BreachForums founder resentenced to 3 years prison, former freebie deal revoked by US courts

The 22-year-old mastermind behind the notorious BreachForums hacker market, Conor Fitzpatrick, is heading back to jail after a federal appeals court decided to revoke his original 17-day time served – instead handing down a three-year prison sentence.

BreachForums founder Colin Brian Fitzpatrick has just been sentenced to serve three years in a federal prison, according to a US Department of Justice announcement released on Tuesday.

The re-sentencing is still a far cry from federal prosecutors' original request for 15 years of jail time, but definitely a step up from the 17 days of “time served” for his miscreant behavior.

The feds first arrested Fitzpatrick, who was 20 years old at the time, in March 2023 over his involvement in curating the infamous cybercrime marketplace under his administrator alias Pompompurin.

The DoJ describes BreachForums as “a marketplace for cybercriminals to buy, sell, and trade hacked or stolen data and other contraband, and for possessing child sexual abuse material (CSAM).”

The teen hacker from Peekskill, New York, had been running the BreachForums site for nearly a year as a replacement for the now-defunct hacker site, Raidforums, before the FBI seizure.

In January 2024, Fitzpatrick was sentenced to 20 years under supervised release (two years home arrest) – meaning zero prison time – considered by many in the hacker community as a slap on the wrist.

Prosecutors, who had called the deal "substantively unreasonable," successfully won an appeal to resentence Fitzpatrick this past January, thus the new sentencing on September 16th.

“As part of the original plea agreement, Fitzpatrick agreed to forfeit over 100 domain names, more than a dozen electronic devices," according to the DoJ release, as well as $700,00 in restitution to one of its victims, healthcare provider Nonstop Health, and $3,000 to each victim impacted.

As part of Tuesday’s resentencing, Fitzpatrick will have to fork over exactly $1,016,786.51 in additional restitution.

The allegations

“Conor Fitzpatrick personally profited from the sale of vast quantities of stolen information, ranging from private personal information to commercial data,” said US Attorney Erik S. Siebert for the Eastern District of Virginia.

“These crimes were so extensive that the damage is difficult to quantify, and the human cost of his collection of child sexual abuse material is incalculable. We will not allow criminals to hide in the darkest corners of the internet and will use all legal means to bring them to justice,” Siebert said.

Launched in March 2022, BreachForums rapidly developed into one of the world’s largest English-language hacking forums with over 330,000 members, according to court documents.

Besides the plentitude of "bank account information, social security numbers, personal identifying information (PII), usernames, and associated passwords" put up for sale on the hacker forum, BreachForums became a cesspool for cybercriminals to trade hacking tools, know-how, and other illicit material.

Fitzpatrick directly sold memberships and "access to verified hacked databases through a ‘credits’ system administered by the platform,” the DoJ continued, offering up “at least 888 datasets of stolen information containing over 14 billion individual records of PII.”

These databases "belong to a wide variety of both US and foreign companies, organizations, critical infrastructure, and government agencies," officials noted, including companies such as AT&T, T-Mobile, ADT, the EPA, InfraGuard, Beeline, Acer, Activision, and WhatsApp, and more recently, TikTok, OpenAI, and Trump Hotels, among hundreds of others.

Rough ride

In between Fitzpatrick’s many court appearances, the hacker had been unable to keep his nose clean, possibly a catalyst for the court’s vacated sentence.

Days before his original sentencing, Fitzpatrick was caught violating his parole requirements by using a VPN service on his computer without the court-prescribed monitoring software enabled.

Before that, Fitzpatrick’s was found with over 600 images and videos depicting children under the age of 12 “engaging in sexually explicit conduct,” adding no contact with minors to his already heavily restricted computer use.

Diagnosed with autism spectrum disorder, Fitzpatrick had even attempted suicide at one point, leading to questions about his mental health and his capacity to stand trial and serve time – all contributing factors leading to the judge's lenient sentence.

In the end, Fitzpatrick – charged with conspiracy to commit access device fraud, access device fraud leading to unauthorized solicitation, and possession of child pornography in July 2023 – pleaded guilty to all three counts, avoiding a trial altogether.

Get out of jail free

Fitzpatrick had been released on $300,000 bail following his March arrest until his court-appointed “get out of jail free” card.

The light sentence had spurred rumors that Fitzpatrick had made a deal to help the FBI with the inside workings of the hacker marketplace, which at the time was resurrected by his second in command, Baphomet, also arrested by the FBI months later.

The now Salesforce-linked hacker gang, Shiny Hunters, took over as BreachForums administrator after Baphomet’s arrest, relaunching the site through several iterations, URLs, hacking attempts, and a revolving door of administrators, over the years.

Breached, a shortened moniker for the cybercriminal forum, which has continued to evade law enforcement attempts to shutter the site, allegedly met its final demise with the arrest of several members of the Shiny Hunters group in June, and is reportedly back under the control of the FBI, with any BreachForums site considered a possible honeypot.

Unlock more exclusive Cybernews content on YouTube.