BreachForums administrator given three-year prison stint after resentencing

BreachForums founder and lead administrator Conor Fitzpatrick was given a new three-year prison sentence on Tuesday after a three-judge panel in January vacated a controversial district court decision that set him free after just 17 days in prison.

In a Department of Justice announcement of the resentencing, U.S. Attorney Erik Siebert said Fitzpatrick “personally profited from the sale of vast quantities of stolen information, ranging from private personal information to commercial data.” 

“These crimes were so extensive that the damage is difficult to quantify, and the human cost of his collection of child sexual abuse material is incalculable,” he said. “We will not allow criminals to hide in the darkest corners of the internet and will use all legal means to bring them to justice.”

Fitzpatrick pleaded guilty last year to a range of charges that included possession of child pornography and conspiracy to traffic in stolen personally identifying information. He received a sentence of 20 years of supervised release, with a judge arguing that his age and autism spectrum disorder diagnosis would leave him vulnerable to violence in prison. 

Fitzpatrick was initially arrested in 2023 at his parents’ Peekskill, New York, home and admitted to being “pompompurin” — BreachForums’ leading administrator — in interviews with the FBI. 

The Justice Department said BreachForums facilitated access to the sensitive personal information of millions of U.S. citizens, and Fitzpatrick was party to multiple cybercrime cases involving the theft of information from the FBI as well as Washington, D.C.’s healthcare marketplace. 

Prosecutors were incensed by the decision to free Fitzpatrick in light of the charges he pleaded guilty to and because he repeatedly violated the court’s conditions for his release before his trial by accessing the internet and participating in Discord chatrooms. 

In recent court documents, prosecutors argued that Fitzpatrick’s crimes were too severe to allow him to serve almost no prison time — recommending a sentence of 15 years. 

“The known scope, breadth, and brazenness of the defendant’s scheme to enable and fuel widespread cybercrime warrants a substantial period of incarceration,” prosecutors said. 

“For his crimes, the defendant has demonstrated little remorse; he violated the conditions of his pretrial release; he broke his cooperation agreement; and he denied responsibility for his child pornography offense. In his letter to the Court and at his first sentencing, the defendant nominally took responsibility for his crimes, but then blamed the people around him for his offenses.”

The Justice Department noted that BreachForums, founded in 2022, held more than 14 billion individual records at its peak and had more than 300,000 members that bought and sold stolen information from thousands of companies. 

The platform drew increased law enforcement scrutiny due to its involvement with the cyberattack on Washington, D.C.’s health insurance marketplace that exposed the sensitive information of federal lawmakers, staff members and thousands of city residents.

According to prosecutors, Fitzpatrick was an enthusiastic leader, rallying hackers to the forum and profiting from his role as an administrator — often serving as a middleman between cybercriminals. 

They added that his autism spectrum disorder diagnosis is “mild” and that there is no evidence Fitzpatrick “cannot cope in a prison setting.” They cited an evaluation from a licensed psychologist that said Fitzpatrick’s “degree of impairment due to his [Autism Spectrum Disorder] is low.”

The doctor noted that Fitzpatrick “completed his schooling successfully without accommodation for any impairment and attended a community college for a time, also without accommodation.”

The sentencing document added that Fitzpatrick needed to be sentenced harshly “to deter a future wave of leaders of the cybercrime ecosystem.”

“The defendant’s conduct — namely, his years-long use and subsequent administration of online cybercrime forums, his attempts to evade law enforcement detection, and his pretrial violation and associated failure to clearly demonstrate acceptance of responsibility for his crimes — underscores the need for a substantial term of supervised release to ensure the defendant is properly monitored and can access rehabilitation services,” prosecutors wrote. 

Fitzpatrick’s lawyers submitted letters from his parents and doctors arguing he has been fully compliant with court rules since he was originally sentenced 20 months ago. He has been confined to his home and has not used an electronic device since then. 

They added that a prison sentence “would serve no interest of society” and would place him in danger considering his two alleged suicide attempts. 

Acting Assistant Attorney General Matthew Galeotti lauded the resentencing of Fitzpatrick, writing in a statement that he intentionally led the creation of BreachForums after a law enforcement operation took down its predecessor, RaidForums.

“The FBI is working tirelessly to dismantle criminal marketplaces like BreachForums, and we are pursuing the full range of actors who run these platforms,” said FBI Assistant Director Brett Leatherman.