Dark Web Threat Profile: pompompurin

July 21, 2022

[March 22, 2023] Update: BreachForums has been shut down. Added the subheading “Fearing Compromise, BreachForums Shuts Down.”

[March 20, 2023] Update: The BreachForums admin pompompurin has been arrested by law enforcement. Added the subheading “Authorities Arrested Pompompurin.”

The dark web is an ever-changing place, full of opportunities for threat actors and of platforms they use to communicate with each other. One of these platforms, RaidForums, was among the best-known dark web forums, a place where threat actors gathered daily to share their hacks and leaks. One of the hackers using RaidForums, pompompurin, was at first just an ordinary active member.

Another Active Member with Great Potential: pompompurin

Pompompurin was not a moderator or an admin, but he was a respected member among RaidForums hackers.

RaidForums was not the only forum he was a member of; he was also a member of Russian-language dark web forums such as XSS. At the time of writing we did not know where he was from, but we knew that he wrote in Russian, so we assumed he was in one of the Russian-speaking countries. (The March 2023 arrest described in the updates below proved that assumption wrong.)

pompompurin’s XSS account

Pompompurin was also a hacker and a data leaker in his own right. He had hacked and leaked the data of many companies since he first joined RaidForums in 2020. Three of his hacks attracted particular attention in the threat actor community.

Pompompurin Exploits FBI Domains to Discredit a Cybersecurity Entrepreneur

In November 2021, one of the FBI’s domains was used to send hoax emails to thousands of people. Pompompurin claimed responsibility for the hack. His main goal was to carry out a vendetta against an innocent cybersecurity entrepreneur whom he had targeted many times before. As the hack unfolded, pompompurin messaged his victim on Twitter, informing him of the attack with a single sarcastic word: “enjoy.”

Leaking PII of 2.5 Million People

In April 2021, pompompurin leaked a database containing personally identifiable information (PII) of 2.5 million Americans. The leak included full names, dates of birth, email addresses, phone numbers, home addresses, marital status, political affiliation, salary, and other private details about US residents. The dump was approximately 263 GB in size and contained about 1,255 CSV files and 59 million unique email addresses.

Hacking Crypto and Investing Company Robinhood

Also in November 2021, pompompurin breached the crypto and stock trading company Robinhood. The intrusion began with a social engineering attack on one of the company’s customer support employees.

Through that employee, pompompurin gained access to the customer support platforms the company uses. From there he was able to harvest the email addresses and full names of approximately 7 million Robinhood customers.

Pompompurin then attempted to sell the breached data on an underground forum, adding that he had also harvested Robinhood customers’ ID documents, which he was not putting up for sale at that time. He asked at least a five-figure price for the dataset and claimed it would be profitable in the right hands.

pompompurin’s statement on the Robinhood breach

Raid’s End 

RaidForums was the forum where pompompurin was most active, until it was seized by the FBI and closed permanently. The forum went down abruptly and was replaced with a honeypot server mimicking the login page of the old RaidForums.

At first no one understood what had happened to RaidForums, but as time passed it became clear that RaidForums was no more. Our person of interest, pompompurin, also waited at first to see and understand what had happened to the forum.

Once it was certain that RaidForums was gone, pompompurin did not wait long to open an alternative forum, Breached (aka BreachForums), to fill the void RaidForums had left.

A New Era: Breached

A couple of weeks after Raid was closed, pompompurin, sick of “all the stupid people trying to take the empty spot RaidForums once filled,” opened Breached. Below, you can see the first post pompompurin made on BreachForums, welcoming all users and stating the goal of his forum.

pompompurin welcome post

In the welcome post, pompompurin says that if RaidForums ever returns, he will close his forum. He frames Breached not as a competitor to RaidForums but as an alternative.

From this, we see that his main objective was to continue RaidForums’ legacy: he did not want to lose the active user base and the market RaidForums had built. He succeeded to a considerable extent, and he continues to work on making Breached as good as RaidForums was.

Breached directly copies or transfers RaidForums’ functionality, such as the credit system and the ranking system. Pompompurin states that members will get their RaidForums ranks (VIP, MVP, GOD) back on Breached if they can prove they held them.

Breached also copies the look and feel of RaidForums, both to continue its legacy and for simplicity. In the first days of BreachForums, there were many reposts of old data leaks and breaches: pompompurin and other threat actors were trying to move Raid’s database of leaks to Breached as fast as possible and to attract the attention of former Raid members.

Breached’s user base has grown day by day since its launch, and it has become one of the most actively used dark web forums, thanks to its admin pompompurin and the threat actor community.

Having climbed from active member to sole admin of a massive forum, pompompurin has established himself as one of the most influential threat actors in the community, as the founder and admin of BreachForums.

Authorities Arrested Pompompurin

“Pompompurin” has recently been arrested by US law enforcement for running the BreachForums hacking forum. The FBI filed an affidavit stating that the suspect, Conor Brian Fitzpatrick, admitted to being pompompurin and to owning the website; he has been charged with conspiring to sell unauthorized access devices.

Baphomet’s post about Pompompurin arrest.

“Pompompurin” has been involved in some of the most notable hacks of recent years, including multiple incidents involving the FBI. He claimed responsibility for abusing the agency’s email infrastructure in 2021 to disseminate thousands of false cybersecurity warnings.

He was released on a $300,000 bond co-signed by his parents and is scheduled to appear before the District Court for the Eastern District of Virginia on March 24, 2023. As part of his release conditions, Fitzpatrick may not obtain a passport, contact his co-conspirators, or use any narcotic drugs unless prescribed by a licensed medical practitioner.

After Fitzpatrick’s arrest, another forum administrator, known as Baphomet, announced that they would take control of the website.

Fearing Compromise, BreachForums Shuts Down

Following the arrest of “pompompurin,” the remaining administrator, Baphomet, took the BreachForums site offline and began moving it to new infrastructure that would be safe from law enforcement.

The plan was to migrate the site to untraceable infrastructure, but Baphomet later announced that they had cancelled this plan because law enforcement likely had access to Pom’s machine.

Baphomet discovered that someone had logged into an old CDN server, which meant nothing could be considered safe: the configurations, the source code, and the user information might all be in law enforcement’s hands.

Fearing that the infrastructure was compromised, Baphomet announced on March 21, 2023, that the hacking forum had been taken down but stated that this might not be the end of the forum.

The forum’s Telegram channel will remain up, and Baphomet will keep an online presence to talk with other forum owners and potentially build something new.
