BreachForums admin Conor Fitzpatrick (Pompompurin) faces resentencing after his lenient 17-day sentence was vacated, highlighting the serious consequences of his cybercrime.
Conor Brian Fitzpatrick, the 21-year-old founder of BreachForums, a notorious marketplace for stolen personal data, is set to be resentenced following a federal appeals court decision to vacate his previous punishment. The ruling comes after concerns that the original 17-day sentence failed to adequately reflect the seriousness of his crimes or serve as a deterrent.
BreachForums: A Haven for Stolen Data
Fitzpatrick, operating under the alias “Pompompurin,” launched BreachForums in March 2022 after the FBI shut down RaidForums, a similar platform. BreachForums quickly grew to become the largest English-language data-breach marketplace. Over its one-year operation, the forum hosted over 14 billion individual records, including sensitive information such as databases, Social Security numbers (SSNs), birth dates, and banking details.
The platform also served as a hub for hackers to buy and sell stolen data, often facilitated by Fitzpatrick himself. Federal investigators revealed that Fitzpatrick earned approximately $698,000 during this period, causing significant financial and reputational harm to victims. Undercover FBI agents infiltrated the site in July 2022 and purchased records of 15 million Americans for $5,000, setting the stage for his eventual arrest in March 2023 at his home in Peekskill, New York.
The Arrest and Initial Sentencing
Following his arrest, Fitzpatrick faced multiple federal charges, including:
- Conspiracy to traffic stolen personally identifiable information in violation of 18 U.S.C. § 1029.
- Fraudulent solicitation of personally identifiable information.
- Possession of child sexual abuse material (CASM), involving over 600 explicit images and videos of minors.
Fitzpatrick pleaded guilty to all charges and was released on bond, subject to strict conditions. However, he repeatedly violated these conditions by using unauthorized devices, accessing the internet through a virtual private network (VPN), and participating in chatrooms where he joked about selling government secrets.
At sentencing, the district court recognized Fitzpatrick’s crimes but expressed concern over his autism spectrum disorder and young age. The court sentenced him to 17 days of time served and 20 years of supervised release. It justified the lenient sentence by citing the Bureau of Prisons’ alleged inability to provide adequate treatment for Fitzpatrick’s condition and the likelihood of his victimization in prison.
The Government’s Appeal and Appellate Ruling
The U.S. government appealed the sentence, arguing it was excessively lenient and failed to meet federal sentencing guidelines, recommending 188 to 235 months in prison. Prosecutors highlighted the gravity of Fitzpatrick’s offenses, the need to deter cybercrime, and the failure of supervised release to address his pattern of violations.
“A 17-day sentence for the commission of three serious felonies signals to would-be criminals that they might get one free pass before facing any serious penalties.”
Joseph Attias, the Assistant U.S. Attorney
On January 21, 2025, the Fourth Circuit Court of Appeals vacated the sentence, deeming it substantively unreasonable. The court criticized the district court’s heavy reliance on Fitzpatrick’s characteristics while overlooking the seriousness of his crimes, the need for deterrence, and public protection. The appellate court remanded the case for resentencing, indicating that a harsher punishment was warranted.
What Comes Next?
As the case returns to the district court, Fitzpatrick faces the possibility of a significantly longer prison term. The appellate ruling suggests that mitigating factors such as autism and youth cannot overshadow the severity of his crimes or the risks posed to public safety. Legal experts predict a sentence more aligned with federal guidelines, likely spanning several years in prison.
The resentencing of Conor Fitzpatrick will not only determine his future but may also set a precedent for how courts balance individual circumstances with the need to address grave cybercrimes. Nevertheless, the case shows the importance of enforcing strict legal penalties to protect online systems from misuse and exploitation.
Stay tuned as this story develops.
RELATED TOPICS
- GTA 6 Hacker from Lapsus$ Gang Sentenced to Hospital
- Mastermind of 2020’s top celebrity Twitter hack Jailed to 3 years
- Dispute moderator for Alphabay market jailed to 11 years in prison
- US Man Sentenced to 21 Years for Dark Web Distribution of CSAM
- iSpoof Fraud Website’s Mastermind Sentenced to 13 Years in the UK
