BreachForums was where some US lawmakers’ personal data were allegedly posted in early March
The FBI has arrested the alleged founder of BreachForums, a major hacker forum on which users post hacked and stolen data, including data alleged to have come from a breach that affected the personal information of U.S. lawmakers earlier this month.
Conor Brian Fitzpatrick, 20, of Peekskill, New York, was arrested on March 15 and made his initial appearance in court on Friday for a criminal charge—conspiracy to commit access device fraud, which carries a maximum penalty of five years in prison, the Department of Justice (DOJ) announced.
The charge is related to Fitzpatrick having allegedly created and administered BreachForums, which the DOJ describes as a “marketplace for cybercriminals” that as of last week, claimed to have more than 340,000 members.
At the same time as Fitzpatrick’s arrest, the FBI and the Department of Health and Human Services Office of Inspector General (HHS-OIG) carried out “a disruption operation that caused BreachForums to go offline,” according to the DOJ announcement.
‘Marketplace for Cybercriminals’
Fitzpatrick, who goes by the alias “Pompompurin” online, allegedly operated BreachForums since March 2022, the DOJ release stated, citing court documents unsealed Friday.
The website served as a “popular marketplace for cybercriminals to buy, sell, and trade hacked or stolen data and other contraband,” the complaint (pdf) against Fitzpatrick stated.
It adds: “BreachForums enables its members to post solicitations concerning the sale of hacked or stolen data, exchange direct private messages with prospective buyers and sellers, buy access to certain hacked or stolen data that the platform itself controls and distributes, and arrange other services related to the illicit transfer of stolen data and contraband.”
Fitzpatrick also allegedly managed a section where the website directly sold access to verified hacked databases that belong to various U.S. and foreign companies, organizations, and government agencies, the DOJ stated, adding that he “allegedly profited from the scheme by charging for forum credits and membership fees.”
The website also hosted other sections where users discussed ways to hack and exploit the hacked or stolen information, the DOJ stated.
Victims Include US Lawmakers: Report
The DOJ said that stolen data commonly sold on the website included “bank account information, social security numbers, other personally identifying information (PII), means of identification, hacking tools, breached databases, services for gaining unauthorized access to victim systems, and account login information for compromised online accounts with service providers and merchants.”
Alleged victims of the website include millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies, the DOJ stated, adding that some of the stolen datasets posted on the website “contained the sensitive information of customers at telecommunication, social media, investment, health care services, and internet service providers.”
Earlier in March, a data breach at D.C. Health Link exposed the personal information of 17 House members and hundreds of congressional staffers. D.C. Health Link is the health insurance marketplace for residents of the district. CyberScoop reported that a hacker had posted what they said was the full dataset stolen from D.C. Health Link, a file that “contained more than 67,500 unique entries.” The cybersecurity news company said it “confirmed the authenticity of the data belonging to one individual in the data set.”
The DOJ cited other examples, including how 200 million users’ names and contact information of a major U.S.-based social networking platform were posted on BreachForums on Jan. 4.
Separately, on Dec. 18 last year, a BreachForums user shared information of over 87,500 members of InfraGard, which is a partnership between the FBI and the private sector that seeks to protect critical infrastructure.
Prior to appearing in court Friday, Fitzpatrick was released on a $300,000 bail with conditions.
His arrest comes about a year after U.S. authorities cracked down on RaidForums, described as the predecessor to BreachForums. RaidForums’ founder and chief administrator, Diogo Santos Coelho, was arrested on Jan. 31, 2022, by UK authorities at the request of the United States. Coelho is awaiting extradition.