How the FBI caught the BreachForums admin

On Friday, the U.S. Justice Department announced that the now-arrested alleged administrator of the notorious hacking forum BreachForums facilitated the sale and purchase of private information that belonged to “millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies.”
In a press release, prosecutors confirmed the arrest of Conor Fitzpatrick, 20, aka Pompompurin, of Peekskill, New York. Fitzpatrick is charged with one count of conspiracy to commit access device fraud, subject to a maximum of five years in prison if convicted.
In order to prove that BreachForums facilitated the sale and purchase of stolen or hacked data, FBI undercover agents bought five sets of data: one of data stolen from an unnamed U.S. web hosting and security services company, which contained names, addresses, phone numbers, usernames, password hashes, and email addresses for about 8,000 customers, as well as payment card information for 1,900 customers; another dataset stolen from an unnamed U.S.-based investment company, containing at least 5 million email addresses; one containing the private information of “large numbers of U.S. persons,” including full names, email addresses, phone numbers, home addresses, birthdates, Social Security numbers, driver’s license numbers, bank names, routing numbers, and account numbers; another from the same seller, which contained private information and bank account information of around 15 million U.S. persons; and one other set of data taken from a U.S. healthcare company.
The feds collected several pieces of evidence to nab Pompompurin. First they obtained the IP addresses that Pompompurin used to access RaidForums, the predecessor of BreachForums, which was seized by the FBI in April 2022. Nine of these IP addresses were associated with Fitzpatrick, according to his internet service provider Verizon, as FBI Special Agent John Longmire wrote in the affidavit dated March 15, two days before Fitzpatrick’s arrest.
In a spectacular snafu on the hacker’s part, Longmire wrote that the second piece of evidence came from Pompompurin himself. In a chat with the RaidForums admin, Pompompurin said he noticed a data breach posted on the site didn’t include “one of my old emails,” which he had looked up on the legitimate data breach notification website Have I Been Pwned.
Although Pompompurin then said “(I don’t want to share my actual email for obvious reasons, but this email seems to have the same case as mine): conorfitzpatrick02@gmail.com,” the agent wrote in the affidavit that that email address was indeed Pompompurin’s, because the FBI obtained records from Google showing that Fitzpatrick registered that address months before that chat. The alleged hacker also had Google Pay accounts linked to both that email address and a newer one, “conorfitzpatrick2002@gmail.com,” both linked to a phone number owned by Fitzpatrick, according to the affidavit.
Moreover, the agent wrote that he obtained more records from Google, which showed that conorfitzpatrick2002@gmail.com had a recovery email address, funmc59tm@gmail.com, linked to an IP address registered to someone with the last name Fitzpatrick and a different phone number, which the agent said he believed belonged to Fitzpatrick’s father.
Then, according to the affidavit, Pompompurin used several VPNs to connect to his Gmail account, some of which overlap with his activity elsewhere on the internet.
The agent also said that the FBI obtained records from the cryptocurrency exchange Purse.io. The company’s records revealed that four of the IP addresses used to connect to the exchange were also used to connect to the conorfitzpatrick2002@gmail.com Gmail account and to Pompompurin’s RaidForums account. Moreover, that Purse.io account was registered with the name Conor Fitzpatrick and the email address “conorfitzpatrick2002@gmail.com,” the affidavit said.
Those four IP addresses, according to the agent, were owned by VPN providers, which Pompompurin also used to connect to the “conorfitzpatrick2002@gmail.com” account.
Another VPN IP address was also used to log into a Zoom account under the name “pompompurin” associated with a Riseup email address that was also used to register his RaidForums account, according to the affidavit.
Records from Purse.io also showed that Fitzpatrick’s account purchased “several items” and shipped them to his address, with the phone number the feds had already established was his. Also, seven out of nine IP addresses used to connect to Purse.io were also used to connect to Pompompurin’s account on RaidForums. And, finally, the Purse.io account “was funded exclusively by a Bitcoin address that Pompompurin had discussed in posts on RaidForums,” per the affidavit.
The evidence doesn’t stop there. In a database of RaidForums forum activity, the feds saw that Pompompurin accessed his account from an IP address registered to Fitzpatrick’s father at the same home address previously identified by the authorities, according to the affidavit.
That same IP address was used to access an iCloud account associated with Fitzpatrick, Longmire wrote in the affidavit.
Moreover, Longmire noted that the accounts with the handle Pompompurin on RaidForums and BreachForums were likely owned by the same person, as Pompompurin wrote in a post on BreachForums: “if you used RaidForums you probably remember me, I was one of the more active users on there,” and the new Pompompurin account on BreachForums “alluded to past activity by the pompompurin account on RaidForums.”
Finally, Longmire wrote that the FBI obtained a warrant to get Fitzpatrick’s real-time phone GPS location from Verizon, allowing agents to observe that Pompompurin was logged in to BreachForums while his phone’s location showed he was at his home.
The feds also surveilled Fitzpatrick at his home while agents noted that Pompompurin’s account was active on the forum.
This trove of evidence allowed law enforcement to obtain a warrant to search Fitzpatrick’s house, where he agreed to speak to the agents and “admitted that he is the user of the pompompurin account,” and that “he owns and administers BreachForums and previously operated the pompompurin account on RaidForums.”
The FBI did not immediately respond to a request for comment. Fitzpatrick’s lawyer also did not respond to a request for comment.
Ironically, Fitzpatrick may have thought this day would come when he launched BreachForums. In an interview on the Data Knight website, the interviewer asked him, “Don’t you think that there’s a reason that the FBI took down RaidForums? Why would you want to bring it back up knowing that you may face that same fate regardless of what it [may be]?”
Pompompurin responded: “It doesn’t really bother me. If I get arrested one day it also wouldn’t surprise me, but as I said I have a trusted person who will have full access to everything needed to relaunch it without me.”
The Justice Department said in its Friday statement that it had also “conducted a disruption operation that caused BreachForums to go offline.” When reached for comment, DOJ spokesperson Joshua Stueve declined to elaborate. At the time of publication, BreachForums was inaccessible, displaying an error saying “bad gateway,” but the domain still appeared to be in the control of the site’s current administrator.
Following the Justice Department’s announcement of Fitzpatrick’s arrest, the person who took over from him, known as Baphomet, announced they would shut down the forum.
On Friday, after the affidavit was circulated online, Baphomet wrote a message on a Telegram channel, saying “the most important thing right now of our community is to be aware that the FBI is now confirmed to have access to the Breached database,” and “at this point the entire document will clearly show what I’ve said for the entirety of my time on Breached, and that you shouldn’t trust anyone to handle your own OPSEC. I never made this assumption as an admin, and no one else should have either.”
That’s why, Baphomet added, “Simply piling everyone back into the same community without any thought of how we properly move forward safely is basically a death trap.”
Do you have information about BreachForums? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@robotechcompany.com.com. You can also contact robotechcompany.com via SecureDrop.