How the FBI Caught Hacker Pompompurin

00:00

Pompompurin, the infamous hacker and owner  of breachforums was recently arrested,  

00:05

and the FBI has just revealed exactly how they  tracked him down. But, before we get to that  

00:10

how did this guy, who brands himself using a  hellokitty character rise to become one of the  

00:15

most famous personalities in the cyber criminal  underworld? Well - owning breachforums certainly  

00:20

played a part, it’s become one of the largest  English speaking blackhat forums on the internet 

00:25

the most famous section being the leaks  market which has facilitated the sale of  

00:29

countless data breaches I’d say maybe even most  of the leaks we’ve looked at on this channel  

00:34

over the past year, came from breachforums. Aside from being a cyber criminal King Pin,  

00:39

Pompompurin also gained notoriety and became  a bit of a celebrity for his rivalries with  

00:45

security researchers, the most notable being his  frequent and very public clashes with the owner of  

00:50

NightLion security, Vinny Troia, which stems  from Vinny’s unsuccessful attempts to unmask  

00:56

Purin’s real identity. Purin wasn’t too happy  with these attempts and responded by unleashing  

01:01

a multi-year long troll campaign against Vinny,  which included hacking his Twitter account, as  

01:06

well as breaching the National Center for Missing  and Exploited children, all in an effort to put  

01:11

out an alert claiming Vinny is a Pedo. But by far  his biggest troll was utilising a vulnerability in  

01:17

the FBI website itself to send thousands of spam  emails from a legit FBI email address, warning of  

01:24

fake cyberattacks being perpetrated by Vinny. But arguably Pompom’s biggest enemy was his  

01:29

ego - which is by no means unique among cyber  criminals. Whilst attracting so much attention  

01:34

made him a celebrity amongst his peers, it painted  a large target on his back in the eyes of the FBI,  

01:40

which has just revealed exactly how they hunted  him down. For this story we have to go back to the  

01:45

days of raidforums, a now seized blackhat site  that Purin was a regular user of. When the FBI  

01:51

shut the site down last year they obtained its  database which included the private messages of  

01:56

all the forums’ members. One such conversation  between Pompompurin and raidforum’s owner  

02:01

“Omnipotent”, is of particular interest. They were  discussing a data leak pertaining to the keyboard  

02:06

app AI.type, over 30 million user’s details were  leaked, and the database was of course posted on  

02:12

raidforums - the database was said to include  all the app’s users. However Purin messaged  

02:18

Omnipotent, saying the leaked database could not  have contained all the app’s users, because his  

02:23

email wasn’t included in the dump. He says “Not  messaging to ask for credits back or anything,  

02:28

because I wanted it anyways, I just wanted to  let you know that it doesn’t seem to be the  

02:32

full amount of data" Omnipotent responds “What  email did you look up and how?” “I don’t want  

02:37

to share my actual email for obvious reasons, but  this email seems to have the same case as mine):”  

02:43

“[email protected]”. Pompompurin  no doubt thought he was being real smart when  

02:50

he told Omnipotent this wasn’t his email, but  not only was it his real email, but it contains  

02:55

Purin’s real name “Conor Fitzpatrick” - Whilst  Omnipotent didn’t figure this out - the FBI did. 

03:01

After the FBI served Google warrants, they  found that this email was linked to a google pay  

03:07

account, which another gmail account shared the  same details to. The FBI investigated this second  

03:12

email and found it was accessed using the same IP  address as a zoom account which was registered to  

03:18

the email address “[email protected]” - which  is the exact same email that Purin used to log  

03:24

into raidforums. Regardless of whether Purin used  VPNs or TOR, he had committed the deadly sin of  

03:31

mixing his irl and online identities, firstly  when he sent Omnipotent that fateful message,  

03:37

and secondly when he mixed the IPs he was using  for his irl and Pompompurin identities. Oh and  

03:43

those Google pay accounts, were linked to Pompom’s  home address, so tracking him down was simple. 

03:49

Court documents show that when Pompompurin, also  known by his much less catchy name “Conor Brian  

03:55

Fitzpatrick” was arrested he quickly accepted  the game was over, admitting to the FBI that  

04:00

he was Pompompurin and “the owner and admin of  BreachForums”. Conor was charged with “conspiracy  

04:06

to solicit individuals with the purpose of selling  unauthorized access devices”. “Access devices”  

04:11

simply being a fancy term for a means of accessing  an account, like usernames and passwords.  

04:17

His bail was set at $300 thousand dollars, which  was promptly paid by his parents - because the  

04:22

guy is apparently only 20 years old - and  under sentencing guidelines he could be  

04:27

facing the next 20 years of his life in prison. BreachForums’ second in command, an admin going  

04:32

by ‘Baphomet’ posted an announcement in the  early hours of Purin’s arrest. Saying he  

04:36

assumed the worst after just 24 hours of Purin  being afk - which really puts into perspective  

04:42

just how glued Purin was to his criminal  enterprise. During this initial 24 hours,  

04:47

Baphomet “[removed] his access to all important  infrastructure and restricted his forum account  

04:52

[so he could] still login but not carry out any  administrator actions.”. He’s also been monitoring  

04:57

“[logs] to see [if there’s been] any access or  modifications to [Breachforums infrastructure]”.  

05:02

Which brings us to the next act in this saga,  the future, or lack thereof, of breachforums. 

05:07

Breachforums was born out of the downfall  of raidforums, an almost identical site,  

05:13

hosting a community dedicated to cyber  crime, with sales of hacking tools,  

05:16

a leaks market, and so on. After 8 years  on the internet, raidforums was - well,  

05:21

raided themselves by the FBI, with  its owner “Omnipotent” arrested - to  

05:26

this day the 21 year old behind it is  still fighting extradition to the US. 

05:31

The shutdown of raidforums left its half  a million registered users homeless,  

05:35

but Pompompurin, a user of the site with a good  reputation soon stepped in to fill the void,  

05:41

creating breachforums. The new site was pretty  much a continuation of raidforums, just under new  

05:47

management, so much so that Purin even let users  keep the ranks they had gained on raidforums. 

05:52

However barely 12 months after breach was  set up, with Purin now sitting in a jail  

05:57

cell. Admin Baphomet has been forced to not only  restrict Purin’s access to the site he founded,  

06:02

but ban him altogether, after all it’s clear  at this point he just ain’t coming back,  

06:07

and fear runs high that the FBI could  in some way exploit Purin’s access to  

06:11

breachforums in order to deanonymise it’s users. Let’s not forget, after raidforums’ seizure,  

06:17

it was transformed into an FBI honeypot, every  page on the site redirected to a login page that  

06:22

law enforcement was using in order to grab user  credentials. After banning Purin, Admin Baphomet  

06:28

vowed to takeover the site and keep it alive  long term by migrating to new infrastructure. 

06:34

However this pledge didn’t last long, he soon  released an update saying he was going to shut  

06:38

down breachforums for good - reason being that  logs showed someone (presumably the FBI) had  

06:44

exploited Purin’s credentials to access breached  infrastructure shortly after his arrest, meaning  

06:49

in his words “nothing can be assumed safe, whether  its our configs, source code, or information about  

06:54

our users - the list is endless. This means  that I can't confirm the forum is safe”, 

07:00

His fears were confirmed in the last day or so,  when newly published court documents revealed  

07:04

Pompompurin’s other opsec mistakes. Like the  time he forgot to use a VPN when logging into  

07:10

breachforums, but rather using an IP registered to  his real home address. The fact the FBI even know  

07:16

this confirms they have access to breachforum’s  database, just as they did with raidforums. 

07:22

What happens now? Well - Baphomet says he’s  having conversations with competitor forum admins,  

07:27

“hoping to work with some of those people to build  a new community”. Whether that happens or not, the  

07:32

void will be filled one way or another, with its  quarter of a million users now internet refugees. 

08:04

As always thanks for watching, and I’ll  see you in the next video, have a good one!