The founder of global hacking website BreachForums will serve three years in prison after judges challenged an initial sentence of just 17 days.
New York man Conor Brian Fitzpatrick, known as ‘Pompompurin’ online, received the sentence for crimes related to his founding and administrative role at BreachForums – a long-running and prolific hacking site where cybercriminals exchanged techniques, shared illicit materials and leaked data from some of the world’s most significant data breaches.
US attorney Erik Siebert said Fitzpatrick “personally profited” from the sale of “vast quantities of stolen information” which ranged from “private personal information to commercial data”.
“These crimes were so extensive that the damage is difficult to quantify,” Siebert said Wednesday.
Last year, 22-year-old Fitzpatrick pleaded guilty to fraudulent solicitation of personal information, conspiracy to traffic stolen personal information with intent to defraud, and possession of child abuse material (CSAM).
According to documents in the US Fourth Circuit Court of Appeals, Fitzpatrick’s sentencing was initially calculated between roughly 15 and 20 years imprisonment – though this was drastically reduced on account of his youth and an autism spectrum disorder diagnosis.
After concluding he would be “ravaged” if sentenced to prison, the US District Court for the Eastern District of Virginia instead sentenced Fitzpatrick to 20 years supervised release following a measly 17-day imprisonment which had already been served in custody at a local jail.
After the US government appealed in January that the court had “abused its discretion”, a three-judge panel remanded the case for resentencing.
On Wednesday, Fitzpatrick was handed a new three-year sentence.
Conor Brian Fitzpatrick is heading back to jail. Source: Alexandria Sheriff's Office
“We will not allow criminals to hide in the darkest corners of the internet and will use all legal means to bring them to justice,” said Siebert.
Fitzpatrick founded criminal underground as a teen
In March 2022, a then 19-year-old Fitzpatrick launched BreachForums as a means for hackers and fraudsters to peddle stolen data following a US crackdown on hacking bazaar RaidForums.
He was first arrested in 2023 and shortly after confirmed to be BreachForums user Pompompurin – a lead administrator who personally reviewed all databases sold on the platform.
Though takedown efforts from law enforcement routinely disrupted BreachForums, the website accrued over 330,000 members and was linked to some of the most notable cyberattacks of the decade – including Optus’ 2022 data breach and this year’s alleged incident at cloud giant Oracle.
The US Department of Justice said the platform offered access to at least 888 datasets of stolen information, containing over 14 billion individual records of personally identifiable data.
Recent court documents confirmed Fitzpatrick played an enthusiastic escrow role for members who needed a middleman for their illicit transactions, while Siebert said the human cost of Fitzpatrick’s personal CSAM collection was “incalculable”.
As part of a plea agreement, the 22-year-old agreed to forfeit over 100 domain names, more than a dozen electronic devices, and cryptocurrency tied to the operation.
Is BreachForums finally dead?
In April this year, BreachForums was taken offline after what appeared to be a fatal distributed denial of service (DDoS) attack.
Though multiple mirrors of the website re-appeared in the weeks to follow, Information Age understands no clear-web links for the platform are operational at the time of writing.
The BreachForums website was taken offline by the FBI. Photo: FBI
Some sources indicated BreachForums has since been resurrected on the dark web, though users on social media and messaging app Telegram have widely accused such dark web links of being federal ‘honeypots’ – traps made to lure cybercriminals into the hands of authorities.
“Today’s sentencing demonstrates that anyone who helps others profit from theft, fraud, and other cybercrimes is not out of reach,” said Brett Leatherman, assistant director of the Federal Bureau of Investigation’s Cyber Division.
Although continued law enforcement disruptions have diminished user trust for the criminal forum, Evan Vougdis, cyber director at Sydney-based cybersecurity firm NSB Cyber, said it was unlikely Fitzpatrick’s sentence would deter another restoration of the BreachForums brand.
“As for other forums, cybercrime ecosystems are quite resilient, with platforms like these often migrating to new domains, [dark web] sites, or entirely fresh brands following disruptions,” he said.
“The repeated revivals of BreachForums itself despite FBI seizures and international cooperation indicate that sentences like this, whilst always a net positive result, rarely halt the broader proliferation of similar sites.”
