Report: "The arrest of the BreachForums admin"
Introduction
In this post, I’ll share my findings about BreachForums and its administrator, ‘pompompurin.’ This case reveals some fascinating legal angles and the resilience of cybercriminal networks.
What is BreachForums
BreachForums, also known as Breached, was an English-language hacking and cybercrime forum on the clear web. It offered stolen databases, hacking tools, adult content, and various subforums on programming, news and more.
Unlike some forums that require an invite or a paid membership, BreachForums let anyone walk in and register. No gatekeeping. It ran on a credit system: users could either buy credits with real money or earn them by posting stolen data. Simple, dirty economics.
The site was launched on March 4, 2022, following the seizure of a similar forum, RaidForums. It is reasonable to assume that law enforcement acted quickly and began efforts to take the forum down. The forum was hosted on DDoS-Guard, a Russian provider known for turning a blind eye to the kind of sites most hosts would shut down. Any takedown requests were ignored.
When the hosting provider refused to take the forum down, the agents began collecting information about the website, its users, its command structure, and more. From what I gathered, the forum software was MyBB. The agents identified pompompurin as the owner and started gathering evidence on him.
Pompompurin was already known to the agents from RaidForums, the previous forum that was taken down. There he sold stolen data from organizations around the world, claiming he acted alone. Here are some of his known actions:
- WeLeakInfo: the site was seized by the FBI. It operated as a leak search engine, allowing users to enter an email address and view any associated breaches or leaked information. The site used Stripe as its online payment processor. While the FBI renewed most of its domains, they overlooked one infrastructure domain, 'wli[.]design'. When this domain expired, pompompurin noticed it was available and purchased it. Owning the domain, he could recreate mailboxes on it, such as email@wli.design. If such an address was the contact on the Stripe account, a password reset would land in his mailbox and give him access to the payment data. Eventually he succeeded and obtained the transaction data. It is unclear how he discovered that this infrastructure domain was linked to Stripe, but he was likely a customer who noticed the domain in payment confirmation emails.
- Law Enforcement Enterprise Portal (LEEP): around November 2021, he found a security flaw in the portal's registration form. The application sent an OTP code to the user by email. He intercepted that POST request and modified parameters such as the email address, the message, and the subject of the email, replacing them with his own. By doing this, he was able to send emails from an FBI email address to any company or individual.
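The WeLeakInfo case above is an expired-domain takeover: a payment account's contact address lived on a domain nobody remembered to renew. The practical check is to audit every third-party account's contact or recovery address against the list of domains you actually own and their expiry dates. The script below is an added example for this post, not code from the original or from any of the parties described; the inventory and account list are constructed sample data, wli.example stands in for the lapsed infrastructure domain mentioned above, and all other names are placeholders.

```python
"""Audit the domains behind account-recovery and billing contact addresses.

Added example for this post, not code from the original or from any of the
parties described. The inventory and account list are constructed sample
data; wli.example stands in for the lapsed infrastructure domain mentioned
in the post, and every other name is a placeholder.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class DomainRecord:
    name: str        # registrable domain as it appears at the registrar
    expires: date    # registration expiry date (from the registrar or WHOIS)
    auto_renew: bool


@dataclass(frozen=True)
class Finding:
    service: str     # third-party service whose contact address is at risk
    address: str
    reason: str


# Constructed: domains the organisation believes it owns.
SAMPLE_INVENTORY = [
    DomainRecord("weleakinfo.example", date(2026, 1, 15), auto_renew=True),
    DomainRecord("wli.example", date(2021, 3, 1), auto_renew=False),       # lapsed
    DomainRecord("wli-mail.example", date(2025, 9, 10), auto_renew=False),
]

# Constructed: (service, contact address) pairs pulled from each service's settings.
SAMPLE_ACCOUNTS = [
    ("stripe", "billing@wli.example"),
    ("registrar", "admin@weleakinfo.example"),
    ("cloud-console", "ops@mail.wli-mail.example"),
    ("github", "dev@forgotten-vendor.example"),
]
AUDIT_DATE = date(2025, 8, 21)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower()


def owned_record(domain: str, inventory) -> Optional[DomainRecord]:
    """Inventory entry covering `domain` or one of its parents
    (ops@mail.wli-mail.example is covered by wli-mail.example)."""
    owned = {rec.name.lower(): rec for rec in inventory}
    labels = domain.split(".")
    for i in range(len(labels) - 1):          # never match the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in owned:
            return owned[candidate]
    return None


def audit(accounts, inventory, today: date, warn_days: int = 30) -> List[Finding]:
    """Flag contact addresses whose domain is unowned, expired, or about to expire.

    An expired domain is the worst case: anyone can register it, recreate the
    mailbox and trigger a password reset for the linked account.
    """
    findings = []
    for service, address in accounts:
        domain = domain_of(address)
        rec = owned_record(domain, inventory)
        if rec is None:
            findings.append(Finding(service, address,
                                    f"{domain} is not in the domain inventory"))
        elif rec.expires < today:
            findings.append(Finding(service, address,
                                    f"{rec.name} expired on {rec.expires}; anyone can "
                                    f"register it and receive reset mail"))
        elif not rec.auto_renew and rec.expires - today <= timedelta(days=warn_days):
            findings.append(Finding(service, address,
                                    f"{rec.name} expires on {rec.expires} and auto-renew is off"))
    return findings


def run_sample() -> List[Finding]:
    return audit(SAMPLE_ACCOUNTS, SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.service}] {f.address}: {f.reason}")
```

Run it on the sample data and the Stripe entry is flagged as expired, the cloud-console entry as expiring without auto-renew, and the GitHub entry as pointing at a domain nobody inventoried at all. In practice the inventory comes from the registrar's API and the account list from each service's settings page; the matching logic is the same.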
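The LEEP flaw is a classic case of trusting request parameters that should never have been client-controlled. Below is an added example for this post, not the portal's real code: the page does not document the exact request format, so the vulnerable handler is a reconstruction of the flaw as described (recipient, subject and message all arriving as POST parameters), placed beside a hardened version where only the recipient comes from the client. SENDER, the field names and the sample forms are assumptions.

```python
"""Registration OTP mailer: the client-controlled flaw beside a hardened version.

Added example for this post, not the portal's real code. The exact request
format of the LEEP registration form is not documented in the post, so the
vulnerable handler is a reconstruction of the flaw as described there: the
recipient, subject and message body all arrive as request parameters.
SENDER, the field names and the sample forms are assumptions.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Dict

SENDER = "noreply@portal.example"   # assumed; the point is that it is a trusted sender
PENDING_OTPS: Dict[str, str] = {}   # recipient -> code awaiting verification


@dataclass(frozen=True)
class OutboundMail:
    sender: str
    to: str
    subject: str
    body: str


def send_otp_vulnerable(form: dict) -> OutboundMail:
    """Reconstructed flaw: recipient, subject and body are taken straight from
    the POST body. Whoever edits the intercepted request decides who gets the
    mail and what it says, while it still leaves from the trusted sender."""
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTPS[form["email"]] = otp
    return OutboundMail(
        sender=SENDER,
        to=form["email"],
        subject=form["subject"],
        body=form["message"],   # server trusts the client's text; how the real form
    )                           # embedded the code is not described in the post


# Hardened version: the only client-supplied value is the recipient.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
SUBJECT = "Your registration code"
TEMPLATE = "Your one-time registration code is {otp}. It expires in 10 minutes."
ALLOWED_FIELDS = {"email"}


def send_otp_hardened(form: dict) -> OutboundMail:
    """Only the recipient comes from the client, and it must fullmatch a single
    address (which also rules out CR/LF header injection). Subject and body are
    fixed server-side templates, so the sender can never be made to say
    something the application did not write. Unexpected fields are rejected:
    a tampered request should fail loudly rather than be silently ignored."""
    extra = set(form) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"unexpected form fields: {sorted(extra)}")
    to = str(form.get("email", "")).strip()
    if not EMAIL_RE.fullmatch(to):
        raise ValueError("invalid recipient address")
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTPS[to] = otp
    return OutboundMail(SENDER, to, SUBJECT, TEMPLATE.format(otp=otp))


def verify_otp(email: str, code: str) -> bool:
    """Single-use check with a constant-time comparison."""
    expected = PENDING_OTPS.pop(email, None)
    return expected is not None and secrets.compare_digest(expected, code)


# Constructed: what the intercepted POST looks like after editing.
TAMPERED_FORM = {
    "email": "ceo@target.example",
    "subject": "Urgent notice from the FBI",
    "message": "Your network has been compromised. Call the number below immediately.",
}
# Constructed: what the registration page actually needs to send.
LEGIT_FORM = {"email": "new.user@agency.example"}


if __name__ == "__main__":
    print("vulnerable:", send_otp_vulnerable(TAMPERED_FORM))
    print("hardened:  ", send_otp_hardened(LEGIT_FORM))
    try:
        send_otp_hardened(TAMPERED_FORM)
    except ValueError as exc:
        print("hardened rejects tampered request:", exc)
```

The vulnerable handler happily relays the attacker's subject and text from the trusted sender; the hardened one rejects the same request outright. Rate limiting per recipient and per source IP belongs on top of this, since even a fixed-template OTP mailer from a trusted domain can be abused as a spam relay.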
Pompompurin's real name
Law enforcement seized RaidForums in 2022 and gained complete access to its database, and with it all the information about its users. When inspecting his account, they found nine IP addresses with a connection to a person named 'Conor Fitzpatrick'. In his private messages they found a direct message to the RaidForums admin about the 'AI.Type Keyboard' data leak, in which he mentioned that some data seemed to be missing, citing as an example the email address conorfitzpatrick02@gmail.com.
Inspecting that address, the agents found it was associated with a phone number belonging to 'Conor Fitzpatrick'. Its recovery email was funmc59tm@gmail.com, and the IP address used for that recovery account was linked to a person with the last name 'Fitzpatrick'. The conorfitzpatrick02 account had several logins from VPN IP addresses that matched the IP addresses of his other online accounts: for example, an IP address used for conorfitzpatrick02@gmail.com also matched his RaidForums account and a purse(.)io bitcoin wallet, and another IP address was linked to a Zoom account tied to a Riseup email address he had used to register on RaidForums.
When inspecting the purse(.)io account, the agents found a purchase shipped to his address; the account also carried the name 'Conor Fitzpatrick' and his phone number, and shared an IP address with his RaidForums account. The wallet on purse(.)io was also receiving substantial funds from a Bitcoin address he had mentioned in his RaidForums posts. They also found that he had logged into RaidForums from an IP address linked to his father, and that same IP address was linked to an iCloud account associated with Conor.
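Strip away the names and the attribution above is one technique repeated: index every login by IP address, then treat any IP shared between two accounts as a link, while discounting addresses that many unrelated people share (VPN exits). The script below is an added example for this post, not an actual law-enforcement tool; its login records are constructed to mirror the correlations described above, using RFC 5737 documentation addresses and placeholder account names.

```python
"""Link accounts across services by the IP addresses they were used from.

Added example for this post, not an actual law-enforcement tool. The login
records are constructed to mirror the correlations described in the post,
using RFC 5737 documentation addresses and placeholder account names.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Set, Tuple

Account = Tuple[str, str]   # (service, account name)


@dataclass(frozen=True)
class Login:
    service: str
    account: str
    ip: str


# Constructed sample: one residential line, two VPN exits, a relative's line.
SAMPLE_LOGINS = [
    Login("raidforums", "pompompurin", "203.0.113.10"),      # residential line
    Login("raidforums", "pompompurin", "198.51.100.7"),      # popular commercial VPN exit
    Login("raidforums", "pompompurin", "192.0.2.44"),        # rarely used VPN exit
    Login("raidforums", "pompompurin", "192.0.2.200"),       # relative's home line
    Login("raidforums", "unrelated-user", "198.51.100.7"),   # a stranger on the same VPN exit
    Login("gmail", "conorfitzpatrick02", "203.0.113.10"),
    Login("gmail", "conorfitzpatrick02", "198.51.100.7"),
    Login("purse.io", "cfitzpatrick", "203.0.113.10"),
    Login("zoom", "riseup-user", "192.0.2.44"),
    Login("icloud", "conor", "192.0.2.200"),
]
# Constructed: exits of a commercial VPN, shared by thousands of customers.
KNOWN_SHARED_EXITS: FrozenSet[str] = frozenset({"198.51.100.7"})


def index_by_ip(logins) -> Dict[str, Set[Account]]:
    """ip -> set of (service, account) seen from it."""
    by_ip = defaultdict(set)
    for login in logins:
        by_ip[login.ip].add((login.service, login.account))
    return by_ip


def shared_ips(logins, ignore=frozenset(), max_accounts_per_ip=5):
    """Every pair of accounts seen from a common IP, with the IPs they share.

    Known shared exits and IPs used by many distinct accounts are skipped:
    two strangers behind the same VPN node are not evidence of anything.
    Pairs are ordered by sorted() so each link has one canonical key.
    """
    links: Dict[Tuple[Account, Account], Set[str]] = defaultdict(set)
    for ip, accounts in index_by_ip(logins).items():
        if ip in ignore or len(accounts) > max_accounts_per_ip:
            continue
        for a, b in combinations(sorted(accounts), 2):
            links[(a, b)].add(ip)
    return dict(links)


def cluster(logins, seed: Account, **kwargs) -> Set[Account]:
    """All accounts reachable from `seed` through chains of shared IPs."""
    adjacency = defaultdict(set)
    for a, b in shared_ips(logins, **kwargs):
        adjacency[a].add(b)
        adjacency[b].add(a)
    seen, queue = {seed}, deque([seed])
    while queue:
        for nxt in adjacency[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    seed = ("raidforums", "pompompurin")
    links = shared_ips(SAMPLE_LOGINS, ignore=KNOWN_SHARED_EXITS)
    for (a, b), ips in sorted(links.items()):
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]} via {sorted(ips)}")
    print("cluster:", sorted(cluster(SAMPLE_LOGINS, seed, ignore=KNOWN_SHARED_EXITS)))
```

With the VPN exit excluded, the RaidForums account links to the Gmail, purse(.)io, Zoom and iCloud accounts but not to the stranger who merely used the same VPN node; drop the exclusion list and the stranger is pulled into the cluster, which is exactly the false positive an investigator has to rule out. The same shape of analysis is what a defender runs on authentication logs to spot one actor behind several accounts.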
And finally, pompompurin himself stated in his BreachForums posts that he was the same person as on RaidForums: "if you used RaidForums you most likely remember me, I was one of the more active users on there".
With this evidence, a warrant to search his house was obtained. The agents arrested him, and he admitted to being pompompurin and the administrator of BreachForums.
Verdict
After the seizure of RaidForums, pompompurin was effectively already identified before he even started his BreachForums operation. The agents were collecting the data and mapping the forum's command structure the whole time. Some people claim he miscalculated his privacy; in my opinion, you can't evade the law forever. Most of these sorts of crimes are ego trips: ego starts them and eventually breaks them, like a double-edged sword.
Signed, 21 August 25
Nathan