“I[‘]d try getting money out of them first, and if they refuse try selling it,” Conor Fitzpatrick, answering a member’s request about what to do with 16 million stolen records
By Dan Murphy
Brian Fitzpatrick, 20, of Peekskill, New York, pled guilty on July 13 to hacking and selling private information of millions of individuals and companies on his dark web site BreachForums. Fitzpatrick, a 2021 graduate of Peekskill High School, was arrested in March of this year.
Fitzpatrick admitted the offenses when he was arrested by the FBI at his Peekskill home earlier this year, and last month signed a statement in which he admitted to committing access device fraud, solicitation for the purpose of offering access devices, and possession of child pornography. He faces 40 years in prison when he is sentenced next year.
According to the criminal complaint filed in Virginia Federal Court, Fitzpatrick was charged with “conspiracy to commit access device fraud, in violation of 18 U.S.C. § 1029(b), related to his alleged creation and administration of BreachForums.” At the time of his arrest, BreachForums was a major hacking forum and marketplace for cybercriminals that claimed to have more than 340,000 members.
Court documents state, “Conor Brian Fitzpatrick allegedly operated BreachForums as a marketplace for cybercriminals to buy, sell, and trade hacked or stolen data and other contraband since March 2022. Among the stolen items commonly sold on the platform were bank account information, social security numbers, other personally identifying information (PII), means of identification, hacking tools, breached databases, services for gaining unauthorized access to victim systems, and account login information for compromised online accounts with service providers and merchants.
“Fitzpatrick’s alleged victims have included millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies. Some of the stolen datasets contained the sensitive information of customers at telecommunication, social media, investment, health care services, and internet service providers. For instance, on Jan. 4, a BreachForums user posted the names and contact information for approximately 200 million users of a major U.S.-based social networking site. Further, on Dec. 18, 2022, another BreachForums user posted details of approximately 87,760 members of InfraGard, a partnership between the FBI and private sector companies focused on the protection of critical infrastructure. As part of the scheme, Fitzpatrick allegedly supported the activities of cybercriminals by creating and operating a “Leaks Market” subsection that was dedicated to buying and selling hacked or stolen data.”
Fitzpatrick went by the name pompompurin online, and drew the attention of the FBI when he hacked into their system in 2021.
BreachForums operated as an illegal marketplace where its members could solicit for sale, sell, purchase, and trade hacked or stolen data and other contraband, including stolen access devices, tools for committing cybercrime, breached databases, and other services for gaining unauthorized access to victim systems.
An individual could access the BreachForums website without a membership. However, the website required an individual to sign up for a membership to solicit items for sale, with different tiers of membership. BreachForums included a “Marketplace” section that was dedicated to the buying and selling of hacked or stolen data, tools for committing cybercrime, and other illicit material.
Fitzpatrick offered a “middleman” service in which he acted as a trusted middleman, or escrow, between individuals on the website who sought to buy and sell information. As of March 7, 2023, the official section purported to contain 888 datasets, consisting of over 14 billion individual records. These databases included a wide variety of both U.S. and foreign companies, organizations, and government agencies.
BreachForums had approximately 333,412 members as of March 14, 2023. It was the largest English-language data breach forum of its kind at the time it went offline. Fitzpatrick and his co-conspirators gained at least $698,714 through his now-admitted criminal conduct.
In September 2022, a BreachForums user sought advice on how to monetize a breached e-commerce database that included approximately 16 million records. Fitzpatrick used a BreachForums private message to reply that “I[‘]d try getting money out of them first, and if they refuse try selling it.” Fitzpatrick then explained that he would value the database at about “a few thousand” after the user sought pricing guidance.
Law enforcement performed a digital forensic examination of Fitzpatrick’s devices, which revealed he had saved child pornography in two folders. Many of the files had file names and phrases indicative of child pornography, such as “14yo,” “15yo,” and “Hebephilia.”