One of the most significant events in the underground this year is the arrest of the alleged administrator of the BreachForums aka Breached cybercrime forum. On March 15, 2023, FBI agents arrested 20-year-old Conor Brian Fitzpatrick of Peekskill, New York, at his house. According to an FBI affidavit, Fitzpatrick admitted at the time of his arrest to being the person behind the handle pompompurin, who was the founder and administrator of Breached. After Fitzpatrick’s arrest, another administrator of Breached, the actor Baphomet, stepped in to continue running the forum. However, Baphomet soon abandoned these plans due to concerns that law enforcement may have access to the site via devices they seized during Fitzpatrick’s arrest. In this post, we’ll examine the actor pompompurin, explore possibilities about where cybercriminal activity may shift in the absence of Breached and what this means for organizations affected by data breaches.
Stolen Data Marketplace
Breached was one of the most popular English-language cybercriminal forums. It facilitated a prolific trade in stolen data. As of January 2023, the site hosted 879 datasets with 14 billion records, according to U.S. law enforcement. The forum had specific channels for certain types of information, including “combo” lists, which contain email addresses and passwords for accounts; game leaks; information-stealer malware logs; “doxes” or dossiers of personal information; and cracked accounts. Sellers offered bank account details, U.S. Social Security numbers (SSNs) and personally identifiable information (PII). It also had a marketplace section, where users could solicit or offer services. Users could buy stolen data with credits, which cost US $0.25 each as of October 2022, and credits were sold in bundles of 30, 60, 120, 240 and 500, according to an FBI affidavit. Alternatively, credits could be earned by contributing data leaks to the site. There were also non-criminal channels on Breached for discussions about current news, music, programming and interests such as anime and manga.
Although there was a .onion hidden service site for Breached, the forum was accessible on the clear web. Some cybercriminal forums closely vet who is allowed to create an account, sometimes requiring either a referral from someone in the community or a deposit. Breached, however, was open: anyone could make an account. It attracted a huge user base, placing Breached at the nexus of streams of criminal activity on the internet.
pompompurin was first observed in the underground in December 2020 on Raid Forums, an underground forum that preceded Breached. Raid Forums had a user base of about 550,000 members, with about 20,000 being active on any given day. The forum operated a marketplace, trading in various criminal commodities and providing escrow services to its members. Raid Forums didn’t require registration to view its content, but a free registration was required to participate in discussions and conclude deals in the marketplace. Given the low entry threshold, many of the forum members were non-sophisticated actors; however, a number of reputable actors also operated there.
pompompurin was a prolific access broker and data seller on Raid Forums and claimed to have conducted the intrusions alone. The actor consistently offered access to leaked databases originating from high-profile organizations worldwide. In March 2021, pompompurin told Krebs on Security that he obtained a transaction database for WeLeakInfo, a data leak site shut down by law enforcement, after the FBI allowed one of its domains to expire. pompompurin registered the domain and then reset the password for a Stripe account, allowing for the download of Stripe transactions that belonged to WeLeakInfo.
The actor’s reputation grew in November 2021 after pompompurin spotted an error in the FBI’s Law Enforcement Enterprise Portal that allowed the actor to send spoofed emails from the FBI’s domain. Shortly after the FBI email incident, pompompurin claimed credit for an attack against the U.S.-based financial services company Robinhood Markets Inc. Robinhood later confirmed the actor behind the breach used social engineering to gain access to customer support systems. Bleeping Computer reported pompompurin said they tricked an employee into installing remote access software. The threat actor eventually extracted 5 million email addresses, 2 million names and other data, such as phone numbers.
On Feb. 25, 2022, Raid Forums went offline and later came back online. In March 2022 it was reported, though not officially confirmed, that law enforcement had control of the site. It turned out that law enforcement in a European country had indeed taken control of Raid Forums’ back-end infrastructure. Then on April 12, 2022, the U.S. Department of Justice announced it had seized three domains associated with Raid. The U.S. charged Diogo Santos Coelho of Portugal – who allegedly went by the handle omnipotent – with running Raid Forums since its inception in 2015. The Justice Department said Raid Forums hosted hundreds of databases of stolen data containing more than 10 billion unique records for people around the world.
pompompurin received acclaim due to his activity on Raid Forums in part by giving away stolen data sets. That improved the actor’s standing and credibility. Given the wide-ranging data sets the person was able to acquire as well as the FBI email and Robinhood attacks, we assessed the actor had a high degree of technical skill. The end of Raid Forums meant the effort pompompurin had put into building a reputation there would have been for naught. As law enforcement closed in on Raid Forums, pompompurin established a new underground forum called “Breached,” which used the breached[.]co domain.
Breached Forum Launches
Breached used the same open-source MyBB forum software as Raid Forums, and its format was similar. It first used Cloudflare’s content delivery network (CDN) for resiliency and for protection against distributed denial-of-service (DDoS) attacks, eventually moving to DDoS-Guard. pompompurin’s established reputation in the underground community meant that other threat actors looking for the next Raid-style forum established accounts, and the site rapidly grew. A screenshot captured March 18, 2023, by the Internet Archive’s Wayback Machine of the forum’s main page showed 336,737 users. Although Raid Forums had more than 500,000 users when it was taken offline, Breached had gained its large user base in around a year. As an administrator, pompompurin maintained a central role. pompompurin often analyzed and vetted data sets before release on the forum and obtained additional evidence from other threat actors to prove the content was reliable. There was no charge for this service, and in return it allowed pompompurin to gain insights into data breaches and leaks.
Signs of trouble appeared on March 16, 2023. A TV station, News 12 Westchester, broadcast a short piece about a raid that occurred at 531 Union Ave. in Peekskill, New York, an address later confirmed to be Fitzpatrick’s residence.
On Breached, the actor Baphomet wrote a public message signed with the actor’s Pretty Good Privacy (PGP) key. Baphomet wrote that pompompurin had been inactive for nearly 24 hours on Breached, Telegram and Element without a reason, and that they would be taking control of the forum. The post linked to a Bloomberg story about Fitzpatrick’s arrest. Baphomet maintained they had no concern about law enforcement at that time and that “OPSEC (operational security) has been my focus from day one, and thankfully I don’t think any mountain lions will be attacking me in my little fishing boat.” Baphomet wrote that pompompurin's administrative access to Breached’s infrastructure had been removed, although pompompurin’s account could still log in to the forum.
Even though Baphomet expressed confidence and indicated the forum would stay online, worries abounded in posts and conversations on Breached that law enforcement had perhaps infiltrated the forum now, which would pose greater risks for registered users. The threat actor katy, the actor Baphomet and other board members exchanged messages about pompompurin’s arrest on the Breached forum’s “ShoutBox” communications channel. One such conversation revealed:
Baphomet: Everything was already done before the news came out
Baphomet: Pom has almost never been offline 24 hours across everything
Baphomet: And we had stuff we were working on
Baphomet: So why he wouldn't give me any sort of heads up
katy: so you estimate 24 hrs since time of arrest baph?
katy: any access log of anybody accessing server apart from you?
Baphomet: Not from what I've seen.
Baphomet: They haven't even tried to access the admin panel url
Baphomet and Breached staff members such as Dedale announced the Breached forum would be unavailable for maintenance and security purposes, and it became inaccessible March 19, 2023. A day later, Baphomet posted a link on the Breached Telegram group to an update with a PGP-signed message. The actor claimed a migration of the Breached forum infrastructure was underway, but was delayed due to technical issues:
Hello again everyone.
Just wanted to provide the smallest of updates.
I'm alive, and the migration is ongoing. Things broke as I expected, but that's what happens when you have to move things this quickly, especially things that don't like to be reconfigured this quickly. Keep in mind that during the migration I have to take extra consideration to not accidentally reveal any part of our new infrastructure without something or someone scanning the internet 24/7 discovering the true hosts of our infra by chance.
Again, any updates that come from me will be from my domain, my telegram, and my PGP key.
I know the community is wanting things to move much faster than they are, but taking the easy route will only put us in a bad spot. I'd rather make sure everything is correctly done. Thank you for your patience.
- - Baphomet
Finally, on March 21, 2023, Baphomet posted to the Telegram channels associated with the forum the decision to completely shut down Breached due to members' safety concerns. Baphomet stated pompompurin's computer was likely under the control of law enforcement, implying that further use of the Breached forum servers could put the forum's community in danger. Baphomet wrote that after Fitzpatrick’s arrest someone logged in to an old CDN server, which was a likely sign that law enforcement had control of parts of the site. Baphomet wrote that “I'm going to continue conversations with some of the competitor forum admins and various service operators who reached out to me over the past few days. I'm hoping to work with some of those people to build a new community that will have the best features of Breached, while reducing the attack surfaces we never properly addressed.”
Assessment and Outlook
The demise of Breached has caused threat actors to scatter and look for alternatives. Whether a replacement that aims to emulate the culture and feel of Breached will come online remains to be seen. It’s possible another threat actor will launch a forum that intends to capture the Breached audience, as it can be lucrative. Fitzpatrick allegedly told investigators he made US $1,000 per day running Breached. There’s also underground notoriety that comes with such a prominent role. It’s a risk/reward tradeoff that may be appealing.
In the meantime, former Breached users may shift to forums where they have existing accounts or to messaging services such as Telegram, which as we’ve written before has seen increased cybercriminal activity. Some threat actors who frequented Breached were highly skilled, such as pompompurin, but many were not. Breached forum’s remit tended to be in the account cracking and data leak spheres, so more skilled actors likely already have accounts on other underground forums. However, those forums often restrict new registrations and do not necessarily want an influx of users.
Starting up a new forum would be risky, as cybercrime forums are constantly in the sights of law enforcement. When Raid Forums was taken over, law enforcement took control of a structured query language (SQL) database that contained the IP address logs of those who authenticated to the site. The FBI linked nine IP addresses used by pompompurin to log in to Raid to mobile devices that were registered to a Verizon phone number belonging to Fitzpatrick. Further, law enforcement claims they found private messages between omnipotent, who was Raid’s administrator, and pompompurin, in which the latter revealed the personal email address conorfitzpatrick02@gmail[.]com. Investigators also allege they found an IP address in Raid Forums’ SQL logs that traced to an internet service provider (ISP) account registered to Fitzpatrick’s father. If investigators are correct, pompompurin’s lack of OPSEC may have contributed to the recent arrest.
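The investigative correlation described above, reduced to code as an added example (not from the original post or any agency): login rows from a seized forum authentication table are joined to subscriber records to see which handles share source IPs with known accounts. All rows, handles, IPs and subscriber names below are constructed.

```python
"""Correlate forum authentication logs with subscriber records.

Added illustration of the analysis described in the text; every
value here is constructed and maps to no real person or service.
"""
from collections import defaultdict

# Constructed auth-log rows in the shape (handle, source_ip, login_time),
# the columns one would expect in a forum's SQL login table.
AUTH_LOG = [
    ("user_a", "198.51.100.7", "2021-11-02T03:14:00"),
    ("user_a", "198.51.100.7", "2021-11-05T22:41:00"),
    ("user_a", "203.0.113.42", "2021-12-01T19:02:00"),
    ("user_b", "192.0.2.99", "2021-11-03T10:00:00"),
    ("user_b", "192.0.2.99", "2021-11-09T10:30:00"),
    ("user_c", "203.0.113.42", "2022-01-15T08:00:00"),
]

# Constructed subscriber records, as a carrier or ISP might return for a
# legal request: source_ip -> (subscriber label, provider type).
SUBSCRIBERS = {
    "198.51.100.7": ("subscriber-1", "mobile-carrier"),
    "203.0.113.42": ("subscriber-2", "residential-isp"),
}


def ips_per_handle(rows):
    """Return {handle: set of distinct source IPs} from auth-log rows."""
    seen = defaultdict(set)
    for handle, ip, _login_time in rows:
        seen[handle].add(ip)
    return dict(seen)


def attribute_handles(rows, subscribers):
    """Map each handle to the subscribers behind its login IPs.

    Returns {handle: {subscriber: [ip, ...]}}. IPs with no subscriber
    record are dropped, so only corroborated links are reported; a
    handle whose IPs are all unattributed does not appear at all.
    """
    result = {}
    for handle, ips in ips_per_handle(rows).items():
        links = defaultdict(list)
        for ip in sorted(ips):
            if ip in subscribers:
                links[subscribers[ip][0]].append(ip)
        if links:
            result[handle] = dict(links)
    return result
```

In the constructed data, user_a resolves to two subscribers (a mobile line and a residential account) and user_c shares the residential IP, which is the kind of overlap that turns a handle into a lead.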
What does the demise of Breached mean for companies and organizations targeted by threat actors? Breached held a notable spot in the cyber underground due to its large user base and relative openness. No one welcomes a data breach, but data turning up on Breached with a claim of responsibility generally meant that an organization was dealing with a financially motivated threat actor rather than a state-oriented one. That also lent visibility: forum posts and threat actor handles can be collected and analyzed to give context to an incident and perhaps how it took place.
The shutdown of Breached is a law enforcement win, but the resilience of the underground ecosystem as a whole remains mostly unaffected. Criminal demand for illicit goods continues to rise, and with that there will be a continued demand for online places to sell those goods. We’ll continue to watch this space closely.