FBI arrests suspected BreachForums owner in New York
The BreachForums arrest occurred days after DC Health Link's data went up for sale on the dark web message board, though the affidavit did not cite the breach in the arrest.
The FBI arrested a New York man suspected to be BreachForums owner and administrator "Pompompurin" earlier this month.
BreachForums is a hacker forum known primarily for facilitating the sale of data sold during a data breach. The dark web marketplace is particularly notable because it facilitated the alleged sale of data obtained during the high-profile DC Health Link breach earlier this month. DC Health Link is a public-private health insurance exchange that facilitates the health insurance of over 100,000 Washington, D.C., residents as well as members of Congress, their staff and their families.
DC Health Link said 56,415 customers were affected at the time. But according to the poster on BreachForums attempting to sell the alleged data, 170,000 individuals had some amount of personal information stolen.
First reported by Bloomberg, FBI agent John Longmire led a team of law enforcement agents on March 15 to make a probable cause arrest of defendant Conor Brian Fitzpatrick in Peekskill, N.Y. Longmire, who is part of the FBI's Washington Field Office Cyber Task Force, said in the arrest affadavit that when Fitzpatrick was arrested, he told the agent "in substance and in part" his name, that he went by the alias "Pompompurin," and that he was the owner and administrator of BreachForums.
The affidavit did not mention DC Health Link or information regarding any other specific breaches.
According to a screenshot posted by Twitter account Daily Dark Web, a BreachForums administrator using the alias "Baphomet" said they suspected Pompompurin (referred to in the post as "Pom") had been arrested and that they will be taking over the forum. Baphomet then said they had revoked Pompompurin's admin privileges and was monitoring logs and infrastructure for signs of law enforcement compromise.
"My only response to [law enforcement], or any media outlet is that I have no concerns for myself at the moment," the post read. "OPSEC has been my focus from day one, and thankfully I don't think any mountain lions will be attacking me in my little fishing boat."
BreachForums went offline Sunday evening or Monday morning, with clear and dark web versions of the site returning error messages. According to a tweet by threat intelligence vendor SOS Intelligence that includes an apparent screenshot from the forum, Baphomet wrote on Sunday that the server would be going offline shortly for server migration. Baphomet wrote that they didn't anticipate the site facing issues such as "fancy little logos," likely referring to a law enforcement takedown notice.
The FBI declined TechTarget Editorial's request for comment.
UPDATE 3/21: In an update posted to Telegram Tuesday, Baphomet wrote that BreachForums was permanently closed because of concerns that the site's infrastructure had been compromised by law enforcement agents. Baphomet expressed interest in working with the administrators of competing forums to start a new marketplace.
Prior to BreachForums going offline an post was made by Baphomet indicating that the site was going offline for a migration and that there would be no fancy little logos or a login page that doesn't work (Likely referring to the FBI takeover of RaidForums) pic.twitter.com/JDTQK5XLiM— SOS Intelligence (@SOSIntel) March 20, 2023
BreachForums is considered the successor to RaidForums, a dark web message board that similarly sold stolen breach data and was shut down following law enforcement action last April. Its suspected founder, Portuguese national Diogo Santos Coelho, was arrested in the U.K. that January.
According to a blog post last spring by threat intelligence vendor Flashpoint, Pompompurin was a "highly active" threat actor on RaidForums who launched BreachForums shortly after the former's takedown. At the time of the post, Flashpoint noted BreachForums had approximately 1,500 members and was still growing.
Pompompurin became a "household name within the cybercriminal underground," according to Flashpoint, thanks to notable attacks such as the 2021 hack of the FBI's email system.
It's unclear what effect Fitzpatrick's arrest will have on BreachForums. But it's unlikely to provide much if any relief to victim organizations. Cybercriminals typically retain copies of stolen data and can migrate to alternative forums and marketplaces on the dark web to sell such data.
Alexander Culafi is a writer, journalist and podcaster based in Boston.