The Rise and Fall of Pompompurin: How a 19-Year-Old Built the World's Largest Cybercrime Marketplace

Breached Company

Breached Company

13 min read
The Rise and Fall of Pompompurin: How a 19-Year-Old Built the World's Largest Cybercrime Marketplace

From FBI hacker to forum founder: The extraordinary story of Conor Fitzpatrick and the controversial case that's reshaping cybercrime sentencing

In the pantheon of cybercriminal legends, few figures have captured the imagination quite like "Pompompurin"—a 19-year-old from Peekskill, New York, who built what became the largest English-language cybercrime marketplace in history. The story of Conor Brian Fitzpatrick is one of technical brilliance, operational security failures, legal controversy, and a criminal justice system grappling with how to handle young cybercriminals with mental health conditions.

Understanding the Impact of Ransomware Attacks: Three Prison Cases
Case of Conor Brian Fitzpatrick and BreachForums Russian TrickBot Malware Developer Sentenced to Prison in US The Case of Matthew Philbert Ransomware attacks pose significant threats to businesses and government entities, disrupting operations and compromising sensitive data. The recent sentencing of Matthew Philbert highlights the severity of such cybercrimes. Despite
Breached CompanyBreached Company

As appeals courts prepare to resentence Fitzpatrick following a shocking 17-day jail term that prosecutors called "substantively unreasonable," his case has become a defining moment in cybercrime law enforcement—raising fundamental questions about deterrence, mental health, and the true cost of digital crime.

Origins of a Digital Criminal: The Making of Pompompurin

Conor Brian Fitzpatrick's journey into cybercrime began not with grand ambitions of building a criminal empire, but as an active participant in the already-established RaidForums ecosystem. First observed in the underground in October 2020, the teenager quickly gained notoriety for consistently sharing high-profile databases and data leaks under the whimsical moniker "Pompompurin"—named after the Japanese Sanrio character.

Early Criminal Activities:

What separated Fitzpatrick from typical script kiddies was the audacity and scale of his operations. His breakthrough moment came in November 2021 with an attack that would cement his reputation in cybercriminal circles: the compromise of the FBI's email system.

The FBI Email Hack That Changed Everything

On November 13, 2021, Fitzpatrick exploited a vulnerability in the FBI's public-facing email system to send thousands of fake cybersecurity warnings to addresses from the American Registry for Internet Numbers database. The emails falsely claimed that cybersecurity researcher Vinny Troia had been identified as part of "The Dark Overlord" hacking group by the Department of Homeland Security.

This wasn't just a technical achievement—it was a master class in psychological warfare and public relations. By successfully sending emails from legitimate FBI addresses, Fitzpatrick demonstrated that even the nation's premier law enforcement agency wasn't immune to cyber intrusion. The FBI later confirmed the attack and remediated the software vulnerability, but the damage to their reputation was significant.

The Rise and Fall of USDoD: The Brazilian Hacker Who Shook the World
In the ever-evolving world of cybersecurity, few stories capture the imagination like that of USDoD, a notorious hacker who, until recently, operated in the shadows, evading law enforcement and wreaking havoc across global networks. Known for their audacious cyberattacks, USDoD, also associated with the infamous Equation Group, managed to steal
My Privacy BlogMy Privacy Blog

The hack served multiple purposes: it defamed a cybersecurity researcher, demonstrated Fitzpatrick's technical capabilities to the criminal underground, and established Pompompurin as a force to be reckoned with in the cybercrime ecosystem.

0:00
/0:37

Building an Empire: The Birth of BreachForums

When U.S. law enforcement seized RaidForums in April 2022, arresting its founder Diogo Santos Coelho (aka "Omnipotent"), the English-language cybercrime community faced a power vacuum. Multiple forums competed to fill the void, but Fitzpatrick had a crucial advantage: reputation, technical skill, and timing.

Strategic Positioning:

On March 16, 2022, just weeks after RaidForums' seizure, Fitzpatrick launched BreachForums with a clear value proposition: "If RaidForums does ever return in any official capacity, this forum will be closed and this domain will redirect to it." This statement demonstrated both confidence in his offering and respect for the legacy he was inheriting.

The forum's design was deliberately familiar—nearly identical to RaidForums in appearance and functionality. This wasn't accidental; Fitzpatrick understood that displaced users needed continuity, not innovation. The familiar interface reduced friction for migrating users while establishing BreachForums as the legitimate successor.

Technical Infrastructure and Operations:

BreachForums operated through multiple domains (.co, .cx, .is, .vc) with both clearnet and darknet access. The platform featured several key sections:

  • Leaks Market: Dedicated to buying and selling hacked or stolen data
  • Official Databases: Verified databases sold through a credits system
  • Escrow Services: Fitzpatrick personally facilitated high-value transactions
  • Community Sections: Non-criminal discussions to build user engagement

The Credits Economy:

Central to BreachForums' success was its credit system. Users could earn credits by contributing valuable data or purchase them directly ($0.25 per credit as of October 2022). This dual approach incentivized both active contribution and monetary investment, creating a self-sustaining economy around stolen data.

0:00
/0:49

Scale of the Criminal Enterprise

The numbers surrounding BreachForums are staggering and reflect the industrialization of cybercrime:

Volume and Impact:

  • Over 14 billion individual records hosted in the Official databases section
  • 888 verified datasets as of January 2023
  • 340,000+ registered members at the time of Fitzpatrick's arrest
  • From 1,500 to 192,000 members in just eight months (March-November 2022)

Notable Data Breaches Facilitated:

  • 200 million users from a major U.S. social networking site (January 2023)
  • 87,760 FBI InfraGard members compromised and sold (December 2022)
  • DC Health Link breach affecting congressional members and staff
  • Robinhood Markets customer data (5 million email addresses, 2 million names)
  • Twitter data breach involving millions of accounts (2022)
The IntelBroker Unmasking: Inside the $25 Million Cybercrime Empire That Shook the Dark Web
How the arrest of Kai West revealed the scope of modern cybercrime and the resilience of underground forums https://www.justice.gov/usao-sdny/media/1404616/dl?inline The cybersecurity world was shaken this week when federal prosecutors in New York unveiled criminal charges against Kai West, the 25-year-old British national
Breached CompanyBreached Company

Operational Security Failures: How Digital Footprints Led to Real-World Consequences

Despite running one of the world's most sophisticated cybercrime platforms, Fitzpatrick's operational security contained critical flaws that ultimately led to his downfall. The FBI's investigation revealed a comprehensive pattern of digital breadcrumbs connecting Pompompurin to Conor Fitzpatrick.

Critical OPSEC Failures:

  1. Real IP Address Exposure: On June 27, 2022, Fitzpatrick logged into BreachForums without using VPN or Tor, exposing his real IP address (69.115.201.194). This same address was used to access his personal iCloud account 97 times.
  2. Email Reuse Patterns: The same email address (conorfitzpatrick2002@gmail.com) was linked to multiple accounts including Purse.io cryptocurrency transactions and personal communications.
  3. Behavioral Correlations: FBI analysis revealed that Fitzpatrick's personal YouTube viewing patterns directly corresponded with Pompompurin's Forum-1 posts, creating a behavioral fingerprint.
  4. Geographic Tracking: Cell phone GPS data showed Fitzpatrick was at his home address when BreachForums administrative activities occurred.
  5. Financial Trails: Bitcoin transactions linked Pompompurin's criminal proceeds to accounts registered under Fitzpatrick's real identity.

The Investigation Techniques:

The FBI's investigation showcased sophisticated digital forensics:

  • Undercover Operations: FBI agents purchased stolen data directly from BreachForums
  • Blockchain Analysis: Tracing cryptocurrency transactions across multiple wallets
  • Digital Correlation Analysis: Matching behavioral patterns across platforms
  • Traditional Surveillance: Cell phone location tracking and physical surveillance

On March 15, 2023, at approximately 4:30 PM, FBI Special Agent John Longmire led a team that arrested Fitzpatrick at his family home in Peekskill, New York. The arrest was notably straightforward—Fitzpatrick immediately admitted his identity and role as BreachForums' administrator.

Immediate Admission: According to the FBI affidavit, when arrested, Fitzpatrick stated: "a) his name was Conor Brian Fitzpatrick; b) he used the alias 'pompompurin/' and c) he was the owner and administrator of 'BreachForums.'"

This immediate confession eliminated any ambiguity about identity and set the stage for the legal proceedings that would follow.

Charges Filed:

  • Conspiracy to commit access device fraud (18 U.S.C. § 1029)
  • Solicitation for the purpose of offering access devices
  • Possession of child pornography (over 600 images and videos)
United States v. Conor Brian Fitzpatrick
DOJ USAO Logo Eastern District of Virginia

The Controversial Sentencing: Mental Health vs. Criminal Justice

Fitzpatrick's sentencing proceedings became one of the most controversial cybercrime cases in recent memory, highlighting tensions between mental health considerations and criminal deterrence.

Prosecution's Position: Federal prosecutors sought 188-235 months imprisonment (approximately 15-19 years), arguing that:

  • BreachForums was the largest English-language cybercrime marketplace ever
  • The platform facilitated exponentially more crimes than individuals could commit alone
  • Deterrence was essential to prevent similar future crimes
  • Fitzpatrick's post-arrest behavior showed lack of remorse

Defense Strategy: Fitzpatrick's attorneys filed sealed medical records citing "confidential and medical information," focusing on:

  • Autism spectrum disorder diagnosis
  • Young age at the time of crimes (19-20 years old)
  • Alleged inability of Bureau of Prisons to provide adequate treatment
  • Risk of victimization in prison environment

District Court Decision: In January 2024, Judge Leonie M. Brinkema sentenced Fitzpatrick to just 17 days time served plus 20 years of supervised release, with the first two years as home confinement. The judge's reasoning included:

  • Autism diagnosis as mitigating factor
  • Concerns about prison's ability to handle his mental health needs
  • Belief that he would be "ravaged" in prison
  • Parental supervision as adequate alternative

https://www.justice.gov/usao-edva/file/1300536/dl?inline

Post-Sentencing Violations and Appellate Review

Even while awaiting sentencing, Fitzpatrick violated his pretrial release conditions multiple times, undermining arguments about his rehabilitation potential.

Documented Violations:

  • Used unauthorized devices to access the internet
  • Downloaded and used VPN services without permission
  • Participated in Discord chatrooms where he:
    • Called his plea deal "so BS"
    • Joked about selling government secrets
    • Encouraged others to "become a foreign asset to China or Russia"
    • Denied viewing child pornography despite his guilty plea

The Appeals Court Response:

The Fourth Circuit Court of Appeals delivered a scathing rebuke of the district court's sentencing decision in January 2025. Judge Paul V. Niemeyer wrote that the sentence was "substantively unreasonable" and represented an "abuse of discretion."

Key Appellate Findings:

  • The district court failed to adequately consider the seriousness of the offenses
  • Mental health diagnosis was given excessive weight compared to other factors
  • The sentence failed to serve deterrence or public protection purposes
  • Violations of pretrial release showed the ineffectiveness of home supervision
  • The extreme variance from guidelines (17 days vs. 188-235 months) lacked justification

Technical Legacy: The BreachForums Ecosystem

BreachForums' technical and operational innovations created lasting changes in how cybercrime marketplaces operate:

Platform Innovations:

  • Integrated Escrow System: Reduced transaction friction and built trust
  • Credit-Based Economy: Incentivized both contribution and monetary investment
  • Official Database Verification: Quality control that attracted serious buyers
  • Multi-Domain Strategy: Improved resilience against takedowns
  • Community Features: Non-criminal sections that improved user retention

Data Handling Sophistication: The platform's ability to process and categorize 14 billion records represented unprecedented scale in cybercrime. The "Official" section's verification process meant buyers could trust data authenticity—a crucial factor in building a sustainable criminal marketplace.

The Successor Problem: BreachForums After Pompompurin

Fitzpatrick's arrest created immediate succession challenges that illustrate the importance of leadership in cybercrime organizations.

Immediate Aftermath: Following the arrest, forum administrator "Baphomet" initially attempted to maintain operations but quickly shut down the forum on March 21, 2023, writing: "This will be my final update on Breached, as I've decided to shut it down... now that I've confirmed that the glowies likely have access to Pom's machine."

Revival Attempts: The forum was eventually resurrected in June 2023 under joint leadership of ShinyHunters and Baphomet, demonstrating both the demand for such platforms and the challenges of replacing charismatic leadership.

Continued Evolution:

  • Multiple seizures and revivals showed platform resilience
  • Leadership transferred to IntelBroker (later arrested as Kai West)
  • Current status remains in flux with various successor attempts

Broader Implications: Lessons for Cybersecurity and Law Enforcement

Fitzpatrick's case offers multiple lessons for different stakeholders in the cybersecurity ecosystem:

For Law Enforcement:

Investigative Techniques:

  • Digital forensics correlation across platforms proves highly effective
  • Behavioral analysis can create unique identification signatures
  • Financial trail analysis remains crucial despite cryptocurrency adoption
  • Undercover operations provide direct evidence of criminal activity

Sentencing Considerations:

  • Mental health factors must be balanced against deterrence needs
  • Supervision effectiveness depends on defendant cooperation
  • Public messaging about consequences affects future criminal behavior
  • International cooperation essential for global cybercrime

For Cybersecurity Professionals:

Platform Security:

  • OPSEC failures often involve basic security hygiene mistakes
  • Criminal sophistication doesn't guarantee operational security
  • Multiple attack vectors require comprehensive defensive strategies
  • User behavior analysis can reveal hidden connections

Threat Intelligence:

  • Forum leadership changes create intelligence opportunities
  • Data breach marketplaces follow predictable evolutionary patterns
  • Community dynamics affect platform longevity and reach
  • Economic factors drive criminal innovation and platform features

Sentencing Framework:

  • Mental health considerations vs. deterrence balance remains unresolved
  • Cybercrime scale requires updated sentencing guideline considerations
  • Supervision effectiveness varies significantly by defendant characteristics
  • Public perception of justice affects legal system credibility

The Mental Health Debate: Autism and Criminal Responsibility

Fitzpatrick's case has sparked broader discussions about how the criminal justice system should handle defendants with autism spectrum disorders.

Arguments for Consideration:

  • Autism can affect social understanding and impulse control
  • Prison environments may be particularly harmful for individuals with ASD
  • Treatment-focused approaches may be more effective than punishment
  • Young age combined with ASD suggests potential for rehabilitation

Arguments for Standard Sentencing:

  • Criminal sophistication demonstrates understanding of wrongdoing
  • Deterrence requires consistent consequences regardless of condition
  • Victims deserve justice independent of perpetrator's mental health
  • Special considerations could create unfair sentencing disparities

Precedential Concerns: The appeals court referenced United States v. Zuk, where excessive focus on autism diagnosis led to sentence vacation, suggesting courts are developing more nuanced approaches to balancing mental health factors with other sentencing considerations.

Economic Impact: The True Cost of BreachForums

While precise victim impact calculations remain sealed, available evidence suggests massive economic consequences:

Direct Financial Impact:

  • Millions of individuals' personal data exposed
  • Identity theft and fraud enabled by data sales
  • Corporate breach response costs
  • Credit monitoring and identity protection services
  • Law enforcement investigation resources

Indirect Consequences:

  • Reduced trust in digital systems
  • Increased cybersecurity spending requirements
  • Privacy law and regulation development
  • International cooperation resource allocation

Technical Evolution: How BreachForums Changed Cybercrime

BreachForums represented several innovations in cybercrime marketplace design:

User Experience Improvements:

  • Streamlined registration process lowered entry barriers
  • Professional-looking interface reduced stigma of participation
  • Credit system gamified illegal activity
  • Community sections normalized criminal behavior

Operational Efficiency:

  • Automated systems reduced manual administration
  • Escrow services increased transaction success rates
  • Database verification improved product quality
  • Multi-platform presence enhanced availability

International Implications: A Global Crime with Local Consequences

While BreachForums was operated from New York, its impact was truly global:

International Victim Impact:

  • Data from companies worldwide appeared on the platform
  • International law enforcement cooperation in investigation
  • Cross-border financial flows through cryptocurrency
  • Global customer base for stolen data

Diplomatic Consequences:

  • Strained relationships with countries whose citizens were victims
  • Questions about U.S. enforcement of international cybercrime
  • Debates over extradition and jurisdiction in digital crimes
  • Pressure for international cybercrime treaty development

The Resentencing: What's Next for Fitzpatrick

As Fitzpatrick awaits resentencing following the appellate court's vacation of his original sentence, several factors will likely influence the new outcome:

Likely Considerations:

  • Appeals court guidance about balancing factors
  • Post-conviction behavior and violations
  • Victim impact evidence previously minimized
  • Deterrence needs in current cybercrime environment
  • Updated mental health evaluations

Potential Outcomes:

  • Significantly longer prison sentence (closer to guidelines)
  • Enhanced supervision terms and conditions
  • Technology restrictions and monitoring
  • Restitution requirements for verified victims
  • Sex offender registration requirements

Legacy and Lessons: The Pompompurin Era's Lasting Impact

Fitzpatrick's brief but impactful criminal career offers multiple lessons for understanding modern cybercrime:

Criminal Innovation:

  • Technical skill alone insufficient for long-term operational security
  • Platform design affects user adoption and retention
  • Community building essential for sustainable criminal enterprises
  • Economic incentives drive participation more than ideology

Law Enforcement Evolution:

  • Digital forensics techniques continue advancing rapidly
  • International cooperation crucial for global cybercrime
  • Undercover operations remain highly effective
  • Financial analysis provides unique identification opportunities
  • Traditional sentencing frameworks struggle with digital crime scale
  • Mental health considerations require careful balancing
  • Deterrence messaging affects future criminal behavior
  • Public confidence in justice depends on proportionate sentences

Cybersecurity Implications:

  • Individual criminals can cause massive systemic damage
  • Platform resilience requires addressing human factors
  • Economic incentives shape criminal marketplace evolution
  • Community dynamics affect threat persistence

Conclusion: The Continuing Evolution of Cybercrime

The story of Conor Fitzpatrick—the teenager who became Pompompurin and built the world's largest cybercrime marketplace—represents both the democratization of digital crime and the evolving challenge of cybersecurity in the 21st century.

Key Takeaways:

  1. Individual Impact at Scale: A single motivated individual with technical skills can cause tens of millions of dollars in damage and affect millions of victims worldwide.
  2. Mental Health and Criminal Justice: The legal system continues grappling with how to balance mental health considerations against the need for deterrence and public protection.
  3. Operational Security Paradox: Even sophisticated criminal operations often fail due to basic security mistakes, highlighting the importance of comprehensive OPSEC training and implementation.
  4. Platform Resilience: Criminal marketplaces demonstrate remarkable resilience, with new iterations emerging rapidly after law enforcement actions.
  5. International Cooperation: Effective cybercrime enforcement requires unprecedented levels of international cooperation and resource sharing.

The Road Ahead:

As Fitzpatrick awaits resentencing and the cybercrime ecosystem continues evolving, several trends seem clear:

  • Enhanced Prosecution: Law enforcement agencies are developing more sophisticated techniques for investigating and prosecuting cybercrime
  • Legal Framework Evolution: Courts are developing more nuanced approaches to balancing various sentencing factors in cybercrime cases
  • Technical Arms Race: Both criminals and defenders continue innovating, driving rapid technological change
  • Global Governance: International bodies are working toward better coordination in combating transnational cybercrime

Final Reflection:

The Pompompurin case serves as a stark reminder that in our interconnected digital world, the actions of a single individual can have global consequences. As we continue building digital infrastructure and online communities, we must remain vigilant about both the technical and human factors that enable cybercrime.

The story isn't over. As new platforms emerge and new actors take the stage, the lessons learned from Fitzpatrick's rise and fall will inform both our defensive strategies and our understanding of the evolving threat landscape. In the end, cybersecurity isn't just about technology—it's about understanding human behavior, motivation, and the complex interplay between individual actions and systemic consequences.

Whether Fitzpatrick's eventual resentencing will serve as the deterrent that prosecutors hope remains to be seen. What's certain is that his case has already changed how we think about cybercrime, mental health in criminal justice, and the true cost of digital platforms built on stolen data. The legacy of Pompompurin will continue influencing cybersecurity and criminal justice for years to come.

Read more

2025: The Year Law Enforcement Struck Back - A Comprehensive Review of Major Cybercriminal Takedowns

How international cooperation and sophisticated investigative techniques delivered unprecedented blows to global cybercrime networks The year 2025 has emerged as a watershed moment in the fight against cybercrime, with law enforcement agencies worldwide delivering a series of devastating blows to criminal networks that had previously operated with near impunity. From

By Breached Company