FBI arrests alleged cybercriminal in Peekskill
20-year-old Conor Fitzpatrick accused of running high-profile dark web site
March 19, 2023
When the white Lexus SUV and other cars and pickup trucks with Virginia and Maryland plates pulled up to the quiet neighborhood bordering Depew Park early Wednesday afternoon and blocked the driveways along the 500 block of Union Avenue, the neighbors took notice. They saw people wearing jackets emblazoned with FBI and Homeland Security insignias, and a black Labrador Retriever coming and going out of the yellow two-story Colonial. Detectives from the Peekskill police department were also seen. Soon a News 12 camera truck was on the scene, filming footage of the raid.
The federal agents went into the home of Mark and MaryAnn McCarra Fitzpatrick and found Conor Brian Fitzpatrick, a 2021 graduate of Peekskill High School. The 20-year-old was arrested by FBI Special Agent John Longmire and charged with a computer crime in connection with the so-called dark web.
He was presented in United States Federal Court in White Plains and was released on a $300,000 unsecured bond, signed by his parents. He’s due to appear this Friday, March 24th in federal court in Alexandria, Virgina. An unsecured bond is the promise that if the precise condition of bail is not met, the money will be paid. Fitzpatrick was instructed to have no dealings with co-conspirators, co-defendants and witnesses in the case.
Longmire led the team of FBI investigators from the Eastern District of Virginia. From documents filed in court, Longmire, who’s been with the FBI for 16 years stated: “When I arrested the defendant on March 15, 2023, he stated to me a) his name was Conor Brian Fitzpatrick’ b) he used the alias “pompompurin,” and c) he was the owner and administrator of “BreachForums,” the data breach website referenced in the Complaint.”
The Complaint states that Conor Fitzpatrick violated Title 18 of the US Code, Section 1029, described as conspiracy to commit access device fraud.
Brian Krebs, of Krebs on Security, an in-depth security news and investigation site, explained that ‘Pompompurin’, the alias Fitzpatrick used, has been “something of an nemesis to the FBI for several years.” Krebs broke the story in November of 2021 that thousands of fake emails about a cybercrime investigation were blasted out from the FBI’s email systems and internet addresses.
Krebs went on to explain how Pompompurin took credit for that stunt, and said he was able to send the FBI email blast by exploiting a flaw in an FBI portal designed to share information with state and local law enforcement authorities. The FBI later acknowledged that a software misconfiguration allowed someone to send the fake emails.
Earlier this month, BreachForums, the dark website that the government alleges Fitzpatrick is the owner and operator of, was the sales forum for data stolen from DC Health Link, a health insurance exchange based in Washington, DC. The data breach included names, Social Security numbers, dates of birth, and health plan enrollment information of thousands of DC residents including 21 members of Congress.
A classmate of Fitzpatrick from Peekskill High School who shared the same lunch period with him described their classmate as “a nice kid who was quiet and reserved and pretty smart,” adding, “He was in a few AP classes.” He recalled that Fitzpatrick didn’t come to school for a period of about two months. “We thought he moved or was sick or something. He just kind of disappeared, and when he showed up, he acted as if nothing happened. You could tell he had some sort of stuff going on,” he remembered.
Brian Krebs reported in November of 2021 about exchanges he had with Pompompurin regarding his hacking of the FBI database that showed poor coding. “Needless to say, this is a horrible thing to be seeing on any website,” Pompompurin said, “I’ve seen it a few times before, but never on a government website, let alone one managed by the FBI.”
In an email to the Herald Saturday evening, Krebs provided additional context in the case: “BreachForums has been the source of many high-profile data breaches involving major corporations for the past year, and frequently a new sales thread there is the first we learn about a big new breach.
“It’s not hard to see why they may have waited to go after Pompompurin; he only recently came of age when he could be prosecuted as an adult. It’s hard to say what finally brought the feds to his door. Maybe it was all the data from the Optus, FBI or T-Mobile breaches that first went up for sale on BreachForums. But I suspect the most recent hit involving data taken from DC Health Link may have rekindled interest in taking him off the board.”