.
Liles, from Hertfordshire, is said to have altered the original ransom email and changed the payment address provided by the original attacker in an attempt to divert any ransom payments to himself. He had previously pleaded guilty in April 2023.
"Liles, along with other colleagues, worked with police to investigate the incident," the South East Regional Organised Crime Unit (SEROCU) said in a press release.
"Using the information he learned from this, Liles commenced a secondary attack on the company. He accessed senior board members' emails over 300 times and altered the attackers original email address to an almost identical one."