Conor Fitzpatrick, the creator and administrator of the BreachForums cybercrime website, was sentenced to 20 years of supervised release Friday.
A federal judge deemed that the first two years of the 20-year sentence will be served as home confinement, according to a sentencing document posted Friday. Fitzpatrick will have no access to the internet for the first year of his home confinement and must register with state sex offender registries.
Fitzpatrick, 21, was originally arrested March 15, 2023, at his family’s hope in Peekskill, N.Y., and admitted to owning and operating BreachForums under the “pompompurin” moniker, according to court records. He was released on a $300,000 bond, but was arrested again on Jan. 2 of this year for violating the conditions of his pretrial release by using a computer without the required monitoring software and using virtual private network (VPN) services.
Fitzpatrick launched BreachForums in March 2022 in the wake of the law enforcement takedown of RaidForums, another popular cybercrime marketplace.
Prosecutors in the Eastern District of Virginia sought to imprison Fitzpatrick for 188 months — nearly 16 years — based on the nearly 900 stolen databases, comprising over 14 billion individual records, that were made available to members of the BreachForums website, according to court documents filed earlier this month. Additionally, prosecutors said, at the time of his arrest “he knowingly possessed approximately 26 video files containing visual depictions of minors engaged in sexually explicit conduct, including videos depicting prepubescent minors.”
Fitzpatrick’s attorneys filed their own sentencing recommendation memo under seal, citing “confidential and medical information that the public would not, under any other circumstances, be entitled to see.”
Fitzpatrick pleaded guilty on July 13, 2023, to conspiracy to commit access device fraud, solicitation for the purpose of offering access devices, and possession of child pornography, according to court records.
“By creating a platform for hackers and fraudsters to connect and conduct business, the defendant made it possible for BreachForums members to commit exponentially more crimes and more sophisticated crimes than any could have done alone,” prosecutors wrote in the memo, adding that the “criminal activity on BreachForums touched nearly ever sector of U.S. society.”
Notable incidents cited by prosecutors in the sentencing recommendation memo included a leak in December 2022 of data pertaining to some 87,760 members of InfraGuard, records related to 200 million users of a U.S.-based social media company and 20 million user records for a company that controls background check services in January 2023, and the posting of tens of thousands of users’s private health insurance information, including members of Congress, in March 2023.
The sentencing recommendation memo also noted multiple instances in which Fitzpatrick served as a middle man for transactions involving stolen data and, in at least one case, advised a BreachForums member on how to monetize stolen data. In another instance, according to prosecutors, Fitzpatrick told a forum user that he would provide falsified information to law enforcement, but said he doubted that “law enforcement would even bother making legal requests to a hacking forum lmao.”
Although inactive for a period of several months, BreachForums was resurrected in June 2023 by a former administrator who worked under Fitzpatrick, and the site quickly reestablished itself as a top English-language cybercrime marketplace. That version of the site remains active.