The FBI’s Breach Forums bust is causing ‘chaos in the cybercrime underground’

The dramatic fall of one of the preeminent cybercrime communities on the web will have major implications for the cybercrime markets.

BY AJ VICENS

MARCH 24, 2023

On March 16, 2022, about a month after the FBI took down a popular online forum for buying and selling stolen data known as RaidForums, another criminal marketplace quickly sprung up to take its place. The title of the first post on the new forum, known as BreachForums, simply said “Welcome.”

Over the next year, the forum administered by “pompompurin” would post hacked data related to approximately 14 billion people globally, according to the FBI, and become one of the most prolific cybercrime forums in the world. It hosted breaches that included data related to 7 million Robinhood customers in November 2021, 23 terabytes of Shanghai National Police data in June 2022 and, more recently, roughly 60,000 records from the D.C. Health Link insurance exchange, exposing the personal details of members of Congress, their families and staffs and tens of thousands of other Washington area residents.

All of that came to an end last week after the FBI arrested a 20-year-old named Conor Fitzpatrick, who the bureau believes operated BreachForums from his parents’ house in a small town about 40 miles from New York City. Fitzpatrick admitted to being pompompurin and owning and operating the forum and claimed to earn roughly $1,000 per day trading in stolen information, according to a detailed affidavit published Friday when he was scheduled to appear in federal court in the Eastern District of Virginia.

Additionally, the Justice Department said on Friday that the FBI and the U.S. Department of Health and Human Services Office of Inspector General “conducted a disruption operation that caused BreachForums to go offline.”

The dramatic fall of one of the preeminent cybercrime communities on the internet will have major implications for the cybercrime underground, experts say. Not only will hackers looking to sell data have to find a new venue, threat researchers who track illicit activity by cross-referencing posts and monikers across sites will have to find new ways in, too.

“In the short-term, we will see chaos in the cybercrime underground due to many looking for a new place to call home,” said Will Thomas, a CTI Researcher at Equinix. “It takes time and effort to build up a reputation on a cybercrime forum and losing it overnight will affect the illicit incomes of many. This ‘new home’ could come in the form of another new forum started from scratch by some of the old members of BreachForums or we may see users flock to a new site.”

Some users may go to other established forums, Thomas said, and he’s also seen Telegram channels already popping up “in the meantime while the underground community decides what to do.”

Fitzpatrick, who was living in Peekskill, New York, had already established himself within the cybercrime community before he started BreachForums. In November 2021, for instance, pompompurin was linked to tens of thousands of phony emails purportedly from the FBI. He later claimed to cybersecurity journalist Brian Krebs that he did it to show the vulnerability of the system.

He was arrested on March 15 and has so far been accused of just one crime: conspiracy to commit access device fraud. Fitzpatrick initially appeared in a federal court in New York on March 16 and was released on a $300,000 bond, according to court records, and ordered to appear in federal court in Virginia on Friday. If convicted he faces a maximum penalty of five years in prison, the U.S. Department of Justice said in a statement Friday.

According to a two-page statement the FBI filed with the federal courts, Fitzpatrick admitted to using the nickname “pompompurin” online, and said he was the owner and administrator of BreachForums.

BreachForums was one of several sites to emerge in the wake of RaidForums’ demise, but clearly the most successful, said Alexander Leslie, an associate threat intelligence analyst with Recorded Future. Over a period of several months BreachForums — known widely as “Breached” — started to establish itself, Leslie said, after a period of relatively low-level activity.

But after about six months, the forum built a vibrant community, and posters developed known personalities and brands, Leslie said. It established itself as a “mid-tier” source of stolen data in the wider international cybercrime ecosystem, which is dominated by the Russian-speaking forums and other sites based in countries where law enforcement either turns a blind eye or is not as stringent about enforcing cybercrime laws.

Thomas said that Breached was initially met with “skepticism from the cybercrime underground,” but “persisted and became the largest English-speaking data broker forum anywhere across the deep or darkweb.”

By January 2023, BreachForums’ “Official” section — which contained databases that had been vetted to a certain degree by Fitzpatrick — contained 879 datasets consisting of more than 14 billion individual records, according to the FBI affidavit.
