How the FBI caught the BreachForums admin
On Friday, the U.S. Justice Department announced that the now-arrested alleged administrator of the notorious hacking forum BreachForums facilitated the sale and purchase of private data that belonged to “millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies.”

In a statement, prosecutors confirmed the arrest of Conor Fitzpatrick, 20, aka Pompompurin, of Peekskill, New York. Fitzpatrick is charged with one count of conspiracy to commit access device fraud, subject to a maximum of five years in prison if convicted.

In order to prove that BreachForums facilitated the sale and purchase of stolen or hacked data, FBI undercover agents purchased five sets of data: one of data stolen from an unnamed U.S. web hosting and security services company, which contained names, addresses, phone numbers, usernames, password hashes, and email addresses for approximately 8,000 customers, as well as payment card information for 1,900 customers; another dataset stolen from an unnamed U.S.-based investment company, containing at least 5 million email addresses; one containing the personal information of “large numbers of U.S. persons,” including full names, email addresses, phone numbers, home addresses, birthdates, Social Security numbers, driver’s license numbers, bank names, routing numbers, and account numbers; another from the same seller, which contained personal information and bank account information of around 15 million U.S. persons; and one other set of data taken from a U.S. healthcare company.

The feds collected several pieces of evidence to nab Pompompurin. First they obtained the IP addresses that Pompompurin used to access RaidForums, the predecessor of BreachForums, which was seized by the FBI in April 2022. Nine of those IP addresses were associated with Fitzpatrick, according to his internet service provider Verizon, as FBI Special Agent John Longmire wrote in the affidavit dated March 15, two days before Fitzpatrick’s arrest.

In a spectacular snafu on the hacker’s part, Longmire wrote that the second piece of evidence came from Pompompurin himself. In a chat with the RaidForums admin, Pompompurin said he noticed that a data breach posted on the site didn’t include “one of my old emails,” which he had looked up on the legitimate data breach notification site Have I Been Pwned.

Although Pompompurin then said “(I don’t want to share my actual email for obvious reasons, but this email seems to have the same case as mine): conorfitzpatrick02@gmail.com,” the agent wrote in the affidavit that that email address was indeed Pompompurin’s, because the FBI obtained records from Google showing that Fitzpatrick registered that address months before that chat. The alleged hacker also had Google Pay accounts linked to both that email address and a more recent one, “conorfitzpatrick2002@gmail.com,” both tied to a phone number owned by Fitzpatrick, according to the affidavit.

Moreover, the agent wrote that he obtained more records from Google, which showed that conorfitzpatrick2002@gmail.com had a recovery email address, funmc59tm@gmail.com, linked to an IP address registered to someone with the last name Fitzpatrick and a different phone number, which the agent said he believed belonged to Fitzpatrick’s father.

Then, according to the affidavit, Pompompurin used several VPNs to connect to his Gmail account, some of which overlap with his activity elsewhere on the internet.

The agent also said that the FBI obtained records from the cryptocurrency exchange Purse.io. The company’s records revealed that four of the IP addresses used to connect to the exchange were also used to connect to the conorfitzpatrick2002@gmail.com Gmail account and to Pompompurin’s RaidForums account. Moreover, that Purse.io account was registered under the name Conor Fitzpatrick and the email address “conorfitzpatrick2002@gmail.com,” the affidavit said.

Those four IP addresses, according to the agent, were owned by VPN providers, which Pompompurin also used to connect to the “conorfitzpatrick2002@gmail.com” account.

Another VPN IP address was also used to log into a Zoom account under the name “pompompurin” associated with a Riseup email address that was also used to register his RaidForums account, according to the affidavit.

Records from Purse.io also showed that Fitzpatrick’s account purchased “several items” and shipped them to his address, with the phone number the feds had already established was his. Also, seven out of nine IP addresses used to connect to Purse.io were also used to connect to Pompompurin’s account on RaidForums. And, finally, the Purse.io account “was funded solely by a Bitcoin address that Pompompurin had mentioned in posts on RaidForums,” per the affidavit.

The evidence doesn’t stop there. In a database of RaidForums forum activity, the feds saw that Pompompurin accessed his account from an IP address registered to Fitzpatrick’s father at the same home address previously identified by the authorities, according to the affidavit.

That same IP address was used to access an iCloud account associated with Fitzpatrick, Longmire wrote in the affidavit.

Moreover, Longmire noted that the accounts with the handle Pompompurin on RaidForums and BreachForums were likely owned by the same person, as Pompompurin wrote in a post on BreachForums: “if you used RaidForums you most likely remember me, I was one of the more active users on there,” and the new Pompompurin account on BreachForums “alluded to past activity by the pompompurin account on RaidForums.”

Finally, Longmire wrote that the FBI obtained a warrant to get Fitzpatrick’s real-time cell phone GPS location from Verizon, allowing agents to observe that Pompompurin was logged in to BreachForums while his phone’s location showed he was at his home.

The feds also surveilled Fitzpatrick at his home while agents noted that Pompompurin’s account was active on the forum.

This trove of evidence allowed law enforcement to obtain a warrant to search Fitzpatrick’s house, where he agreed to speak to the agents and “admitted that he is the user of the pompompurin account,” and that “he owns and administers BreachForums and previously operated the pompompurin account on RaidForums.”

The FBI did not immediately respond to a request for comment. Fitzpatrick’s lawyer also did not respond to a request for comment.

Ironically, Fitzpatrick may have thought this day would come when he launched BreachForums. In an interview on the Data Knight website, the interviewer asked him, “Don’t you think that there’s a reason that the FBI took down RaidForums? Why would you want to bring it back up knowing that you may face that same fate regardless of what it [may be]?”

Pompompurin responded: “It doesn’t really bother me. If I get arrested one day it also wouldn’t surprise me, but as I said I have a trusted person who will have full access to everything needed to relaunch it without me.”

The Justice Department said in its Friday statement that it had also “conducted a disruption operation that caused BreachForums to go offline.” When reached for comment, DOJ spokesperson Joshua Stueve declined to elaborate. At the time of publication, BreachForums was inaccessible, displaying an error saying “bad gateway,” but the domain still appeared to be in the control of the site’s current administrator.

Following the Justice Department’s announcement of Fitzpatrick’s arrest, the person who took over from him, known as Baphomet, announced that they would shut down the forum.

On Friday, after the affidavit was circulated online, Baphomet wrote a message on a Telegram channel, saying “the most important thing right now of our community is to be aware that the FBI is now confirmed to have access to the Breached database,” and “at this point the entire document will clearly show what I’ve said for the entirety of my time on Breached, and that you shouldn’t trust anyone to handle your own OPSEC. I never made this assumption as an admin, and no one else should have either.”

That’s why, Baphomet added, “Simply piling everyone back into the same community without any thought of how we properly move forward safely is basically a death trap.”

Do you have information about BreachForums? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.