Dark Web Threat Profile: pompompurin

July 21, 2022

The dark web is an ever-changing place consisting of countless opportunities and numerous platforms that threat actors use to communicate with each other. One of these platforms, RaidForums, was among the famous dark web forums where threat actors hung out daily and shared their hacks and leaks. One of the hackers using RaidForums, pompompurin, was just an active everyday member back in the day.

Another Active Member with Great Potential: pompompurin 

Pompompurin was not a moderator or an admin but a respected member among RaidForums hackers.

RaidForums was not the only forum he was a member of; he was also a member of Russian dark web forums such as XSS. Although we do not know where he is from, we know that he speaks Russian. It is safe to assume he is from one of the Russian-speaking countries.

pompompurin’s XSS account

Pompompurin was also a hacker and a data leaker himself. He has hacked and leaked the data of countless companies since he first joined RaidForums in 2020. Three of his hacks have attracted massive attention in the threat actor community.

Pompompurin Exploits FBI Domains to Discredit a Cybersecurity Entrepreneur

In November 2021, one of the FBI’s domains was used to send hoax emails to thousands of people. Pompompurin claimed responsibility for the hack. Pompompurin’s main goal was to carry out his vendetta against an innocent cybersecurity entrepreneur, whom he had hacked many times. Just as the hack happened, Pompompurin messaged his victim on Twitter, informing him of the attack with a sarcastic message, “enjoy.”

Leaking PII of 2.5 Million People 

In April 2021, pompompurin leaked a database containing personally identifiable information (PII) of 2.5 million Americans. The leak included full names, dates of birth, email addresses, phone numbers, home addresses, marital status, political affiliation, salary, and other private details about US residents. This massive leak was approximately 263 GB and contained about 1255 CSV files and 59 million unique e-mails.

Hacking Crypto and Investing Company Robinhood

Also in November 2021, the threat actor pompompurin hacked the crypto and investing company Robinhood. The hack began with a social engineering attack on one of the company's customer support employees.

Then, pompompurin gained access to the customer support platforms the company uses. He was able to harvest the emails and full names of approximately 7 million Robinhood customers.

Pompompurin attempted to sell the breached data on a dark web underground forum, adding that he was also able to harvest IDs of Robinhood’s customers, which were not for sale then. He put a price of at least five figures on the dataset and claimed that the dataset is profitable in the right hands.

pompompurin’s statement on the Robinhood breach

Raid’s End 

RaidForums was the forum where pompompurin was most active until it was seized by the FBI and closed permanently. The forum was abruptly shut down and replaced with a honeypot server mimicking the login page of the old RaidForums.

No one understood what happened to RaidForums at first, but as time passed, it was clear that RaidForums was no more. Our person of interest, pompompurin, also waited at first to see and understand what happened to RaidForums.

Once it was certain that RaidForums had been shut down, pompompurin did not wait long to open an alternative forum: Breached, aka BreachForums, filling the void RaidForums left.

A New Era: Breached

A couple of weeks after Raid was closed, pompompurin was sick of “all the stupid people trying to take the empty spot RaidForums once filled” and opened Breached. Below, you can see the first post pompompurin posted on BreachedForums, welcoming all users and stating the goal of his forum.

pompompurin welcome post

In the welcome post, pompompurin says that if RaidForums makes a return, he will close the forum. He says that Breached is not a competitor to RaidForums, but rather an alternative.

From this, we see that his main objective was to continue RaidForums’ legacy. He did not want to lose the active user base and the market RaidForums had. He was able to fulfill his goals to some extent, and he continues to make Breached as good as RaidForums was.

Breached directly “copies” or “transfers” the functionalities of RaidForums, such as the credit system or the ranking system. Pompompurin states that he will give people their RaidForums ranks (VIP, MVP, GOD) back if they are able to prove them.

Breached also copies the look and appearance of RaidForums, both to continue RaidForums’ legacy and for simplicity. In the first days of BreachedForums, there were lots of reposts of old data leaks and breaches. Pompompurin and other threat actors were trying to move Raid’s database to Breached as fast as possible and attract the attention of previous Raid members.

Breached has been growing its user database every day and, since its start, has become one of the most actively used dark web forums thanks to its admin pompompurin and the threat actor community.

Climbing the ladder from an active member to the single admin of a massive forum, pompompurin is writing his name as one of the most influential threat actors in the community, as the founder and the admin of BreachedForums.