On March 15th 2023, Conor Brian Fitzpatrick, the founder of Breach Forums, was arrested and charged with one count of conspiracy to commit access device fraud after running the data leak forum for eleven months. In that time the forum amassed a massive user base of over 336,800 and hosted 879 datasets that contained 14 billion records of stolen data. Breach Forums, also known as Breached, aimed to be a successor to the infamous data leak marketplace RaidForums but was only running for a fraction of the time of its predecessor. So, what led to the relatively quick seizure of Breached by law enforcement? And, what does it mean for the future of similar forums?
Breach Forums was established in March 2022, only a month after US law enforcement seized the popular hacking and data leak marketplace RaidForums. It aimed to be a direct replacement, even stating in its early days that if RaidForums came back, it would cease operation. Just like RaidForums, there were areas for general discussion about hacking, sections where one could download full data breaches and a marketplace where bad actors could buy and sell breaches. A key point in the timeline for Breached was when the Shanghai National Police (SHGA) database was posted for sale at $200,000. It gained the attention of those within and also outside the cybercrime sphere due to the overall magnitude of such a breach and ultimately cemented Breached as a serious forum in the data cybercrime world. Until its seizure earlier this year, Breached was the go-to forum for hackers, bad actors and those interested in data related crimes and will be infamously remembered in the cybercrime sphere.
The Demise of Breached
When Breached was initially created, it came as no surprise that the owner was the user ‘pompompurin’. He was well known within the cybercriminal world for several reasons. One was his active presence on RaidForums, where he published breaches he had personally hacked for sale and also commented on and moderated sections of the forum. Another was his prolific, multi-year campaign of trolling the security researcher Vinny Troia, who had attempted to unmask ‘pompompurin’ several times without success. In retaliation, ‘pompompurin’ hacked into Troia’s Twitter account, and also hacked into the National Center for Missing and Exploited Children’s website to post Troia’s picture and send out an alert claiming that he was a paedophile. If this wasn’t enough, his biggest attempt to troll Troia was when he successfully hacked into the FBI website to send thousands of emails from a legitimate FBI email address warning of fake cyberattacks performed by Troia. Needless to say, even before he started Breached, he was already on the radar of law enforcement, and once RaidForums went down, the FBI found a trove of evidence that unveiled who ‘pompompurin’ really was.
Upon the seizure of RaidForums, the FBI gained access to a database that contained all the messages sent between users on the forum. This included messages between the RaidForums owner ‘omnipotent’ and ‘pompompurin’ in which he provided an email address that was not only his real email address but also contained his full name: ‘conorfitzpatrick02@gmail.com’. To follow up this lead, the FBI served Google a warrant for further information on the email address and found that the account was linked to a Google Pay account whose details were also shared by a second Gmail account. Upon further investigation, it was found that the secondary email account had been accessed from the same IP address as a Zoom account registered under the email address ‘pompompurin@riseup.net’, which was the same email address linked to the user ‘pompompurin’ on RaidForums.
Furthermore, the FBI discovered nine IP addresses that ‘pompompurin’ had used to access RaidForums which were linked to a Verizon account in Fitzpatrick’s name. One of them was Fitzpatrick’s home IP address, recorded after he failed to use a VPN to log into RaidForums. This mistake led the FBI right to Fitzpatrick’s door with a warrant to search his home and interview him, at which point he quickly admitted to being ‘pompompurin’ and running Breach Forums.
Despite being highly respected in the cybercrime community, Conor Brian Fitzpatrick made critical mistakes that resulted in his downfall. His failure to keep his online and real-life identities separate, coupled with lax operational security, proved to be his undoing. Fitzpatrick became complacent and let his guard down, making avoidable errors that led directly to his arrest. His ego, once a driving force behind his success, ultimately gave the FBI the opening it needed to bring him to justice.
Following the apprehension of Conor Fitzpatrick, an administrator of Breach Forums known as 'Baphomet' made an announcement on Telegram claiming that attempts were underway to keep the website functioning. However, within a day, 'Baphomet' declared that the forum would be closed for good, citing the reason that "nothing is safe anymore." This decision was reinforced by the Department of Justice's revelation in its case against Fitzpatrick, which disclosed how investigators had gained access to the RaidForums databases. This led the Breach Forums administrators to believe that their own forum could have been similarly compromised, and as a result Breached was closed for good.
The Future for Data Leak Marketplaces
With the seizure of RaidForums in 2022 and the subsequent seizure of its successor Breach Forums just eleven months later, law enforcement is making its stance on data leak marketplaces very clear. Assistant Attorney General Kenneth A. Polite Jr. of the Criminal Division of the Department of Justice stated, “We must and will remain vigilant to the threat posed by those who attempt to undermine our digital security. We will continue to disrupt the forums that facilitate the theft and distribution of personal information and prosecute those responsible.” It seems, therefore, that the fall of RaidForums was the beginning of a concerted effort by law enforcement to quash these types of forums with increased speed and efficiency.
Despite this, the market for stolen data is vast and lucrative. There is a lot of money to be made not only by selling data on these types of forums but also by running them. Fitzpatrick claimed that he made an average of $1,000 per day acting as a middleman for transactions between buyers and sellers of data. Although the repercussions for those who run data leak marketplaces are well evidenced, it seems that the economic pull of buying or selling stolen data is much stronger than the push of the potential consequences. In addition, there is a level of notoriety that comes with being a top contributor to, or running, a data leak marketplace, which in itself can seem appealing to bad actors.
Since the downfall of Breached, bad actors have been scattering in search of a new place to continue selling stolen data. Smaller forums have seen an influx of new users, with some reacting by restricting who can join to prevent a flood of new posts that admins could not moderate. It has also been observed that many bad actors who were active on Breached have moved to Telegram, using data-selling channels to promote their databases and make sales there instead. Even so, although there are other avenues and platforms to sell data, a leading forum like Breached, run by an individual well known and “respected” in the bad-actor community, attracts users because it offers a bigger pool of potential buyers for their data.
For these reasons, it is more than likely that a new forum is on the horizon. There are forums already claiming that they will be the next Breached, but this remains to be seen. Discussions on other forums about the fall of Breached suggested that the next forum should be hosted in a country like Russia, where the laws are much more relaxed on cybercriminals than in the West. Whether it is hosted in Russia or not, it will only be a matter of time until the next forum emerges for law enforcement to try and seize once again. The life cycle of data leak marketplaces continues.