BreachForums grab banner

US law enforcement today seized the clear web domain of popular hacking forum BreachForums (aka Breached) three months after apprehending its owner Conor Fitzpatrick (aka Pompompurin) on cybercrime charges.

Hosted at Breached[.]vc, the domain now displays a grab banner stating that the website has been taken down by the FBI, Department of Health and Human Services, Office of Inspector General, and Department of Justice based on a warrant issued by the United States District Court for the Eastern District of Virginia.

Other law enforcement authorities around the world also participated in this action, including the United States Secret Service, Homeland Security Investigations, New York Police Department, Postal Inspection Service of the United States, the Dutch National Police, the Australian Federal Police, the UK National Crime Agency and Police Scotland.

BleepingComputer learned that law enforcement also seized the pompur[.]in domain, which was Pompompurin’s personal site, as part of this operation.

While the BreachForums clear net domain has been seized, its dark web counterpart does not yet display the seize banner but instead displays an Nginx “404 Not Found” error.

Spokespersons for the FBI and Department of Justice were not immediately available for comment when contacted by BleepingComputer earlier today.

As first reported by DataBreaches.netthese domain seizures also led to the seizure of one of their own sites used to report data breaches.

Breached against the new Breached

After Fitzpatrick’s arrest, Baphomet, the remaining administrator, attempted to keep the original domains running. However, Baphomet believed that federal agents had gained access to the servers, prompting the administrator to shut down the site on March 20.

Shortly after, the visit to the domain displayed “502 – Bad Gateway” Error Messagesindicating that the site was now closed.

In June, after rumors that Baphomet was teaming up with Shiny Hunters, a threat actor notorious for data breaches, to relaunch BreachForums on a new domain, the former Breached domain began defaulting to displaying “Welcome to nginx ! ” page.

This indicated that someone else had taken control of the domains and was modifying their content and configuration. Baphomet denied responsibility for these changes.

Even stranger, messages have appeared on old domains warning users that BreachedForums will never return and stressing that any forum claiming to be a new version of BreachedForum should be approached with caution.

“Any forums claiming to be ‘Breached’ or ‘BreachForums’ should be used with caution. BreachForums will never return,” read a post on the Breached site.[.]vc domain.

This alert was later updated with alleged messages from Baphomet warning that any forum claiming to be the new BreachForums should be considered unsafe. Baphomet denied that they are the ones doing these updates on old domains.

In a growing conflict between various hacking forums, Baphomet’s new BreachForums and Shiny Hunter have been hit by their own data breach, with threat actors releasing the site’s stolen database.

Subsequently, an update appeared on the old Breached[.]vc, advising against trusting the BreachForums clone as it had already been hacked. This message also contained a link to an SQL file for the leaked leaked database of the new BreachedForums.

Violation Warning
Violation warning (BleepingComputer)

All of these new updates to the site included a hidden HTML comment that read “Meow”, followed by a crying smiley:

While some in the cybersecurity community felt this was an attempt by law enforcement to discourage the return of new data breaches and hacking forums, this post also leaked the news. BreachForums database, which you wouldn’t typically see from law enforcement.

The old forum domain began displaying the FBI seizure banner three days later.

The arrest of Pompompurin

During his arrest on March 15the owner of BreachForums openly admitted without the presence of a lawyer and after waiving his constitutional rights that his real name was Connor Brian Fitzpatrick and that he was indeed Pompourin, according to a statement by FBI Special Agent John Longmire included in court documents.

He was loaded with involvement in the theft and sale of sensitive personal information belonging to “millions of American citizens and hundreds of U.S. and foreign businesses, organizations, and government agencies.”

Fitzpatrick was released a day later on $300,000 bond and was scheduled to appear in District Court for the Eastern District of Virginia on March 24.

On the day of his arraignment, the FBI confirmed in new court documents that they had access to the BreachForums database.

After the arrest of the owner, Baphomet farm after stating that they believed law enforcement had access to the forum servers.

Who is Pompompurin?

Pompompurin was a prominent member of RaidForums and is part of a network of cybercriminals focused on hacking into corporate networks and selling or leaking stolen data online.

Following the seizure of RaidForums in 2022Pompompurin created the BreachForums (or Breached) forum, which quickly became the largest data breach platform, frequently used by ransomware groups and other threat actors to leak stolen information.

Notably, prior to Fitzpatrick’s arrest, an unidentified individual attempted to sell personal data belonging to US politicians. These data were obtained during the breach of DC Health Linkthe health care provider for US House members, their families, and staff.

Pompompurin has also been implicated in breaching other prominent organizations and companies. For example, he exploited a vulnerability in the FBI Law Enforcement Enterprise Portal (LEEP) to send fake cyberattack alert emails.

He also stole customer data by Robinhood and allegedly exploited a Twitter bug to find the email addresses of around 5.4 million users.

It should also be noted that court documents released following Fitzpatrick’s arrest have yet to reveal any charges against Pompompurin related to violations and malicious activity beyond BreachForums.


Source link