The former administrator of the hacker forum BreachForums, 22-year-old Conor Brian FitzPatrick (Conor Brian FitzPatrick), also known as Pompompurin, has been sentenced to three years in prison. A federal appeals court overturned the earlier sentence handed down in early 2024, when FitzPatrick was sentenced to 20 years of supervised release.
In the spring of 2023, the site was shut down by law enforcement, and Pompompurin was arrested. Subsequently, authorities reported that they had gained access to the site’s database, and then seized the domains of BreachForums and Fitzpatrick’s personal site.
Who is Pompompurin?
Previously, Pompompurin hacked companies and then sold or leaked the stolen data on the black market, and he was an active member of the RaidForums hacking forum. After the FBI shut down RaidForums in 2022, Pompompurin decided to create his own site — BreachForums.
The site soon became the largest hacking forum dedicated to data leaks, and it was most often used by hackers and extortionists to dump stolen information.
In addition to creating BreachForums, Pompompurin is known for a number of high-profile hacks. In particular, at the end of 2021, amid a dispute with security researcher Vinny Troia, he hacked FBI mail servers and sent out fake cybersecurity warnings, claiming Troia was responsible for the incidents.
Pompompurin has also been linked to the theft of data from millions of Robinhood users, the leak of data from 5.4 million Twitter users, and other major incidents.
After his 2023 arrest, Fitzpatrick was hit with numerous charges, including stealing and selling confidential personal information belonging to “millions of U.S. citizens and hundreds of American and foreign companies, organizations, and government agencies,” conspiracy to commit access device fraud, solicitation of access device fraud, and even possession of child pornography on one of his devices. In the end, the former BreachForums admin pleaded guilty.
At the time, Pompompurin remained free after posting $300,000 bail and awaited sentencing out of custody. In May 2023, Fitzpatrick attempted suicide, and in October his attorneys filed a motion to postpone the sentencing date so that experts could evaluate their client’s mental health.
However, Fitzpatrick was still sent to jail because he violated the conditions of his release on bail. It turned out that Pompompurin accessed the internet from devices that did not have the required monitoring software installed and continued to use VPN services, which he was prohibited from doing.
In January 2024, the hacker was sentenced. Although the prosecution insisted that Pompompurin should be sentenced to at least 188 months (about 15.7 years) in prison, the court disagreed and showed leniency toward the defendant. The lenient sentence was attributed to the defendant’s age and an autism diagnosis.
Last year, Fitzpatrick was sentenced to 20 years of supervised release (and 17 days in prison, which he had already served). For the first two years, he was required to serve his sentence under house arrest with a GPS tracker and to receive psychiatric treatment.
In addition, the former head of BreachForums was prohibited from using the internet for the first year, and he had to allow his probation officer to install special monitoring software on his computer, as well as periodically undergo polygraph examinations.
Pompompurin was also required to register as a sex offender, as he had previously pleaded guilty to possession of materials containing child pornography.
However, the sentence handed down in 2024 did not satisfy the prosecution. After an appeal filed by the prosecutor’s office, in January 2025 the appellate court overturned the sentence as inadequate and remanded the case for reconsideration.
As a result, this week Fitzpatrick was sentenced to three years in prison on three counts: conspiracy to commit access device fraud, incitement to commit access device fraud, and possession of materials related to child sexual abuse.
The judge noted that under Fitzpatrick’s leadership, BreachForums “became the largest English-language data-breach forum in history, hosting more than 14 billion individual records, including names, dates of birth, Social Security numbers, employment information, and health insurance data.”
“Over the course of the site’s year of operation, Fitzpatrick acted as an intermediary and facilitated the buying and selling of illegal information, earning $698,714 and causing numerous victims material and reputational harm,” the judge concluded.