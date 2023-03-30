ALEXANDRIA, Va. (WRIC) — A 20-year old New York man will face federal charges in Virginia after he was charged with running an online marketplace for data stolen from millions of Americans, including members of congress.

Conor Brian Fitzpatrick, 20, of Peekskill New York has been accused of running BreachForums, a site that popped up in March 2022 after the forcible shutdown of other marketplaces for stolen data.

The site was at the center of several major hacking incidents, including the compromising of stock-trading platform Robinhood and the release of data from DC Health Link, which included personal information of sitting members of congress.

According to an affidavit filed by the FBI, Fitzpatrick isn’t accused of actually masterminding those breaches. Instead, he’s been charged with providing a forum for those who do traffic in stolen data to find buyers.

In an interview conducted on a hacker news site in March 2022, Fitzpatrick, under the moniker Pompompurin (his screen name is taken from a popular Sanrio character), said he knew he might face arrest for running the site, but was confident it would be back up within days.

“It doesn’t really bother me,” he said. “If I get arrested one day it also wouldn’t surprise me, but as I said I have a trusted person who will have full access to everything needed to relaunch it without me.”

The site did explicitly forbid the sale of debit and credit card information, according to the affidavit, though the rules were enforced unevenly.

At various points, Fitzpatrick acted as an intermediary for buyers and sellers, holding funds in escrow as transactions were completed. One of those transactions was the sale of a database containing bank account information — including account and routing numbers — from a credit union in Virginia.

Fitzpatrick came under suspicion by the FBI after they shut down another data marketplace, RaidForums, in 2022. In the seized servers for the site, they found messages from Pompompurin in which they flagged the fact that the email “conorfitzpatrick02@gmail.com” — which they knew to have been compromised — had not been included in a supposed list of compromised Gmail accounts.

Other Google accounts, meanwhile, linked that old address to conorfitzpatrick2002@gmail.com — an address registered to Fitzpatrick’s address in New York.

That was enough to secure agents a search warrant for Fitzpatrick’s home, where agents say Fitzpatrick admitted to being Pompompurin and to runnign BreachForums. In passing, Fitzpatrick told agents that he made up to $1,000 a day from running the site.

Fitzpatrick was granted a $300,000 bond by the federal court in Alexandria and, if convicted, could face up to five years in prison.