Pompompurin and BreachForums

Something more than a year has passed since Pompompurin was detained by the FBI. I did this investigation on him when it happened, and now after some time, I’ve decided to make it public here.

The goal of the investigation was simple, I just wanted to find who pompompurin was, how he became the creator of BF (BreachForums) and how he ended up detained (bad OPSEC as usual :)). Keep in mind that everything you are about to see is Open Source.

---

The starting point of this investigation was his username “Pompompurin”, that if you search for it, you will see it’s a Japanese cartoon character, a golden retriever dog created by the company Sanrio in 1996.

As you may imagine, an initial scan of the nickname reveals a substantial number of results across various platforms and social media. Upon filtering through all these results, I found an inactive SoundCloud account with interesting links. Here is where the actual investigation starts.

Figure 1: Pompompurin SoundCloud account

The first link directs to a Twitter account (user: @xml), while the second link leads to a website accessible at the URL https://pompur[.]in/.

1. The pompur[.]in site

The website, located at the URL https://pompur[.]in/, provides an extensive range of information concerning the user known as "pompompurin”:

Figure 2: Pompur[.]in home page, 26/05/2023

We can confirm that the Twitter account (@xml) linked to the SoundCloud profile is the same as the one provided on the website. Additionally, other contact methods for reaching the user pompompurin are shown, including a Telegram account (@paste), a Mastodon account (@pom), and a Matrix Project account (@pom:pompur.in). The email address pom@pompur.in is prominently displayed, indicating a direct association with the user's personal domain.

Further research into the domain pompur[.]in revealed the following:

• Registered by Tucows Inc. on 2021-04-30.

• Associated emails:

  • pom@pompur.in

  • pompompurin@riseup.net

• An IPv4 address (198.251.84.20) associated with the domain pompur[.]in traced to the location of Bissen, Luxembourg. (It is noteworthy that this IP address is provided by the same Internet Service Provider (ISP) that is responsible for supplying internet connectivity to a significant portion of the BreachForums network.)

• Both the email and the domain have a direct connection with breached[.]vc

At the top section of the page (figure 2, pink), a link leads to his Keybase account.

Figure 3: pompompurin Keybase graph (snapshot from 10/12/2021)

A significant amount of critical information is available there, which will play a crucial role in the process of verifying the identities associated with this individual later. Such details include:

• Same PGP key as the one in his website.

• Three Windows devices and a Linux one.

• Two iOS devices.

• A GitHub account by the name “pompompurins”.

• The domain og[.]money, which was used by pompompurin to disclose the ActMobile/FreeVPN database breach. Figure 4 captures the instance when pompompurin published the breach on RaidForums.

Figure 4: Actmobile data being publish by pompompurim at RaidForums

• A Twitter account (@troia), which appears to be suspended as of the current date. This was a meme account about Vinny Troia, a cybersecurity researcher with whom Pom had some beef.

Figure 5: @troia twitter account (snapshot from 27/12/2021)

Upon examining a snapshot from December 2021 of the account (figure 5), the following can be observed:

• He had a previous Twitter account (@pompompur_in) that got suspended.

• His webpage is linked in the bio.

• The individual refers to an "old Riseup" email domain (riseup[.]net) in Figure 6, which we have previously identified as being connected to the pompur[.]in domain. This suggests that prior to acquiring the pompur[.]in domain and transitioning to the new email, the individual likely used pompompurin@riseup[.]net. This information holds significance in the investigation, particularly in relation to the individual's involvement with RaidForums (see figure 8).

Figure 6: A tweet of pompompurin, referring to his old riseup email.(15/12/2021)

Returning to the pompur website, two notable links (highlighted in yellow in Figure 2) direct to pompompurin's profiles on the Russian forums exploit[.]in and xss[.]is.

And finally, a link to his profile on BreachForums, where he not only holds membership but also is identified as the founder and administrator (Figure 7).

Figure 7: pompompurin’s profile at BreachForums

---

2. RaidForums

The first recorded appearance of pompompurin dates back to October 26, 2020, when he joined Raid Forums using the email address pompomurin@riseup[.]net. This information was later confirmed by the FBI in the Pompompurin Affidavit No. 1:23-mj-67.

Figure 8: riseup[.]net email confirmation

In Figure 9, the first available snapshot of pompompurin's profile (January 26, 2021) can be observed, thereby corroborating the previously mentioned registration date on the forum.

Figure 9: Pompompurin’s first profile snapshot, 26/01/2021

Pompompurin maintained a consistent daily presence on the forum, actively engaging in discussions with an average of 2-3 posts per day. He was responsible for orchestrating numerous data leaks, which were subsequently published on the forum. These significant data breaches contributed to pompompurin's growing reputation, and helped to establish BreachForums as the best alternative following the seizure of RaidForums. Let’s see some of the most important ones:

2.1. Leaking US PII

On April 22, 2021, pompompurin leaked a database containing personally identifiable information (PII) of 2.5 million Americans. The leak included full names, date of birth, email addresses, phone numbers, home addresses, marital status, political affiliation, salary, and other private details about US residents. This massive leak was approximately 263 GB and contained about 1255 CSV files and 59 million unique e-mails.

Figure 10: Pompompurin publish the leak data on RaidForums (22/04/2021)

2.2. Robin Hood

Also, in early November 2021, pompompurin hacked the investing company Robin Hood. The breach initiated with a social engineering attack directed at one of the company's customer support employees.

Through this attack, pompompurin successfully gained access to the customer support platforms used by Robin Hood, allowing him to collect the email addresses and full names of approximately 7 million customers.

Subsequently, pompompurin made attempts to sell the compromised data on RaidForums. Additionally, he claimed to have harvested customer IDs from Robin Hood, although these were not offered for sale at that time.

Figure 11: Pompompurin put up for sale Robinhood’s database on RaidForums

2.3. FBI email hack

On November 13, 2021, pompompurin compromised the FBI’s external email system, sending thousands of messages warning of a cyberattack by cybersecurity researcher Vinny Troia, who was falsely suggested to have been identified as part of The Dark Overlord hacking group by the US Department of Homeland Security.

Figure 12: Fake FBI email, sent by pompompurin

The emails were sent to addresses taken from the American Registry for Internet Numbers database and it was reported that the hacker used FBI’s public-facing email (eims@ic.fbi.gov), which made the emails appear legitimate.

By the same time, Brian Krebs from KrebsOnSecurity received a message from the same email address: “Hi its pompompurin, check headers of this email it’s actually coming from FBI server. I am contacting you today because we located a botnet being hosted on your forehead, please take immediate action thanks.”

This was one of the most infamous hacks of pompompurin, and the one that gave him the most recognition on the underground community. It is important to note that pompompurin was involved in numerous other security breaches that were posted on RaidForums, which have not been fully covered in this report.

---

3. BreachForums

3.1. The creation of BF

On the 25th of February 2022, users were no longer able to successfully log into the RaidForums domain. On the same day, a prominent moderator from the forum, Jaw, posted to the forum’s Telegram that the raidforums[.]com domain had been seized, and the current website domain was run by law enforcement as a honeypot.

Figure 13: Moderator from RaidForums, Jaw, announced the seize via Telegram.

Figure 14: RaidForums domain seized by the FBI

Another RaidForums moderator, moot, locked the chat and Jaw suggested rf[.]to would be the new domain for future RaidForums operations. It’s unclear how Jaw confirmed the seizure of the RaidForums domain. Some speculate Omnipotent was allowed to call from inside police custody and notified Jaw directly. As today, the rf[.]to domain is holding a message from Omnipotent, as seen in figure 15.

Figure 15: The rf[.]to buckup domain for RaidForums today (27/05/2023)

With the arrest of Diogo Santos Coelho, aka. Omnipotent; and with the announcement that raidforums[.]com domain had been seized and was now a honeypot, pompomurin intentionally DDoS attacked the domain to prevent users from exposing themselves and to limit the FBI’s success in obtaining the credentials they sought by keeping the domain alive.

Figure 16: Diogo Santos Coelho nacional document of identification.

After a month of anticipation and with the domain remaining inaccessible, pompompurin made the announcement of BreachForums (figure 17) as an alternative platform for all RaidForums users. In the announcement, pompompurin assured users that their ranks would be preserved, and promised to migrate all the official databases from RaidForums to the new platform, even adapting the frontend of the website almost identical to the one RaidForums had. This move aimed to provide continuity and a familiar environment for the RaidForums community, while also establishing BreachForums as a successor platform.

Figure 17: Welcome message from pompompurin to BreachForums

An interview on or about March 16, 2022, on the website dataknight[.]org, reaffirms the intentions pompompurin had with BreachForums, and quote “I have a trusted person who will have full access to everything needed to relaunch it without me” in case he was arrested. This person will probably be Baphomet, which will be introduce later in section 3.3.

Figure 18: Pompompurin’s interview, 16/03/2022

3.2. The structure

BreachForums had a fairly robust structure behind, with several backup domains and dedicated services.

Detailed information about pompompurins activity on BreachForums can be found at the FBI document: Case 1:23-mj-00067-JFA Document 2 Filed 03/15/23.

3.3. Shutdown of BreachForums

After one year of BreachForums being operational, boasting an approximate user base of 300,000 individuals, its founder, pompompurin, was arrested. In an affidavit filed with the District Court for the Southern District of New York, FBI Special Agent John Longmire said that at around 4:30 p.m. on March 15, 2023, he led a team of law enforcement agents that made a probable cause arrest of a Conor Brian Fitzpatrick in Peekskill, NY.

Figure 19: Case 7:23-cr-02171-UA Document 1 Filed 03/16/23 Page 2 of 2

Two days after the arrest, an admin of BreachForums called Baphomet, announce the highly probable arrest of pompompurin, and states that he will be the one taking the ownership of the forum, and suspend all pompompurin’s important access for safety.

Figure 20: Baphomet announce pompompurin’s arrest on BreachForums

Figure 21: Baphomet PGP message 1

Baphomet initially stated their intention to maintain the continuity of the forum and migrate BreachForums to a new infrastructure, as indicated in Figure 21. However, their plans took an unexpected turn on March 21, 2023, when Baphomet confirmed that the FBI had gained access to pompompurin's machine. Consequently, Baphomet made the decision to shut down the forum, as depicted in Figure 22.

Figure 22: Baphomet PGP message 2

Edit 05/2024: When redacting this report, no more updates were made since April 19, 2023 on his “BaphometOfficial” Telegram channel, neither in his website baph[.]is; but as you may know for now, BF is currently running under Baphomet administration.

After the seizure of BreachForums at that time, it was observed that certain data and user profiles from the platform were appearing in other popular forums like XXS and Exploit.

Figure 23: User publishing BreachForums data at XSS

---

4. Conor Brian Fitzpatrick

4.1. Attribution of Conor Fitzpatrick as “pompompurin”

After the seized of RaidForums, the FBI took control of the infrastructure, and access all the data it contained. Upon investigation of pompompurin’s activity inside the forum, a private conversation with the owner Omnipotent, on November 28, 2020, stands out.

Figure 24: Pompompurin private chat with Omnipotent, part 1

Figure 25: Pompompurin private chat with Omnipotent, part 2

On it, pompompurin specifically mentions to Omnipotent that he had searched for the e-mail address conorfitzpatrick02@gmail.com within a database of breached data from “ai.type” (company that was victim of a breach of its database around December 2017), but he wasn’t finding it, suggesting that the database was incomplete, because HIBP (Have I Been Pwned) did show the email.

Even though he tries to deceive Omnipotent to think that it’s not his actual email, it seems very clear that it looks like “my old email” that he’s referring to.

According to some Google records months previous to that private conversation with Omnipotent, the FBI saw that conorfitzpatrick02@gmail.com Google Pay account share the same details as another email: conorfitzpatrick2002@gmail.com .

Figure 26: Case 1:23-mj-00067-JFA Document 2 Filed 03/15/23 Page 23 of 31 PageID# 24

As shown above, the old email that replaced the new one, shared the same name, physical address and Visa card ending in 3068. This accounts also had two of his personal cell phones registered, an iPhone 11 Pro Max, and an iPhone 7 Plus. This information confirms that these devices were also registered in pompompurin’s Keybase account.

These two devices, at some point had used the same phone number, ended in 3144 (figure 27), and the RaidForums logs shows that at least 9 IP addresses registered with that same number, were used to access pompompurin’s account.

Figure 27: Case 1:23-mj-00067-JFA Document 2 Filed 03/15/23 Page 20 of 31 PageID# 21

The FBI also found that pompompurin’s new gmail account conorfitzpatrick02@gmail.com was accessed using the same IP address as his Zoom account, registered with his pompompurin@riseup.net email, the exact same one that he used to log into RaidForums.

Figure 28: Case 1:23-mj-00067-JFA Document 2 Filed 03/15/23 Page 25 of 31 PageID# 26

At last, the recovery email register with the conorfitzpatrick02@gmail.com account, funmc59tm@gmail.com was created using the IP: 74.101.151.4, which was register at the name of pompompurin’s father, at their physical address.

Figure 29: Case 1:23-mj-00067-JFA Document 2 Filed 03/15/23 Page 24 of 31 PageID# 25

4.2. Conor’s real identity

Limited information is openly available regarding the true identity of "pompompurin" and associated social accounts. However, conducting research using the individual's full name brought some findings, including an address, age, and a phone number. Notably, the phone number registered by the FBI concludes with the digits 3144, suggesting that the current phone number, (914) 699-9668 may be a different one used by Conor (figure 27).

The age of 20 is supported by both FBI records and the years referenced in the individual's Gmail accounts, providing some corroboration.

Figure 30: Information about Conor B Fitzpatrick at fastpeoplesearch[.]com

In order to verify the accuracy of the provided address, a reverse image search was conducted using images from two news channels that reported on the arrest of "pompompurin." The first news channel is News 12 Westchester, which covered the arrest on March 15, 2022. The second source is the local Peeksill Herald, which reported the news on March 19, 2022.

Figure 31: News 12 Westchester, March 15, 2023.

Figure 32: Peekskill Herald, March 19, 2023

Figure 33: Reverse image search on Google Maps.

Figure 34: Satellite 3D view of Conor’s home

No social media profiles owned by Conor B. Fitzpatrick featuring his appearance were found during the investigation. However, an interesting clip of images of Conor B. Fitzpatrick was found on a webpage, with no source confirmed.

Figure 35: Alleged Conor’s photos, posted at loaris[.]app

Additionally, a YouTube video of the 2021 Peekskill High School graduation ceremony featuring someone named Conor Brian Fitzpatrick was located. On the video, his name is mentioned at 8:37, and appears on camera at 9:19.

Figure 36: Conor’s graduation at Peekskill High School, Jun 2021

Comparing the Youtube video with some images taken from the official Peekskill High School graduation ceremony video, uploaded at their website, as well as the graduates list, confirms that Conor was present that day.

Figure 37: Official Peekskill High School graduation ceremony video.

Figure 38: Official Peekskill High School graduation ceremony video.

Figure 39: Official Peekskill High School graduation ceremony video.

Figure 40: Peekskill High School’s graduates list.

At a doxbin[.]com page, a lot of high valuable information it’s found (figure 41 - partially blur for privacy).

Figure 41: Doxbin webpage, containing detailed information about Conor.

As it is not a fully reliable source, we carry out detailed research on the displayed data to confirm its validity:

• The physical address matches all the registers already proportionated, and also the address on the mother’s webpage (figure 42).

• Two of the three phone numbers are corroborated: ended in 3144 from Verizon (FBI records), 9668 registered at fastpeoplesearch[.]com (figure 30), and a new one ended in 5399.

• All his social accounts and emails matches the ones already covered.

• The connection of Mary M. as the mother of Conor can be checked at his social media profiles (figure 43), website (figure 42 and 45) and the YouTube account where the graduation video was uploaded (figure 44):

Figure 42: Mary Mccarra Fitzpatrick’s website.

Figure 43: Mary Mccarra Fitzpatrick’s Instagram account

Figure 44: Mary Mccarra Fitzpatrick’s youtube profile.

Figure 45: Mary Mccarra Fitzpatrick’s website about page

• The connection of Mark E. as the father of Conor can be checked at his twitter account (figure 46), and also at his wife’s serveral Instagram family photos:

Figure 46: Mark E. Fitzpatrick reporting an altice outage at his address

Aditionally, on the 28^{th of} May, 2023, The U.S Postal Inspection Service (USPIS) posted a public notification, listing the multiples Conor Brian Fitzpatrick’s properties seized (figure47).

Figure 47: USPIS notification.

---

5. Conclusion

Conor was charged for his involvement in the theft and sale of sensitive personal information belonging to “millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies” on the Breached cybercrime forum.

Fitzpatrick appeared in court in the Eastern District of Virginia after being arrested one week before at his home in Peekskill, New York, and released on a $300,000 bond.

As for today, the exact whereabouts of Conor are unknown, but BreachForums is up and running under the administration of Baphomet, although I have my suspicions that it could be an FBI honypot.

Comments

[Smaug]

Wow, as a beginner to OSINT, this was an amazing post on what is possible. Thank you so much.

[Kontol]

kontol