BreachForums kingpin goes from walk-free deal to 3-year stretch
- Reference: 1758112815
- News link: https://www.theregister.co.uk/2025/09/17/breachforums_founder_prison/
After pleading guilty to a range of offenses related to his administration of BreachForums and possession of child sex abuse material, Conor Brian Fitzpatrick, 22, was handed by the District Court for the Eastern District of Virginia what a US appeals court later called a "substantively unreasonable sentence."
After his original [1]2023 arrest at his parents' home in Peekskill, New York, Fitzpatrick violated his [2]pretrial conditions – namely, the use of a [3]VPN – and was jailed as a result. However, he was released less than a month later following the lenient sentence given to him in 2024.
Fitzpatrick's [5]time-served sentence of just 17 days, plus 20 years of supervised release, was deemed insufficient by appellate court judge Paul Niemeyer, who ordered a resentencing.
Prosecutors in Virginia won their appeal on September 16 – a three-year prison stint for the New York man, who was first arrested in 2023, although they fell well short of the 15 years they set out to secure.
They argued that Fitzpatrick's crimes, which involved facilitating the vast collection and sale of stolen data, in addition to the child sexual abuse material, were too severe to be met with the lenient punishment he initially received.
Fitzpatrick, known to forum users as Pompompurin, was originally handed a sentence that involved no prison time, citing his autism diagnosis. His defense lawyer successfully argued that prison would offer no correctional value.
However, Niemeyer said in his [9]opinion [PDF] given in January that the court failed to acknowledge the severity of Fitzpatrick's offenses, to which he pleaded guilty.
Niemeyer noted that, under Fitzpatrick's watch, BreachForums "became the largest English-language data-breach forum ever, featuring over 14 billion individual records consisting of names, dates of birth, Social Security numbers, employment information, and health insurance information."
"During the site's year-long operation, Fitzpatrick acted as a middleman and facilitated the purchase and sale of the illegal information, earning $698,714 and causing many victims monetary and reputational injury."
Fitzpatrick's collection of child sex abuse files also spanned "at least 600 images," and authorities discovered that he had previously "viewed videos that depicted prepubescent children engaging in sex acts."
Niemeyer said that instead of time served, per sentencing guidelines, the [15]BreachForums admin should have received a sentence in the region of 188 to 235 months behind bars.
Fitzpatrick again pleaded guilty to three charges this week: one count of access device conspiracy, one count of access device solicitation, and one count of possession of child sexual abuse material.
He also agreed to surrender more than 100 domain names used to operate the forum, more than a dozen devices used to administer the site, and [16]cryptocurrency he earned while in charge.
"Conor Fitzpatrick personally profited from the sale of vast quantities of stolen information, ranging from private personal information to commercial data," [17]said Erik S. Siebert, US Attorney for the Eastern District of Virginia, in response to the resentencing.
"These crimes were so extensive that the damage is difficult to quantify, and the human cost of his collection of child sexual abuse material is incalculable. We will not allow criminals to hide in the darkest corners of the internet and will use all legal means to bring them to justice."
Brett Leatherman, assistant director of the FBI's Cyber Division, said: "The FBI is working tirelessly to dismantle criminal marketplaces like BreachForums, and we are pursuing the full range of actors who run these platforms. Today's sentencing demonstrates that anyone who helps others profit from theft, fraud, and other cybercrimes is not out of reach." ®
[1] https://www.theregister.com/2023/03/20/in_brief_security/
[2] https://www.theregister.com/2024/01/05/breachforums_admin_arrested_again/
[3] https://www.theregister.com/2025/07/31/banning_vpns_to_protect_kids/
[5] https://www.theregister.com/2024/01/22/infosec_news_roundup/
[9] https://www.govinfo.gov/content/pkg/USCOURTS-ca4-24-04102/pdf/USCOURTS-ca4-24-04102-0.pdf
[15] https://www.theregister.com/2025/06/25/paris_police_claim_arrests_of/
[16] https://www.theregister.com/2025/04/29/crypto_pioneers/
[17] https://www.justice.gov/opa/pr/founder-one-worlds-largest-hacker-forums-resentenced-three-years-prison
"no correctional value"
Since when does the US penal institution bother with "correctional values"?
Jail the fucker for 25 years.
Re: "no correctional value"
The US Gov tends to not fix the underlying issue and just makes breaching poor cyber security illegal instead of actually fixing the weaknesses. After all, the NSA needs those weaknesses out there.
US Gov will classify their own embarrassing mistakes so if they are ever revealed, the whistleblower goes to jail rather than the government being held responsible. They are never to blame. A system that is perfectly balanced in their favour. Snowden reveals multiple illegal monitoring programs of American citizens and global eavesdropping after James Clapper lies to Congress under oath. Guess who gets charged with espionage? Guess who does not get charged with Lying to Congress.
Does nothing for nation state actors, of course, but as soon as we acknowledge the USA is in charge of everything, everywhere, the better. If you disagree, Seal Team Six or a convenient Hellfire missile will be there momentarily.
Justice for some...
"Today's sentencing demonstrates that anyone who helps others profit from theft, fraud, and other cybercrimes is not out of reach."
Unless you're a GOP supporter or a member of the Trump administration.
I look forward to another appeal on the grounds that it is still too light to offer deterrence to others.