A New York man has been resentenced to three years in prison for his creation and operation of BreachForums, a marketplace for cybercriminals to buy, sell, and trade hacked or stolen data and other contraband, and for possessing child sexual abuse material (CSAM).
“Following the dismantlement of RaidForums by law enforcement, the defendant set up and administered BreachForums, an online bazaar where criminals could purchase sensitive data,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.
Conor Brian Fitzpatrick, 22, of Peekskill, New York, pleaded guilty to one count of access device conspiracy, one count of access device solicitation, and one count of possession of child sexual abuse material.
As part of the plea agreement, Fitzpatrick also agreed to forfeit over 100 domain names used in the operation of BreachForums, more than a dozen electronic devices used to execute the scheme, and cryptocurrency that represented proceeds of the scheme.
Fitzpatrick’s resentencing came after the U.S. Court of Appeals for the Fourth Circuit issued an opinion on January 21, 2025, vacating Fitzpatrick’s prior sentence of time served (17 days) and remanding the case for resentencing.
According to court documents, BreachForums, launched in March 2022, rapidly developed into one of the world’s largest English-language hacking forums with over 330,000 members. BreachForums emerged as a replacement for RaidForums, a then-major English-language hacking forum that law enforcement seized in February 2022.
As with RaidForums, BreachForums gained notoriety by selling access to high-profile database breaches that contained, among other things, bank account information, social security numbers and other personal identifying information (PII), and usernames and associated passwords for accessing online accounts with merchants and service providers.
BreachForums also maintained and offered access to at least 888 datasets of stolen information containing over 14 billion individual records of PII. Some of the stolen datasets contained sensitive information of customers at telecommunication, social media, investment, health care services, and internet service providers.
For instance, one database contained the names and contact information for approximately 200 million users of a major U.S.-based social networking site.
Another database listed the details of approximately 87,760 members of InfraGard, a partnership between the FBI and private sector companies focused on the protection of critical infrastructure.