The FBI’s BreachForums bust is causing ‘chaos in the cybercrime underground’
On March 16, 2022, about a month after the FBI took down a popular online forum for buying and selling stolen data known as RaidForums, another criminal marketplace quickly sprung up to take its place. The title of first post on the new forum known as BreachForums simply said “Welcome.”
Over the next year, the forum administered by “pompompurin” would post hacked data related to approximately 14 billion people globally, according to the FBI, and become one of the most prolific cybercrime forums in the world. It hosted breaches that included data related to 7 million Robinhood customers in November 2021, 23 terabytes of Shanghai National Police data in June 2022 and, more recently, roughly 60,000 records from the D.C. Health Link insurance exchange, exposing the personal details of members of Congress, their families and staffs and tens of thousands of other Washington area residents.
All of that came to an end last week after the FBI arrested a 20-year-old named Conor Fitzpatrick, who the bureau believes operated BreachForums from his parents’ house in a small town about 40 miles from New York City. Fitzpatrick admitted to being pompompurin and owning and operating the forum and claimed to earn roughly $1,000 per day trading in stolen information, according to a detailed affidavit published Friday when he was scheduled to appear in federal court in the Eastern District of Virginia.
Additionally, the Justice Department said on Friday that the FBI and the U.S. Department of Health and Human Services Office of Inspector general “conducted a disruption operation that caused BreachForums to go offline.”
The dramatic fall of one of the preeminent cybercrime communities on the internet will have major implications for the cybercrime underground, experts say. Not only will hackers looking to sell data have to find a new venue, threat researchers who track illicit activity by cross-referencing posts and monikers across sites will have to find new ways in, too.
“In the short-term, we will see chaos in the cybercrime underground due to many looking for a new place to call home,” said Will Thomas, a CTI Researcher at Equinix. “It takes time and effort to build up a reputation on a cybercrime forum and losing it overnight will affect the illicit incomes of many. This ‘new home’ could come in the form of another new forum started from scratch by some of the old members of BreachForums or we may see users flock to a new site.”
Some users may go to other established forums, Thomas said, and he’s also seen Telegram channels already popping up “in the meantime while the underground community decides what to do.”
Fitzpatrick, who was living in Peekskill, New York, had already established himself within the cybercrime community before he started BreachForums. In November 2021, for instance, pompompurin was linked to tens of thousands of phony emails purportedly from the FBI. He later claimed to cybersecurity journalist Brian Krebs that he did it to show the vulnerability of the system.
He was arrested on March 15 and has so far been accused of just one crime: conspiracy to commit access device fraud. Fitzpatrick initially appeared in a federal court in New York on March 16 and was released on a $300,000 bond, according to court records, and ordered to appear in federal court in Virginia on Friday. If convicted he faces a maximum penalty of five years in prison, the U.S. Department of Justice said in a statement Friday.
According to a two-page statement the FBI filed with the federal courts, Fitzpatrick admitted to using the nickname “pompompurin,” online, and said he was the owner and administrator of BreachForums.
BreachForums was one of several sites to emerge in the wake of RaidForums’ demise, but clearly the most successful, said Alexander Leslie, an associate threat intelligence analyst with Recorded Future. Over a period of several months BreachForums — known widely as “Breached” — started to establish itself, Leslie said, after a period of relatively low-level activity.
But after about six months, the forum built a vibrant community, and posters developed known personalities and brands, Leslie said. It established itself as a “mid-tier” source of stolen data in the wider international cybercrime ecosystem, which is dominated by the Russian-speaking forums and other sites based in countries where law enforcement either turns a blind eye or is not as stringent about enforcing cybercrime laws.
Thomas said that Breached was initially met with “skepticism from the cybercrime underground,” but “persisted and became the largest English-speaking data broker forum anywhere across the deep or darkweb.”
By January 2023, BreachForums’ “Official” section — which contained databases that had been vetted to a certain degree by Fitzpatrick — contained 879 datasets consisting of more than 14 billion individual records, according to the FBI affidavit.
Among those datasets was one that has gotten the attention of Congress and sparked multiple investigations.
On March 6, a user by the name of “IntelBroker” posted a listing for what they said was 170,000 health insurance enrollment records for people in the Washington, D.C., area. Soon thereafter, the post was pulled down and a second user known as “Denfur” posted a sample and then the full set of the data March 9, which turned out to contain roughly 60,000 records for members of Congress, their staffs and families, and tens of thousands of people in the Washington area stolen from D.C. Health Link. Denfur told CyberScoop they were Russian and the attack was meant to target U.S. government officials.
It’s not clear that the D.C. Health Link breach brought down BreachedForums — it was not cited in the affidavit — but Leslie said the high-profile nature of the data could have been the final straw.
“It could have been D.C. Health Link … but I think it could have been a lot of things,” Leslie said. “It was this compounding, snowballing effect of constantly having very serious breaches of multi-national private corporations, of third-party government contractors, of government entities of critical infrastructure, that, like, reached a critical mass where law enforcement was probably like ‘we cannot let this go on any longer.”
The FBI affidavit cites Fitzpatrick’s alleged involvement in data leaks himself, but also his role as a middle man for transactions in the sale of data involving an undercover FBI employee in at lease one case. The affidavit also details apparent operational security failures that tied Fitzpatrick to running the site, including Fitzpatrick’s login data from the RaidForums takedown that included IP addresses associated with Fitzpatrick’s phone and his house, and a personal Gmail address.
The affidavit also references the fact that the FBI has obtained a SQL database of forum activity on BreachForums, which could potentially lead to problems for the site’s users down the road.
Fitzpatrick and his attorneys did not respond to a request for comment after his arrest.
In the days after his arrest, “Baphomet,” a user Fitzpatrick had referred to as a “staff member” in previous correspondence with CyberScoop, posted a series of statements urging calm and saying they were going to keep the site going. But on March 19, Baphomet said he’d seen indications of someone using Fitzpatrick’s admin accounts to log into a content delivery server after Fitzpatrick’s arrest, suggesting that “nothing can be assumed safe, whether its our configs, source code, or information about our users — the list is endless.” Therefore the site would be shut down for good.
“While the community of Breached will die, I’m going to continue conversations with some of the competitor forum admins and various service operators who reached out to me over the past few days. I’m hoping to work with some of those people to build a new community, that will have the best features of Breached, while reducing the attack surfaces we never properly addressed. As with things like this, I have no doubt our userbase may be absorbed by another community but if there is patience then I hope to bring something back that will rival any other community that can take our place,” Baphomet said in an online post.
The FBI and the U.S. Department of Health and Human Services Office of Inspector general “conducted a disruption operation that caused BreachForums to go offline,” the U.S. Department of Justice said in its statement.
What could happen, Leslie of Recorded Future speculated, is a “hydra-headed effect where threat actors who were popular on breached start to fill the void by launching their own forums, which is kind of what we saw with BreachForums. Threat actors will rebrand, or some might temporarily retire from their activities and lay low for a long time.”