Calling this a very, very sad case for an entire family, a federal judge in Virginia ruled on Jan. 19 that the Peekskill cyber mastermind who made hundreds of thousands of dollars by enabling the sale of stolen databases should not serve any more time in prison.

Instead, federal Judge Leonie M. Brinkema sentenced Conor Fitzpatrick, 21, to two years of supervised release on home arrest at the hearing in the federal courthouse in Alexandria, Va. Fitzpatrick will then continue to remain out of jail but on supervised release for 18 more years, until he turns 41 years old.

The terms of Fitzpatrick’s sentence for the first two years include GPS location monitoring, with travel for therapy sessions, meetings with the probation officer, medical appointments and religious observances that are approved in advance. No access to the internet is allowed for the first year.

Federal prosecutors asked the court to send Fitzpatrick to prison for just over 15 years for his crimes, in part to deter others who might want to commit similar crimes in the future.

A spokesman for the U.S. Justice Department declined to comment on the sentence.

Fitzpatrick, who violated the terms of his pre-sentencing release on bond by using a computer and Virtual Private Network services without the required monitoring software, was re-arrested on Jan. 2 and was taken into federal custody until his sentencing on Friday, Jan. 19.  He appeared before Judge Brinkema in dark green prison clothes and read a statement to the court. He was held in the mental health unit of the Alexandria jail for 17 days prior to his  sentencing hearing.

Feds raid Peekskill home

Fitzpatrick was arrested at his Peekskill home on March 15, 2023 and faced the possibility of 20 or more years in federal prison and fines and restitution of $1 million or more. On July 13, he pleaded guilty to three counts and awaited sentencing.

In court papers, prosecutors said that from October 2020 through 2022, Fitzpatrick used the online moniker “Pompompurin” to make posts on Raidforums, an existing online forum, offering to sell valuable stolen databases.

“Then, starting in or around March 2022, the defendant leveraged the reputation he built on Raidforums to create and administer BreachForums with the assistance of co-conspirators, including an evolving staff of moderators,” prosecutors state.

Prosecutors say Fitzpatrick designed and administered the website’s software and computer infrastructure; registered domains to host or provide access to the BreachForums website while hiding his identity; established and enforced the website’s rules; created and managed sections of the website dedicated to promoting the buying and selling of stolen data; operated a middleman service; approved and uploaded breached databases to the BreachForums’ “Official” network for delivering content; and provided other assistance to BreachForums members seeking to buy and sell illicit material on the website, including by investigating and sometimes vouching for the authenticity of stolen data.

As of March 7, 2023, approximately 888 databases containing over 14 billion individual records were available for purchase on BreachForums’ Official “content distribution network” (CDN) through a “credits” system that the website administered, according to prosecutors. Fitzpatrick and his aides profited by nearly $700,000 through the transactions.

Further court hearings will be held to determine the amount of restitution Fitzpatrick must pay.

Government sought long prison term, cites damage done

Arguing for the 15-year sentence, Lauren Halper, an
Assistant United States Attorney, wrote “Accordingly, although the defendant has no formal criminal history, the government believes the defendant’s history of willful defiance of the law and malicious online activity suggests a likelihood of recidivism if left undeterred by a significant term of incarceration.”

Defense lawyers argued for leniency, citing mental health challenges, and told the judge that Fitzpatrick can become a productive member of society with effective treatment of those issues. In his address to the court, Fitzpatrick expressed remorse for his actions, asked for leniency, and explained that the attention he won through BreachForums clouded his judgment.

Prosecutors charge that millions of individuals were potentially damaged by having their personal information stolen and sold through Fitzpatrick’s BreachForums website.

Corporations had to spend hundreds of thousands of dollars to investigate the breaches, face investigations by the Federal Trade Commission, must defend against class action lawsuits and suffered reputational damage and business harm.

“This case sends a clear message that illicitly stealing, selling, and trading the personal information of innocent members of the public will not be tolerated, and that malicious cyber actors will be held accountable,” said Special Agent in Charge Stephen Niemczak of the federal Health and Human Services Department, Office of Inspector General.

“HHS-OIG and our law enforcement partners remain dedicated to protecting the American public and the integrity of government networks and data from these egregious cyberattacks.”