On September 16, 2025, the U.S. Department of Justice (DoJ) announced the resentencing of Conor Brian Fitzpatrick, the former administrator of the notorious cybercrime forum BreachForums, to a three-year prison term. This decision follows his guilty plea to charges including access device conspiracy, access device solicitation, and possession of child sexual abuse material (CSAM).
Fitzpatrick, known online as Pompompurin, was initially arrested in March 2023. In July of the same year, he admitted to his involvement in operating BreachForums, a platform that facilitated the buying, selling, and trading of stolen data from high-profile companies worldwide. At its peak, the forum boasted approximately 330,000 members and contained over 14 billion individual records.
As part of his plea agreement, Fitzpatrick consented to the forfeiture of more than 100 domain names associated with BreachForums, numerous electronic devices used in the forum’s operations, and cryptocurrency assets representing the illicit proceeds from the platform.
U.S. Attorney Erik S. Siebert for the Eastern District of Virginia emphasized the gravity of Fitzpatrick’s actions, stating, Conor Fitzpatrick personally profited from the sale of vast quantities of stolen information, ranging from private personal information to commercial data. These crimes were so extensive that the damage is difficult to quantify, and the human cost of his collection of child sexual abuse material is incalculable. We will not allow criminals to hide in the darkest corners of the internet and will use all legal means to bring them to justice.
The resentencing was prompted by a decision from the U.S. Court of Appeals for the Fourth Circuit on January 21, 2025, which vacated Fitzpatrick’s previous sentence of 17 days time served and remanded the case for resentencing. In January 2024, Fitzpatrick had been sentenced to time served and 20 years of supervised release for his role as the creator and administrator of BreachForums.
BreachForums emerged in March 2022, filling the void left by the dismantlement of RaidForums by law enforcement. Despite multiple efforts to shut it down, the forum resurfaced under various domains. In July 2024, the entire database of the original BreachForums was leaked online, exposing members’ information.
In August 2025, ShinyHunters, who had taken over the forum after the arrest of another administrator known as Baphomet in 2023, claimed that BreachForums had been compromised and was under the control of international law enforcement agencies. Subsequently, the forum went offline on its latest domain, with administrators stating they had decided to go dark along with 14 other e-crime groups, including LAPSUS$ and Scattered Spider.
This case underscores the ongoing efforts by law enforcement to combat cybercrime and the exploitation of vulnerable individuals online. The DoJ’s actions reflect a commitment to holding individuals accountable for their roles in facilitating and profiting from illegal online activities.
