Teenager Conor Fitzpatrick was arrested during a daytime raid at his home on Union Avenue on March 15, 2023. Federal officials seized the computers he used to operate one of the world’s largest online forums that sold stolen databases containing the personal information of millions of people.

He faced up to 20 years in federal prison if convicted.

Just over two years later, Fitzpatrick pleaded guilty to three felony counts. In a decision by federal Judge Leonie M. Brinkema in July of 2024, he received a sentence of time served (17 days) and two years of home arrest, followed by 18 years of supervised release, along with restitution.

Now it appears Fitzpatrick will be going to prison after the federal government won an appeal to overturn that light sentence. His attorneys would have to appeal the case to the United States Supreme Court. Sentencing is scheduled for early June.

Virginia prosecutors get sentence thrown out

The U.S. Attorney’s office in the Eastern District of Virginia went to a federal appellate court in October 2024 and argued Judge Brinkema was wrong to drastically downgrade the sentence Fitzpatrick received compared to what federal guidelines called for. The appellate court agreed with the government in its ruling this past January.

“On appeal, the government contends that the district court abused its discretion by imposing a substantively unreasonable sentence. We agree. Accordingly, we vacate the sentence and remand for resentencing,” the appellate court ruled. 

“If anything, a 17-day sentence for the commission of three serious felonies signals to would-be criminals that they might get one free pass before facing any serious penalties,” the appellate judges wrote. 

In her original sentencing, Judge Brinkema said, “This is among the most difficult cases I’ve seen in quite a while in terms of sentencing, because the interplay between the criminal justice system and the obvious extremely significant mental health issues that this young man has are really very concerning. . . . 

“My concern is [imprisoning in the general prison population] a 21-year-old young man who is probably closer to a 16 or 17-year-old in terms of actual maturity, I think the mental health records clearly would show that, and someone with the very clear documented mental health history that we have — this is not somebody who, you know, post criminal conduct all of a sudden develops mental health issues. I mean, this young man has had them for years. . . . It’s a very, very sad case.” 

She further stated, “I think this gives us the best opportunity to try to protect the community as well as to not see this young man just ravaged in a prison setting where he would never get the mental health treatment that he needs, and he would, again, be, I think, exposed to all kinds of problems. He would clearly be a potential victim. So that is why I’m imposing such an extensively variant sentence.”


Fitzpatrick urged others to ‘sell government secrets’

At the original sentencing, the district court calculated Fitzpatrick’s advisory guidelines sentencing range to be 1.5 years to 20 years imprisonment. Prosecutors asked for a sentence of 15 years.

But based on Fitzpatrick’s autism spectrum disorder and youth (21 years old at the time of sentencing), Judge Brinkema gave Fitzpatrick a 17-days time-served term, concluding that the Federal Bureau of Prisons would not be able to treat Fitzpatrick’s autism spectrum disorder and that he would be “ravaged” in prison. 

Prosecutors laid out their case in court papers why that sentence was wrong.

“Beginning immediately after his plea hearing and release and continuing thereafter for approximately three months, Fitzpatrick violated the conditions of his release by participating in various ‘Discord’ chatrooms,” they argued in the court filings. “He accessed these chatrooms by acquiring a new iPhone and using a VPN to connect to the Internet to evade detection. 

“During his chatroom conversations, Fitzpatrick professed innocence to the very crimes to which he had pleaded guilty, stating that his plea deal was ‘so BS’ and that he had ‘wanted to fight it.’ He also joked with his friends about selling data to foreign governments, exhorting one user to ‘become a foreign asset to china or russia’ and to ‘sell government secrets.’ The chatroom participants also discussed hacking various targets.”

Government attorneys claim that Fitzpatrick can receive treatment for mental health issues in federal prison.

Fitzpatrick’s site contained 14 billion stolen records

In court papers, prosecutors said that from October 2020 through 2022, Fitzpatrick used the online moniker “Pompompurin” to make posts on Raidforums, an existing online forum, offering to sell valuable stolen databases. They described his site as “…one of the world’s largest forums … as a marketplace for cybercriminals to buy, sell and trade hacked or stolen contraband.”

“Then, starting in or around March 2022, the defendant leveraged the reputation he built on Raidforums to create and administer BreachForums with the assistance of co-conspirators, including an evolving staff of moderators,” prosecutors state.

Prosecutors say Fitzpatrick designed and administered the website’s software and computer infrastructure; registered domains to host or provide access to the BreachForums website while hiding his identity; established and enforced the website’s rules; created and managed sections of the website dedicated to promoting the buying and selling of stolen data; operated a middleman service; approved and uploaded breached databases to the BreachForums’ “Official” network for delivering content; and provided other assistance to BreachForums members seeking to buy and sell illicit material on the website, including by investigating and sometimes vouching for the authenticity of stolen data.

As of March 7, 2023, approximately 888 databases containing over 14 billion individual records were available for purchase on BreachForums’ Official “content distribution network” (CDN) through a “credits” system that the website administered, according to prosecutors. Fitzpatrick and his aides profited by nearly $700,000 through the transactions, according to prosecutors. In his plea deal he agreed to turn those assets back to the government.

Victims win case in California federal court

The damage done by Fitzpatrick’s sale of personal information to hackers who use stolen ID information to extort money from companies is ongoing, with many new lawsuits possible in civil courts.

In one recent landmark case, attorneys for Nonstop Administration and Insurance Services won a settlement that allows the people who suffered identity theft, caused by Fitzpatrick selling Nonstop’s database illegally, to make a claim against the assets he forfeited.

The victims sued Nonstop in a class-action case claiming damages when Fitzpatrick sold their names, date of birth, addresses, Social Security numbers and annual salaries on his BreachForum site. [In court papers attorneys claim that on average a company whose data is hacked incurs $4.5 million in costs.]

This past January, Fitzpatrick settled the claims against him by agreeing to let Nonstop’s victims go after money he forfeited to the federal government in his criminal case. [According to the court papers, Fitzpatrick agreed to make restitution of at least $3,000 to all of his victims and forfeit $698,714 to the federal government.]

Jill Fertel, an attorney with Cipriani & Werner in Blue Bell, Penn., represented Nonstop. Fertel said more and more companies are being targeted by both cybercriminals and the identity-theft victims. An average of 129 class-action lawsuits are filed each month against the victimized companies.

Having Fitzpatrick agree to let individuals apply to the court to get back some of the money he forfeited is a big step in redirecting accountability where it belongs, Fertel told the Herald.

“We changed the game by adding one of the threat actors as an additional defendant. I have clients that are small businesses and non-profits targeted incessantly by cybercriminals. Everyone is a target.”