A New York man received a three-year prison sentence for creating and operating BreachForums, one of the world's largest hacker forums, and for possessing child sexual abuse material.
The Justice Department resentenced Conor Brian Fitzpatrick, 22, of Peekskill, New York, to three years in prison on Tuesday. Fitzpatrick pleaded guilty to one count of access device conspiracy, one count of access device solicitation, and one count of possession of child sexual abuse material. The resentencing occurred after the U.S. Court of Appeals for the Fourth Circuit vacated Fitzpatrick's prior sentence of time served (17 days) and ordered a new sentencing hearing. As part of his plea agreement, Fitzpatrick forfeited over 100 domain names used in BreachForums' operation, more than a dozen electronic devices, and cryptocurrency proceeds from the scheme.
BreachForums launched in March 2022 as a replacement for RaidForums, a major English-language hacking forum that law enforcement seized in February 2022. The platform grew into one of the world's largest English-language hacking forums, attracting over 330,000 members. Like its predecessor, BreachForums gained notoriety by selling access to high-profile database breaches containing sensitive personal information.
BreachForums maintained and offered access to at least 888 datasets of stolen information containing over 14 billion individual records of personal identifying information. The platform sold bank account information, social security numbers, usernames, passwords, and other sensitive data from various sectors including telecommunications, social media, investment services, healthcare, and internet service providers. Notable datasets included names and contact information for approximately 200 million users of a major U.S.-based social networking site and details of approximately 87,760 members of InfraGard, a partnership between the FBI and private sector companies focused on critical infrastructure protection.
"Following the dismantlement of RaidForums by law enforcement, the defendant set up and administered BreachForums, an online bazaar where criminals could purchase sensitive data," said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department's Criminal Division. "Today's sentence demonstrates the Justice Department's unwavering commitment to bringing to justice those who seek to sell stolen data to the highest bidder."
U.S. Attorney Erik S. Siebert for the Eastern District of Virginia stated, "Conor Fitzpatrick personally profited from the sale of vast quantities of stolen information, ranging from private personal information to commercial data. These crimes were so extensive that the damage is difficult to quantify, and the human cost of his collection of child sexual abuse material is incalculable."
Assistant Director Brett Leatherman of the FBI's Cyber Division said, "The FBI is working tirelessly to dismantle criminal marketplaces like BreachForums, and we are pursuing the full range of actors who run these platforms. Today's sentencing demonstrates that anyone who helps others profit from theft, fraud, and other cybercrimes is not out of reach."
This case demonstrates the Justice Department's efforts to target cybercriminal marketplace operators following the pattern established with RaidForums' seizure. The resentencing sends a clear message that initial lenient sentences for cybercrime operators can be challenged and overturned, particularly when the scale of harm involves billions of compromised records. The forfeiture of cryptocurrency and domain names establishes important precedents for dismantling the infrastructure that enables these criminal marketplaces. Healthcare organizations should pay attention since stolen healthcare data was among the datasets traded on the platform, highlighting ongoing threats to patient information security.
The three-year sentence and asset forfeiture represent an escalation in consequences for cybercriminal marketplace operators. Organizations handling sensitive data must recognize that their information may be actively traded on platforms like BreachForums and invest accordingly in breach prevention and detection capabilities.
The forum attracted hackers, fraudsters, and identity thieves seeking to buy or sell stolen data.
Cryptocurrency provided anonymity and made it harder for law enforcement to track payments.
Seizing domain names disrupts access to criminal marketplaces and prevents quick reactivation.
Healthcare records contain personal details that can be exploited for identity theft and fraud.