May 10, 2023 By Jonathan Reed 4 min read

In mid-March 2022, the underground cyber forum BreachForums quietly made its debut. Within a year, the platform became one of the most prolific cyber crime forums in history.

According to the FBI, BreachForums illegally posted hacked data comprising nearly 14 billion individual records. It hosted breaches that included data related to 7 million Robinhood customers, 23 terabytes of Shanghai National Police data and, more recently, 56,000 records from the D.C. Health Benefit Exchange Authority. The D.C.-based hack exposed the personal details of Congress members, their families, staff and tens of thousands of other Washington area residents.

The meteoric rise of BreachForums came to an abrupt halt on March 15, 2023, with the arrest of Conor Fitzpatrick, 20, of Peekskill, New York. From his parents’ house, Fitzpatrick allegedly operated the forum under the username “pompompurin”.

Now that BreachForums is down, what will take its place — and when?

The rapid rise of BreachForums

According to a DOJ press release, BreachForums was a marketplace for cyber criminals to buy, sell and trade hacked or stolen data and other contraband. Data commonly sold on the platform included bank account information, social security numbers, other personally identifying information (PII), hacking tools, breached databases, services for gaining unauthorized access to victim systems and account login information for compromised online accounts.

The BreachForums operator, Conor Fitzpatrick, has been accused of victimizing millions of U.S. citizens and both domestic and foreign entities, including companies, organizations and government agencies. Among the stolen data sets were ones that contained sensitive information belonging to customers of telecommunication, social media, investment, health care and internet service providers.

In one instance, a user on BreachForums uploaded the personal details and contact information of around 200 million Twitter users. Another leak disclosed information on 87,760 members of InfraGard, which is a partnership between private sector firms and the FBI aimed at protecting critical infrastructure.

BreachForums’ predecessor was RaidForums, which launched in 2015 and was shut down in April 2022 with the arrest of its founder and administrator. According to threat intelligence, RaidForums contained more than 530,000 registered members and was a powerful tool for low to mid-level cyber criminals. RaidForums attackers bought and sold information stolen from UK companies related to credit cards, bank accounts, usernames and passwords.

What the BreachForums timeline tells us

The RaidForums lifespan ran from 2015 to April 2022. Meanwhile, BreachForums started operations in March 2022.

According to CyberScoop, BreachForums started out slowly and initially struggled to gain traction. But after about six months, the forum had built a vibrant community in which posters developed known personalities and brands. BreachForums entrenched itself as a “mid-tier” source of stolen data in the global cyber crime ecosystem, and within months it became the largest English-speaking hacked data broker forum anywhere.

While the takedown of BreachForums is welcome news, its dramatic rise to success tells us something important. News of RaidForums’ demise was still fresh when BreachForums debuted. Within a year, the new forum had exposed nearly 14 billion records of personal data.

Did they let BreachForums operate on purpose?

It’s not unusual for law enforcement to be aware of illicit criminal activity but not act upon it right away. If they shut things down too fast, the big fish perpetrators might get away. Imagine if the feds infiltrated BreachForums, and then one day posted that the platform was under surveillance. Everybody would scatter, and the operators might not be apprehended.

There’s no doubt that threat intelligence teams were monitoring the forum, since that is what they do. Law enforcement, however, kept lurking until it could identify and locate the forum’s operator.

An FBI affidavit cites Fitzpatrick’s own alleged involvement in data leaks. It also highlights his role as a middleman in the sale of data to an undercover FBI employee. The affidavit further details operational security blunders that tied Fitzpatrick to running the site, including IP addresses associated with Fitzpatrick’s phone and his house, and a personal Gmail address.

How long the feds had this info on Fitzpatrick is anybody’s guess. An expert cited by CyberScoop speculated that the D.C. leak involving Congress members’ personal data may have been the straw that broke the camel’s back.

Why doesn’t someone else just pick up where pompompurin left off? In the wake of Fitzpatrick’s arrest, “Baphomet,” a BreachForums “staff member,” posted a series of statements urging calm, as per CyberScoop. Baphomet claimed the site would continue on. But on March 19, Baphomet said he’d seen signs of someone using Fitzpatrick’s admin accounts to log into a content delivery server after Fitzpatrick’s arrest. This suggested that “nothing can be assumed safe, whether it’s our configs, source code or information about our users — the list is endless.” Baphomet therefore announced that BreachForums was shut down for good.

Who will take BreachForums’ place?

Some security experts predict that cyber actors will be scrambling to find a new home now that BreachForums has been taken down. But if it evolved so quickly and had such a wide-ranging impact, what’s to prevent another forum from taking BreachForums’ place within months? It would not be a surprise if one is already in the works.

Nevertheless, the dramatic fall of BreachForums will have a major impact on the cyber crime community. Threat actors looking to sell data will have to find a new marketplace. And threat researchers who track illicit activity will have to cast new nets looking for risk patterns. Part of threat intelligence includes curating information from darknet forums to know what threat actors are talking about.

The BreachForums story underlines the need for solid threat intelligence. Underground cyber forums aren’t going away soon. Meanwhile, threat intelligence drills into understanding how threat actors think, strategize and strike. This knowledge then enables prevention, detection, response and recovery strategies.
