Four months after the FBI raided his home on Union Avenue, Conor Fitzpatrick, mastermind of an online host forum that contained nearly 900 stolen databases with over 14 billion individual records, has pled guilty to federal charges.
According to court documents filed in the federal district court in Virginia on July 13, Fitzpatrick has admitted guilt to three criminal counts that could put in him in federal prison for up to 20 years or more, and involve fines and restitution of over $1 million.
Fitzpatrick, who is out on custody secured by $300,000 bond, is scheduled to appear in the Alexandria, Virginia courthouse on Nov. 17 to learn his fate. Federal Judge T.S. Ellis III wrote in the court papers that any deal struck between Fitzpatrick’s attorneys and the government is not binding but rather “… a prediction, not a promise.”
The three federal charges are conspiracy to commit access device fraud, solicitation for the purpose of offering access devices and possession of child pornography. The first two carry maximum sentences of 10 years and fines up to $250,000 each while the third could involve a sentence of 20 years along with the fine. All three require full restitution.
Fitzpatrick, a 2021 graduate of Peekskill High School, was arrested during the March 15, 2023 raid at his home.
From March 2022 through March 15, 2023, BreachForums acted as an illegal marketplace where members could sell hacked or stolen data to commit cybercrimes and gain unauthorized access to victims systems, according to the court papers detailing the guilty pleas.
Fitzpatrick, who used the screen name “Pompompurin,” sold memberships including a “God” membership offering almost unlimited access to hacked websites he listed on his BreachForums site. He sold bank account information, social security numbers, login information for compromised online accounts and usernames and passwords to access accounts with service providers and merchants.
On Dec. 18, 2022 the BreachForums site contained details of approximately 87,760 members of InfraGard, a partnership between the FBI and private sector companies focused on protection of critical infrastructure.
On Jan. 4, 2023 information obtained from a major U.S.-based social networking site was posted including names and contract information for 200 million users.
And on March 9, 2023 a message was posted including a link to a file containing the names, birth dates, social security numbers, employment information and health insurance information for tens of thousands of U.S. citizens from a health insurance exchange.
Fitzpatrick served as middleman between buyers and sellers of stolen data on the BreachForums site. As of March 7, 2023 the site had 888 datasets with over 14 billion individual records including U.S. and foreign companies, organizations and government agencies, according to the court papers.
On March 14, 2023, the day before Fitzpatrick’s arrest, there were approximately 333,412 BreachForums members. According to the government it was the largest English-language database when it went offline.
As part of the plea agreement, Fitzpatrick agreed to make restitution for $698,714 he and his staff and co-conspirators gained through the buying and selling of stolen information on the BreachForums site.
He also accepted further restrictions on his access to computers and the internet. According to court papers “The defendant shall not access a computer and/or the internet unless a computer monitoring program has been installed by the pretrial services office. The defendant shall consent to the installation of computer monitoring software on any computer to which the defendant has access. Installation shall be performed by the pretrial services officer. The software may restrict and/or record any and all activity on the computer, including the capture of keystrokes, application information, internet use […]”
Conditions of his release that were set in March at his court appearance included that he receive a mental health evaluation and treatment and that he maintain and actively seek employment and or enroll in an educational/vocational program.
In an email to the Peekskill Herald shortly after Fitzpatrick’s March arrest, Brian Krebs, of Krebs on Security, an in-depth security news and investigation site, explained the significance of the case.
“BreachForums has been the source of many high-profile data breaches involving major corporations for the past year, and frequently a new sales thread there is the first we learn about a big new breach,” Krebs wrote.
Peter Katz, an attorney representing Fitzpatrick, declined to comment.
Anyone who believes they were a victim of hacking in this case can file a notice.
“If a person or entity believes that their data has been posted, trafficked, or otherwise used without authorization, that person or entity may have been victimized by the alleged activities of the named defendant and his co-conspirators on BreachForums. This court-ordered notice is to help identify any potential victims of the criminal conduct alleged in the Complaint, to provide these victims with information about the government’s investigation, to help victims confer with the prosecution team, and generally to protect victim rights,” the government website states.
Requests for comment from the U.S. Attorney’s office in Virginia were not returned.