Federal agents have arrested a Peekskill, New York, man they say ran the notorious dark web data-breach site “BreachForums” under the name “Pompompurin.”
(Bloomberg) — Federal agents have arrested a Peekskill, New York, man they say ran the notorious dark web data-breach site “BreachForums” under the name “Pompompurin.”
Conor Brian Fitzpatrick was arrested by a team of investigators at his home around 4:30 p.m. Wednesday, an FBI agent said in a sworn statement filed in court the next day. Fitzpatrick is charged with a single count of conspiracy to commit access device fraud.
BreachForums hosted the stolen databases of almost 1,000 companies and websites. The databases often includes personal information, such as names, emails and passwords. The information is offered for sale by users of the site and can be used for fraud. Pompompurin’s profile on BreachForums describes him as “Bossman” and pictures the Sanrio Co. cartoon dog whose name he used as an online alias.
The profile shows Fitzpatrick’s most recent visit to the site was Wednesday at 3:53 p.m., shortly before his arrest.
The FBI agent, who led the other agents in the arrest, said Fitzpatrick admitted he had used the alias “Pompompurin” and was the owner and operator of BreachForums.
Fitzpatrick, who was released on bond, didn’t immediately respond to a request for comment. Benjamin Gold, a lawyer who represented him in his court appearance, declined to comment.
A local newspaper listed Fitzpatrick among the 2021 graduates of Peekskill High School. He was born in 2002, according to court records. A local news station posted video of FBI and Homeland Security agents, working with local police, raiding a home in Peekskill on Wednesday and carrying bags of possible evidence from the house. The report didn’t identify Fitzpatrick as the target, but the address is the one listed in online records as the house where he lived with his parents.
Cybersecurity Investigators
Fitzpatrick had been closely scrutinized by cybersecurity investigators for more than a year, and was considered a significant player in the cybercrime ecosystem, according to multiple people familiar with the situation who asked not to be identified because the information isn’t public.
RaidForums, the spiritual precursor to BreachForums, was sized by the Federal Bureau of Investigation in April 2022.
“Breach Forums is one of, if not the most active, hacker forums out there,” said Allan Liska, a senior intelligence analyst at cybersecurity firm Recorded Future. “They are well-known for leaking sensitive information stolen from major organizations around the world including the Robinhood trading platform and Acer Computers.”
BreachForums was founded after the shutdown of RaidForums, “specifically with the goal of carrying on the work started at Raid,” Liska said. “Pompompurin ran the forum and actively encouraged the hack and leak activities that occurred there.”
In November 2021, Pompompurin claimed responsibility for sending out fake emails that originated from an “fbi.gov” email address. Pompompurin claimed responsibility for the breach in an interview with Brian Krebs.
Details of the charges, filed in federal court in Alexandria, Virginia, have not been made public. A spokeswoman for the US Attorney in Alexandria didn’t return phone and email messages seeking comment.
Fitzpatrick was presented in federal court in White Plains, New York, and released on a $300,000 unsecured bond, signed by his parents. Fitzpatrick is required to avoid any contact with co-defendant, co-conspirators and witnesses in the case. He’s due to appear in court in Alexandria on March 24.
The case is US v. Fitzpatrick, 23-cr-2171, US District Court, Southern District of New York (Manhattan).
(Updates with information from BreachForums site in fourth paragraph.)
More stories like this are available on bloomberg.com
©2023 Bloomberg L.P.