In what experts are calling a novel legal outcome, the 22-year-old former administrator of the cybercrime community Breachforums will forfeit nearly $700,000 to settle a civil lawsuit from a health insurance company whose customer data was posted for sale on the forum in 2023. Conor Brian Fitzpatrick, a.k.a. “Pompompurin,” is slated for resentencing next month after pleading guilty to access device fraud and possession of child sexual abuse material (CSAM).
A redacted screenshot of the Breachforums sales thread. Image: Ke-la.com.
On January 18, 2023, denizens of Breachforums posted for sale tens of thousands of records — including Social Security numbers, dates of birth, addresses, and phone numbers — stolen from Nonstop Health, an insurance provider based in Concord, Calif.
Class-action attorneys sued Nonstop Health, which added Fitzpatrick as a third-party defendant to the civil litigation in November 2023, several months after he was arrested by the FBI and criminally charged with access device fraud and CSAM possession. In January 2025, Nonstop agreed to pay $1.5 million to settle the class action.
Jill Fertel is a former prosecutor who runs the cyber litigation practice at Cipriani & Werner, the law firm that represented Nonstop Health. Fertel told KrebsOnSecurity this is the first and only case where a cybercriminal or anyone related to the security incident was actually named in civil litigation.
“Civil plaintiffs are not at all likely to see money seized from threat actors involved in the incident to be made available to people impacted by the breach,” Fertel said. “The best we could do was make this money available to the class, but it’s still incumbent on the members of the class who are impacted to make that claim.”
Mark Rasch is a former federal prosecutor who now represents Unit 221B, a cybersecurity firm based in New York City. Rasch said he doesn’t doubt that the civil settlement involving Fitzpatrick’s criminal activity is a novel legal development.
“It is rare in these civil cases that you know the threat actor involved in the breach, and it’s also rare that you catch them with sufficient resources to be able to pay a claim,” Rasch said.
Despite admitting to possessing more than 600 CSAM images and personally operating Breachforums, Fitzpatrick was sentenced in January 2024 to time served and 20 years of supervised release. Federal prosecutors objected, arguing that his punishment didn’t adequately reflect the seriousness of his crimes or serve as a deterrent.
An excerpt from a pre-sentencing report for Fitzpatrick indicates he had more than 600 CSAM images on his devices.
Indeed, the same month he was sentenced Fitzpatrick was rearrested (PDF) for violating the terms of his release, which forbade him from using a computer that didn’t have court-required monitoring software installed.
Federal prosecutors said Fitzpatrick went on Discord following his guilty plea and professed innocence to the very crimes to which he’d pleaded guilty, stating that his plea deal was “so BS” and that he had “wanted to fight it.” The feds said Fitzpatrick also joked with his friends about selling data to foreign governments, exhorting one user to “become a foreign asset to china or russia,” and to “sell government secrets.”
In January 2025, a federal appeals court agreed with the government’s assessment, vacating Fitzpatrick’s sentence and ordering him to be resentenced on June 3, 2025.
Fitzpatrick launched Breachforums in March 2022 to replace RaidForums, a similarly popular crime forum that was infiltrated and shut down by the FBI the previous month. As administrator, his alter ego Pompompurin served as the middleman, personally reviewing all databases for sale on the forum and offering an escrow service to those interested in buying stolen data.
A yearbook photo of Fitzpatrick unearthed by the Yonkers Times.
The new site quickly attracted more than 300,000 users, and facilitated the sale of databases stolen from hundreds of hacking victims, including some of the largest consumer data breaches in recent history. In May 2024, a reincarnation of Breachforums was seized by the FBI and international partners. Still more relaunches of the forum occurred after that, with the most recent disruption last month.
As KrebsOnSecurity reported last year in The Dark Nexus Between Harm Groups and The Com, it’s increasingly common for federal investigators to find CSAM material when searching devices seized from cybercriminal suspects. While the mere possession of CSAM is a serious federal crime, not all of those caught with CSAM are necessarily creators or distributors of it. Fertel said some cybercriminal communities have been known to require new entrants to share CSAM material as a way of proving that they are not a federal investigator.
“If you’re going to the darkest corners of Internet, that’s how you prove you’re not law enforcement,” Fertel said. “Law enforcement would never share that material. It would be criminal for me as a prosecutor, if I obtained and possessed those types of images.”
Further reading: The settlement between Fitzpatrick and Nonstop (PDF).