Another One Bites the Dust: The (Apparent) End of Breach Forums
On March 15, 2023, Breach Forums administrator Conor Brian Fitzpatrick (aka “pompompurin”) was arrested and charged with conspiracy to commit access device fraud
The arrest of pompompurin
The cycle of fraud venue shutdowns continued on Wednesday, March 15, 2023, when Breach Forums administrator Conor Brian Fitzpatrick (aka “pompompurin”), was arrested and charged with a single count of conspiracy to commit access device fraud. Following their arrest, Breach administrators have determined to close the forum.
Coincidentally, the one-year anniversary of Breach Forums occurred around the same time these events unfolded. Let’s examine the rise and fall of Breach Forums, its impact on the cybercrime underground, and what it means moving forward.
Connection to Raid Forums
“pompompurin” is an English-language threat actor who has been active on English- and Russian-language forums since at least October 2020. pompompurin gained notoriety following an FBI email exploit in October 2021, in which they sent tens of thousands of emails from an FBI domain. pompompurin became a highly reputable threat actor on the now-defunct top-tier hacking forum Raid Forums.
On February 25, 2022, the US Department of Justice (DOJ) seized Raid Forums as part of a US federal interagency and international cooperative law enforcement effort to take down the site. This seizure was not publicly confirmed to have been a US-led law enforcement operation until April 12, 2022, when the DOJ released a public statement detailing the seizure, replaced the Raid Forums landing page with a seizure notice, and unsealed an indictment against the former owner, founder, and head admin of the site.
Following the Raid Forums seizure, threat actors actively sought alternatives to Raid Forums on the site’s official Telegram channel, “RaidForums.” Other cybercrime venues were recommended, including Russian language venues. Following the invasion of Ukraine on February 24, a Raid Forums administrator announced that the site would ban all users found to be connecting from Russia.
Due to the large amount of anti-Russian sentiment from the Raid Forums user base, Breach Forums became a more appealing alternative to Raid’s displaced users. Breach Forums was nearly identical to Raid Forums in appearance and layout. Breach Forums offered incentives for former Raid Forums users to migrate to the platform, including the ability to retain the paid ranking users previously held on Raid Forums on Breach Forums. From March 2022 to November 2022, our analysts observed that the site’s membership expanded from 1,500 members to over 192,000.
Breach announces shutdown
On March 21, 2023, in a Telegram message within the “Breach Forums” channel, the administrator “baphomet” announced that they would be closing the forum. Following pompompurin’s arrest, the admin initially claimed they had access to the infrastructure and would keep the forum online. However, their most recent message indicates that it may not be worthwhile to keep the forum online:
Hello everyone. Please consider this the final update for Breached.
I will be taking down the forum, as I believe we can assume that nothing is safe anymore. I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is.
I want to make it clear, that while this initial announcement is not positive, it’s not the end. I’m going to setup another Telegram group for those who want to see what follows. You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all.
As stated in the attached message please give me 24 hours to get some rest and give thought to how we move on from here. I will be back online after that, and we will talk. I am going nowhere.
The cybercrime underground has continually demonstrated resilience. While an arrest or takedown can result in a short-term disruption, its activity will likely be replaced by some alternative. However, given the takedown of Raid Forums and arrest of their administrator, and seeing history almost repeat itself with pompompurin’s arrest, it is unclear what threat actor would be willing to take on that risk.
baphomet’s latest message indicated that the forum will likely relaunch in another format, though it remains to be seen whether this will continue in the spirit of Raid or Breach, or be something new entirely. Threat actors will likely continue to have an appetite for breached databases, and it remains to be seen if this can be through an alternative venue, or requires a new forum entirely.