The founder of the popular cybercrime website BreachForums will spend three years in prison after previously being let off with a slap on the wrist.
After pleading guilty to a range of offenses related to his administration of BreachForums and possession of child sex abuse material, Conor Brian Fitzpatrick, 22, was handed by the District Court for the Eastern District of Virginia what a US appeals court later called a “substantively unreasonable sentence.”
After his original 2023 arrest at his parents’ home in Peekskill, New York, Fitzpatrick violated his pretrial conditions – namely, the use of a VPN – and was jailed as a result. However, he was released less than a month later following the lenient sentence given to him in 2024.
Fitzpatrick’s time-served sentence of just 17 days, plus 20 years of supervised release, was deemed insufficient by appellate court judge Paul Niemeyer, who ordered a resentencing.
Prosecutors in Virginia won their appeal on September 16 – a three-year prison stint for the New York man, who was first arrested in 2023, although they fell well short of the 15 years they set out to secure.
They argued that Fitzpatrick’s crimes, which involved facilitating the vast collection and sale of stolen data, in addition to the child sexual abuse material, were too severe to be met with the lenient punishment he initially received.
Fitzpatrick, known to forum users as Pompompurin, was originally handed a sentence that involved no prison time, citing his autism diagnosis. His defense lawyer successfully argued that prison would offer no correctional value.
However, Niemeyer said in his opinion [PDF] given in January that the court failed to acknowledge the severity of Fitzpatrick’s offenses, to which he pleaded guilty.
Niemeyer noted that, under Fitzpatrick’s watch, BreachForums “became the largest English-language data-breach forum ever, featuring over 14 billion individual records consisting of names, dates of birth, Social Security numbers, employment information, and health insurance information.”
“During the site’s year-long operation, Fitzpatrick acted as a middleman and facilitated the purchase and sale of the illegal information, earning $698,714 and causing many victims monetary and reputational injury.”
Fitzpatrick’s collection of child sex abuse files also spanned “at least 600 images,” and authorities discovered that he had previously “viewed videos that depicted prepubescent children engaging in sex acts.”
Niemeyer said that instead of time served, per sentencing guidelines, the BreachForums admin should have received a sentence in the region of 188 to 235 months behind bars.
Fitzpatrick again pleaded guilty to three charges this week: one count of access device conspiracy, one count of access device solicitation, and one count of possession of child sexual abuse material.
He also agreed to surrender more than 100 domain names used to operate the forum, more than a dozen devices used to administer the site, and cryptocurrency he earned while in charge.
“Conor Fitzpatrick personally profited from the sale of vast quantities of stolen information, ranging from private personal information to commercial data,” said Erik S. Siebert, US Attorney for the Eastern District of Virginia, in response to the resentencing.
“These crimes were so extensive that the damage is difficult to quantify, and the human cost of his collection of child sexual abuse material is incalculable. We will not allow criminals to hide in the darkest corners of the internet and will use all legal means to bring them to justice.”
Brett Leatherman, assistant director of the FBI’s Cyber Division, said: “The FBI is working tirelessly to dismantle criminal marketplaces like BreachForums, and we are pursuing the full range of actors who run these platforms. Today’s sentencing demonstrates that anyone who helps others profit from theft, fraud, and other cybercrimes is not out of reach.” ®