On Friday, US prosecutors unsealed court documents describing the case they had built against Conor Brian Fitzpatrick, a 20-year-old New Yorker who uses the online alias ‘pompompurin’. Fitzpatrick is accused of operating BreachForums, a website used to sell data obtained from data breaches of telcos, social media networks, internet service providers, investment advisors and hospitals. BreachForums was launched only a year ago, but the personal data made available via BreachForums included:
- Names and contact information for around 200 million users of a social networking site
- Names, Social Security numbers, dates of birth, health plan and enrollee information for 56,415 users of a health insurance exchange
- Personal information about the 87,760 members of InfraGard, a partnership between the FBI and private sector businesses that seeks to protect vital infrastructure
Prior to the creation of BreachForums, pompompurin had already established his reputation as an enemy of law enforcement by exploiting a software configuration flaw in an FBI portal to send thousands of bogus emails from the FBI’s own systems and internet addresses. The affidavit from the policeman who arrested Fitzpatrick on March 15 claims that Fitzpatrick admitted to being pompompurin.
Per a Department of Justice press release, Fitzpatrick…
…allegedly operated BreachForums as a marketplace for cybercriminals to buy, sell, and trade hacked or stolen data and other contraband since March 2022. Among the stolen items commonly sold on the platform were bank account information, social security numbers, other personally identifying information (PII), means of identification, hacking tools, breached databases, services for gaining unauthorized access to victim systems, and account login information for compromised online accounts with service providers and merchants.
BreachForums has now been taken offline. The forum administrators who remain at large seemingly decided it would be too dangerous to try to fight law enforcement who have already infiltrated BreachForums. A recent message to the Telegram channel associated with the forum (pictured above) suggests they will regroup and build a new criminal forum from scratch instead. BreachForums was a reincarnation of a previous hacker forum known as RaidForums, whose servers and domains were seized in April 2022.
Following the seizure of RaidForums last year, cybercriminals turned to BreachForums to buy and sell stolen data, including breached databases, hacking tools, and the personal and financial information of millions of U.S. citizens and businesses.
Fitzpatrick made money in several ways, including charging membership fees to users of the forum. He also acted as a trusted middleman, providing an escrow service between the hackers who sold data and the criminals who purchased it. Other customers purchased data directly from Fitzpatrick using the forum’s own form of currency.
…BreachForums directly sold access to verified hacked databases through a “credits” system administered by the platform. As of Jan. 11, the Official database section purported to contain 888 datasets, consisting of over 14 billion individual records. These databases belong to a wide variety of both U.S. and foreign companies, organizations, and government agencies.
Fitzpatrick faces up to five years in prison for conspiring to commit access device fraud.
The facts of this story speak for themselves and confirm what we have already known for a long time. An enormous amount of personal data is breached because of inadequate security. This sustains an underworld economy where hackers who compromise the data then seek customers who will pay for it, because the stolen information will fuel many other forms of organized crime. But I cannot stop myself reflecting on the difference between the youthful entrepreneurial vigor of the criminals who exchange data and the tired, staid and stagnant inertia of the businesses they steal from. Fitzpatrick is just 20 years old, but he was able to set up a marketplace for billions of personal records in less time than it takes the telecoms industry to schedule the agenda of the next conference call to discuss all the excuses for not exchanging intelligence any time soon. His marketplace had its own currency to facilitate the exchange of information, much like the RAG Fraud Blockchain, but whilst 340,000 criminals will rapidly sign up to an information exchange that charges them membership fees, many well-paid risk managers will shrug their shoulders and insist they cannot share intelligence even when they can access RAG’s exchange without charge!
Telcos and other big businesses seek praise for even the most trivial forms of intelligence sharing, before asserting that they lack the budget to do any more and that they need more support from governments and regulators. Meanwhile, those authorities are increasingly likely to complain that telcos do not exchange enough criminal intelligence. How can an immature but enterprising kid accomplish in months what the entire telecoms industry keeps failing to do, year after year? This cannot be explained away by claiming telcos obey data protection laws, because there would be far fewer breaches if those laws were fully respected. The ultimate cost is reflected in sky-high estimates of the economic harm done by fraud and in the need to send police to a 20-year-old’s house to arrest him. If only we could incentivize businesses to spend an appropriate amount on preventing and detecting crime, then the whole of society would benefit.