Breachforums Boss to Pay $700k in Healthcare Breach – Krebs on Safety


Thank you for reading this post, don't forget to subscribe!

In what consultants are calling a novel authorized final result, the 22-year-old former administrator of the cybercrime group Breachforums will forfeit practically $700,000 to settle a civil lawsuit from a medical health insurance firm whose buyer knowledge was posted on the market on the discussion board in 2023. Conor Brian Fitzpatrick, a.ok.a. “Pompompurin,” is slated for resentencing subsequent month after pleading responsible to entry gadget fraud and possession of kid sexual abuse materials (CSAM).

A redacted screenshot of the Breachforums gross sales thread. Picture: Ke-la.com.

On January 18, 2023, denizens of Breachforums posted on the market tens of 1000’s of information — together with Social Safety numbers, dates of delivery, addresses, and telephone numbers  — stolen from Nonstop Well being, an insurance coverage supplier based mostly in Harmony, Calif.

Class-action attorneys sued Nonstop Well being, which added Fitzpatrick as a third-party defendant to the civil litigation in November 2023, a number of months after he was arrested by the FBI and criminally charged with entry gadget fraud and CSAM possession. In January 2025, Nonstop agreed to pay $1.5 million to settle the category motion.

Jill Fertel is a former federal prosecutor who runs the cyber litigation apply at Cipriani & Warner, the legislation agency that represented Nonstop Well being. Fertel instructed KrebsOnSecurity that is the primary and solely case the place a cybercriminal or anybody associated to the safety incident was truly named in civil litigation.

“Civil plaintiffs are in no way prone to see cash seized from menace actors concerned within the incident to be made out there to individuals impacted by the breach,” Fertel mentioned. “The perfect we might do was make this cash out there to the category, nevertheless it’s nonetheless incumbent on the members of the category who’re impacted to make that declare.”

Mark Rasch is a former federal prosecutor who now represents Unit 221B, a cybersecurity agency based mostly in New York Metropolis. Rasch mentioned he doesn’t doubt that the civil settlement involving Fitzpatrick’s felony exercise is a novel authorized improvement.

“It’s uncommon in these civil instances that you realize the menace actor concerned within the breach, and it’s additionally uncommon that you just catch them with adequate sources to have the ability to pay a declare,” Rasch mentioned.

Regardless of admitting to possessing greater than 600 CSAM pictures and personally working Breachforums, Fitzpatrick was sentenced in January 2024 to time served and 20 years of supervised launch. Federal prosecutors objected, arguing that his punishment didn’t adequately mirror the seriousness of his crimes or function a deterrent.

An excerpt from a pre-sentencing report for Fitzpatrick signifies he had greater than 600 CSAM pictures on his units.

Certainly, the identical month he was sentenced Fitzpatrick was rearrested (PDF) for violating the phrases of his launch, which forbade him from utilizing a pc that didn’t have court-required monitoring software program put in.

Federal prosecutors mentioned Fitzpatrick went on Discord following his responsible plea and professed innocence to the very crimes to which he’d pleaded responsible, stating that his plea deal was “so BS” and that he had “needed to battle it.” The feds mentioned Fitzpatrick additionally joked along with his mates about promoting knowledge to overseas governments, exhorting one consumer to “change into a overseas asset to china or russia,” and to “promote authorities secrets and techniques.”

In January 2025, a federal appeals court docket agreed with the federal government’s evaluation, vacating Fitzpatrick’s sentence and ordering him to be resentenced on June 3, 2025.

Fitzpatrick launched BreachForums in March 2022 to interchange RaidForums, a equally widespread crime discussion board that was infiltrated and shut down by the FBI the earlier month. As administrator, his alter ego Pompompurin served because the intermediary, personally reviewing all databases on the market on the discussion board and providing an escrow service to these fascinated by shopping for stolen knowledge.

A yearbook picture of Fitzpatrick unearthed by the Yonkers Occasions.

The brand new web site shortly attracted greater than 300,000 customers, and facilitated the sale of databases stolen from a whole lot of hacking victims, together with a number of the largest client knowledge breaches in current historical past. In Could 2024, a reincarnation of Breachforums was seized by the FBI and worldwide companions. Nonetheless extra relaunches of the discussion board occurred after that, with the newest disruption final month.

As KrebsOnSecurity reported final 12 months in The Darkish Nexus Between Hurt Teams and The Com, it’s more and more widespread for federal investigators to seek out CSAM materials when looking units seized from cybercriminal suspects. Whereas the mere possession of CSAM is a severe federal crime, not all of these caught with CSAM are essentially creators or distributors of it. Fertel mentioned some cybercriminal communities have been identified to require new entrants to share CSAM materials as a method of proving that they don’t seem to be a federal investigator.

“In case you’re going to the darkest corners of Web, that’s the way you show you’re not legislation enforcement,” Fertel mentioned. “Regulation enforcement would by no means share that materials. It could be felony for me as a prosecutor, if I obtained and possessed these kinds of pictures.”

Additional studying: The settlement between Fitzpatrick and Nonstop (PDF).