Founder of One of World’s Largest Hacker Forums Resentenced to Three Years in Prison

Earlier today, a New York man was resentenced to three years in prison for his creation and operation of BreachForums, a marketplace for cybercriminals to buy, sell, and trade hacked or stolen data and other contraband, and for possessing child sexual abuse material (CSAM).

“Following the dismantlement of RaidForums by law enforcement, the defendant set up and administered BreachForums, an online bazaar where criminals could purchase sensitive data,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division. “Today’s sentence demonstrates the Justice Department’s unwavering commitment to bringing to justice those who seek to sell stolen data to the highest bidder. To those seeking to operate a similar forum, take note: we will tirelessly investigate those who commit these crimes.”

“Conor Fitzpatrick personally profited from the sale of vast quantities of stolen information, ranging from private personal information to commercial data,” said U.S. Attorney Erik S. Siebert for the Eastern District of Virginia. “These crimes were so extensive that the damage is difficult to quantify, and the human cost of his collection of child sexual abuse material is incalculable. We will not allow criminals to hide in the darkest corners of the internet and will use all legal means to bring them to justice.”

“The FBI is working tirelessly to dismantle criminal marketplaces like BreachForums, and we are pursuing the full range of actors who run these platforms,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division. “Today’s sentencing demonstrates that anyone who helps others profit from theft, fraud, and other cybercrimes is not out of reach.”

Conor Brian Fitzpatrick, 22, of Peekskill, New York, pleaded guilty to one count of access device conspiracy, one count of access device solicitation, and one count of possession of child sexual abuse material. As part of the plea agreement, Fitzpatrick also agreed to forfeit over 100 domain names used in the operation of BreachForums, more than a dozen electronic devices used to execute the scheme, and cryptocurrency that represented proceeds of the scheme. 

Fitzpatrick’s resentencing came after the U.S. Court of Appeals for the Fourth Circuit issued an opinion on Jan. 21, 2025, vacating Fitzpatrick’s prior sentence of time served (17 days) and remanded the case for resentencing.

According to court documents, BreachForums, launched in March 2022, rapidly developed into one of the world’s largest English language hacking forums with over 330,000 members. BreachForums emerged as a replacement to RaidForums, a then major English-language hacking forum that law enforcement seized in February 2022. As with RaidForums, BreachForums gained notoriety by selling access to high-profile database breaches that contained, among other things, bank account information, social security numbers and other personal identifying information (PII), and usernames and associated passwords for accessing online accounts with merchants and service providers. BreachForums also maintained and offered access to at least 888 datasets of stolen information containing over 14 billion individual records of PII. Some of the stolen datasets contained sensitive information of customers at telecommunication, social media, investment, health care services, and internet service providers. For instance, one database contained the names and contact information for approximately 200 million users of a major U.S.-based social networking site. Another database listed the details of approximately 87,760 members of InfraGard, a partnership between the FBI and private sector companies focused on the protection of critical infrastructure.

The FBI’s Washington Field Office investigated the case.

Trial Attorney Thomas Dougherty of the Justice Department’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Lauren Halper for the Eastern District of Virginia prosecuted the case.

CCIPS investigates and prosecutes cybercrime in coordination with domestic and international law enforcement agencies, often with assistance from the private sector. Since 2020, CCIPS has secured the conviction of over 180 cybercriminals, and court orders for the return of over $350 million in victim funds. 

This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by U.S. Attorney’s Offices and the Child Exploitation and Obscenity Section (CEOS), Project Safe Childhood marshals federal, state, and local resources to better locate, apprehend, and prosecute individuals who exploit children via the internet, as well as to identify and rescue victims. For more information about Project Safe Childhood, please visit www.justice.gov/psc.