Wave of Arrests Hits Cybercriminals

BreachForums Administrator Pompompurin, two Doxbin staff members identified

On March 15, 2023, the FBI arrested a Peekskill, New York man identified as Pompompurin, an administrator and owner of the cybercrime forum BreachForums. Court documents submitted by FBI agent John Longmore identify him as Conor Brian Fitzpatrick. The arrest follows several exploits on the cybercrime forum that directly targeted the US government, including Pompompurin‘s November 2021 stunt of using FBI email systems (LEEP – Law Enforcement Enterprise Portal) to send spam and the recent hack and sale of DC Health Link data by the threat actor IntelBroker. Pompompurin has also leaked information from other targets, such as the data of 7 million users of the cryptocurrency trading platform Robin Hood.

This follows news of the US Justice Department charging two Doxbin staff members with conspiracy to commit computer intrusions and wire fraud. Of the two accused, Sagar Steven Singh (Weep) was apprehended by authorities, while Nicholas Ceraolo (Convict / Anon / Ominous) remained at large.

Figure 1: Affidavit submitted to the US District Court in the Southern District of New York.

BreachForums first emerged in March of 2022 as an alternative to RaidForums, which had been seized in a collaborative effort by international law enforcement agencies following the arrest of its administrator, Diogo Santos Coelho, AKA Omnipotent. To smooth the transition from RaidForums to BreachForums, Pompompurin used a theme similar to RaidForums’ and allowed previous members of RaidForums to retain their paid ranks. BreachForums hosts 336,800 members and has been home to many notable leaks and data breaches since its inception. Pompompurin has had a long-running feud with Vinny Troia, the owner of Nightlion Security. The conflict was born out of Troia’s attribution of Pompompurin as Whitepacket, which was later proven false. The feud resulted in website defacements falsely crediting Vinny Troia for the hacks, as well as the NightLion worm, previously covered by Cyble.

Troia was not the only party in conflict with Pompompurin and members of BreachForums: Intelx founder Peter Kleissner had his and his family’s PII (Personally Identifiable Information) published on the forum. Intelx has also stated that Pompompurin boasted about registering on their platform, and that it has shared the metadata from this account with authorities.

The forum is currently under the leadership of its secondary administrator, Baphomet, who stated that Pompompurin‘s access to the forum had been restricted. The forum is undergoing maintenance to move its infrastructure to new hosts and is inaccessible as of March 20, 2023.

Figure 2: Official announcement on the cybercrime forum

Figure 3: Announcement by the forum’s current administrator on the downtime

One consequence of this arrest could be law enforcement gaining access to information on illicit dealings on the forum. Pompompurin is also known as the forum’s primary middleman, acting as a trusted third party between sellers of stolen databases and unauthorized accesses and their buyers, without charging any fees. This seemingly charitable role gave Pompompurin access to users’ databases, wallet information, Telegram handles, and other information that could be used to further indict or incriminate individuals involved in the forum. This possibility was discussed by forum members, with Baphomet stating that he is likely law enforcement’s next target.

Figure 4: Shoutbox chatter following the arrest

Notably, immediately following the arrest, the website leaked Conor’s personal information and that of his family.

Figure 5: Dox of Pompompurin, following his arrest

At the other end of the spectrum, Pompompurin’s profile page on the cybercrime forum was flooded with messages from forum members expressing sympathy and pledging financial support.

Figure 6: Support messages for Pompompurin

Conclusion

The legal outcome of this arrest remains to be seen. The likely impact of the arrests on the wider cybercrime ecosystem is greater hypervigilance, a shift to end-to-end (E2E) encrypted messaging applications such as Keybase and Matrix, and more widespread use of verification methods such as PGP keys for communication, as used by the forum’s current administrator in his messages to the community.

Cybercriminals are aware of cyber threat intelligence companies monitoring them, as evidenced by comments made after the arrests. Cyble will continue to monitor and report these activities and developments on cybercrime forums.
