The FBI’s BreachForums bust is causing ‘chaos in the cybercrime underground’

On March 16, 2022, a month after the FBI took down a popular online forum for buying and selling stolen data known as RaidForums, another criminal marketplace quickly sprung up to take its place. The title of the first post on the new forum, known as BreachForums, simply said “Welcome.”
Over the next year, the forum administered by “pompompurin” would post hacked data related to roughly 14 billion people globally, according to the FBI, and become one of the most prolific cybercrime forums in the world. It hosted breaches that included data related to 7 million Robinhood customers in November 2021, 23 terabytes of Shanghai National Police data in June 2022 and, more recently, roughly 60,000 records from the D.C. Health Link insurance exchange, exposing the personal details of members of Congress, their families and staffs and tens of thousands of other Washington area residents.
All of that came to an end last week after the FBI arrested a 20-year-old named Conor Fitzpatrick, who the bureau believes operated BreachForums from his parents’ house in a small town about 40 miles from New York City. Fitzpatrick admitted to being pompompurin and to owning and operating the forum, and claimed to earn roughly $1,000 per day trading in stolen data, according to a detailed affidavit published Friday when he was scheduled to appear in federal court in the Eastern District of Virginia.
The dramatic fall of one of the preeminent cybercrime communities on the internet may have major implications for the cybercrime underground, experts say. Not only will hackers looking to sell data have to find a new venue, threat researchers who track illicit activity by cross-referencing posts and monikers across sites will have to find new ways in, too.
“In the short term, we’ll see chaos in the cybercrime underground because of many looking for a new place to call home,” said William Thomas, a UK-based cybersecurity researcher. “It takes time and effort to build up a reputation on a cybercrime forum and losing it overnight will affect the illicit earnings of many. This ‘new home’ could come in the form of another new forum started from scratch by some of the former members of BreachForums or we may see users flock to a new site.”
Some users may go to other established forums, Thomas said, and he’s also seen Telegram channels already popping up “in the meantime while the underground community decides what to do.”
Fitzpatrick, who was living in Peekskill, New York, had already established himself within the cybercrime community before he started BreachForums. In November 2021, for instance, pompompurin was linked to tens of thousands of fake emails purportedly from the FBI. He later claimed to cybersecurity journalist Brian Krebs that he did it to show the vulnerability of the system.
He was arrested on March 15 and has so far been accused of only one crime: conspiracy to commit access device fraud. Fitzpatrick initially appeared in a federal court in New York on March 16 and was released on a $300,000 bond, according to court records, and ordered to appear in federal court in Virginia on Friday. According to a two-page statement the FBI filed with the federal courts, Fitzpatrick admitted to using the nickname “pompompurin” online, and said he was the owner and administrator of BreachForums.
BreachForums was one of several sites to emerge in the wake of RaidForums’ demise, but clearly the most successful, said Alexander Leslie, an associate threat intelligence analyst with Recorded Future. Over a period of several months BreachForums — known widely as “Breached” — began to establish itself, Leslie said, after a period of relatively low-level activity.
But after about six months, the forum built a vibrant community, and posters developed known personalities and brands, Leslie said. It established itself as a “mid-tier” source of stolen data in the wider international cybercrime ecosystem, which is dominated by Russian-speaking forums and other sites based in countries where law enforcement either turns a blind eye or is not as stringent about enforcing cybercrime laws.
Thomas said that Breached was initially met with “skepticism from the cybercrime underground,” but “persevered and became the largest English-speaking data broker forum anywhere across the deep or dark web.”
By January 2023, BreachForums’ “Official” section — which contained databases that had been vetted to a certain degree by Fitzpatrick — contained 879 datasets consisting of more than 14 billion individual records, according to the FBI affidavit.
Among those datasets was one that has gotten the attention of Congress and sparked several investigations.
On March 6, a user by the name of “IntelBroker” posted a listing for what they said was 170,000 health insurance enrollment records for people in the Washington, D.C., area. Soon thereafter, the post was pulled down and a second user known as “Denfur” posted a sample and then the full set of the data on March 9, which turned out to contain roughly 60,000 records for members of Congress, their staffs and families, and tens of thousands of people in the Washington area, stolen from D.C. Health Link. Denfur told CyberScoop they were Russian and the attack was meant to target U.S. government officials.
It’s not clear that the D.C. Health Link breach brought down BreachForums — it was not cited in the affidavit — but Leslie said the high-profile nature of the data could have been the final straw.
“It could have been D.C. Health Link … but I think it could have been a lot of things,” Leslie said. “It was this compounding, snowballing effect of continually having very serious breaches of multinational private companies, of third-party government contractors, of government entities, of critical infrastructure, that, like, reached a critical mass where law enforcement was probably like ‘we can’t let this go on any longer.’”
The FBI affidavit cites Fitzpatrick’s alleged involvement in data leaks himself, but also his role as a middleman for transactions in the sale of data involving an undercover FBI employee in at least one case. The affidavit also details apparent operational security failures that tied Fitzpatrick to running the site, including Fitzpatrick’s login data from the RaidForums takedown, which included IP addresses associated with Fitzpatrick’s phone and his house, and a personal Gmail address.
The affidavit also references the fact that the FBI has obtained a SQL database of forum activity on BreachForums, which could potentially lead to problems for the site’s users down the road.
Fitzpatrick and his attorneys did not respond to a request for comment after his arrest.
In the days after his arrest, “Baphomet,” a user Fitzpatrick had referred to as a “staff member” in earlier correspondence with CyberScoop, posted a series of statements urging calm and saying they were going to keep the site going. But on March 19, Baphomet said he’d seen indications of someone using Fitzpatrick’s admin accounts to log into a content delivery server after Fitzpatrick’s arrest, suggesting that “nothing can be assumed safe, whether it’s our configs, source code, or information about our users — the list is endless.” Therefore the site would be shut down for good.
“While the community of Breached will die, I’m going to continue conversations with some of the competitor forum admins and various service operators who reached out to me over the past few days. I’m hoping to work with some of these people to build a new community, that will have the best features of Breached, while reducing the attack surfaces we never properly addressed. As with things like this, I have no doubt our userbase may be absorbed by another community but if there is patience then I hope to bring something back that can rival any other community that may take our place,” Baphomet said in an online post.
What could happen, Leslie of Recorded Future speculated, is a “hydra-headed effect where threat actors who were popular on Breached start to fill the void by launching their own forums, which is kind of what we saw with BreachForums. Threat actors will rebrand, or some may temporarily retire from their activities and lay low for a long time.”