
Today, the FBI confirmed they have access to the database of the notorious BreachForums (aka Breached) hacking forum after the U.S. Justice Department also officially announced the arrest of its owner.

20-year-old Conor Brian Fitzpatrick (also known as Pompompurin) was charged for his involvement in the theft and sale of sensitive personal information belonging to “millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies” on the Breached cybercrime forum.

Fitzpatrick appeared today in court in the Eastern District of Virginia after being arrested one week ago at home in Peekskill, New York, and released on a $300,000 bond.

FBI now has access to the BreachForums database

In new court documents published this Friday, FBI Special Agent John Longmire revealed that the FBI has the Breached database, which helped establish that Fitzpatrick is indeed Pompompurin, the forum’s main admin, as charged. That link was based on activity logs and the Optimum Online Internet connection he used (registered with the conorfitz@optimum.net email address).

Fitzpatrick also made it easier for law enforcement to link him to the Pompompurin online handle after he told the RaidForums owner in a private conversation that a leaked, stolen database for ai.type didn’t contain his older email address (conorfitzpatrick02@gmail.com), which was shown as leaked on Have I Been Pwned.

The FBI was able to see this private conversation after it seized RaidForums’ servers and databases in February 2022.

As Longmire added in his March 15 affidavit, the FBI also found Fitzpatrick’s Optimum Online IP address (69.115.201.194) logged in the BreachForums database after using it once to sign in on the forum, either after forgetting to use Tor or to enable the VPN he usually used, or after the VPN service failed.

Fitzpatrick used the same IP address to access his iCloud account dozens of times from his iPhone over fewer than two weeks.

“While the FBI’s examination of the BreachForums database reveals that the pompompurin account was typically accessed through VPN services or Tor, I believe it is notable that IP address 69.115.201.194 was once used to login to the pompompurin account on or about June 27, 2022,” Longmire said.

“Further, records received from Apple Inc. concerning an iCloud account associated with FITZPATRICK reveals that the account was accessed approximately 97 times from IP address 69.115.201.194 between on or about May 19, 2022 and on or about June 2, 2022, from an iPhone mobile device.”

On his arrest, the defendant also openly admitted to law enforcement without a lawyer present and after waiving his constitutional rights that he was behind the BreachForums Pompompurin account.

“He also admitted that he owns and administers BreachForums and previously operated the pompompurin account on RaidForums,” Longmire added.

“He estimated that he earned approximately $1,000 a day from BreachForums, and that he uses this money to administer BreachForums and purchase other domains.”

Who is Pompompurin?

Pompompurin has been a high-profile RaidForums member and part of a cybercriminal underground dedicated to breaching companies and selling or leaking their stolen data online.

After the RaidForums seizure in 2022, Pompompurin created a new forum known as BreachForums or Breached to fill the void.

Breached quickly became the largest data leak forum, commonly used by ransomware gangs and other threat actors to leak stolen data.

Just prior to Fitzpatrick’s arrest, a threat actor attempted to sell the personal data of U.S. politicians stolen after breaching D.C. Health Link, the healthcare provider for U.S. House members, their families, and their staff.

Pompompurin has also been involved in high-profile company breaches, including using a flaw in the FBI’s Law Enforcement Enterprise Portal (LEEP) to send fake cyberattack alert emails, stealing Robinhood customer data, and allegedly using a Twitter bug to confirm the email addresses of roughly 5.4 million users.

Since Fitzpatrick’s arrest, court documents have not revealed any charges brought over Pompompurin’s own breaches and malicious activity outside the data leak forum.

Breached shut down after Pompompurin’s arrest

Following Fitzpatrick’s arrest, the Breached hacking forum was shut down by Baphomet, the remaining administrator, after saying that they believed law enforcement had access to the servers.

The announcement followed an initial decision to migrate the website to new infrastructure to allow users to continue using the platform.

“Throughout the migration I checked to see if anything was going on that would cause concern during the migration. One of the servers checked, was the old CDN server described above. It seems someone logged in on Mar 19, 1:34 EST prior to me logging into the server,” Baphomet said earlier this week.

“Unfortunately this likely leads to the conclusion that someone has access to Pom’s machine. This will be my final update on Breached, as I’ve decided to shut it down. I’m aware this news will not please anyone, but it’s the only safe decision now that I’ve confirmed that the glowies likely have access to Pom’s machine,” with ‘glowies’ meaning Federal agents.

In a new update shared today, Baphomet commented on the FBI’s confirmation that they had access to Breached servers and added that every user should’ve been handling their own OPSEC.

“The most important thing right now for our community is to be aware that the FBI is now confirmed to have access to the Breached database. They clearly say so in their most recent documents,” Baphomet said.

“At this point the entire document will clearly show what I’ve said for the entirety of my time on Breached, and that you shouldn’t trust anyone to handle your own OPSEC. I never made this assumption as an admin, and no one else should have either.”

Source: www.bleepingcomputer.com