This one gets a bit murky in places because a significant portion of the case file is currently redacted and makes referrence to a parallel and ongoing investigation. If I had to venture a guess I would say that this second investigation is likely in regards to a fellow who goes by the moniker Baphomet, as he was co-founder of BreachForums and has vowed to pick up the torch in a signed message to the community. Another curious detail is that in this case the accused, Conor Fitzpatrick, admitted guilt when authorities raided his New York home. Fitzpatrick created BreachForums in order to fill the void left when the law seized and shuttered RaidForums, a similar exploit-based marketplace. Fitzpatrick says he started his own forum after he was approached by individuals who thought he would be competent enough to do so. If I’m allowed to put on my tinfoil hat for a moment I might suspect that our man Conor was set up by law enforcement. He was an active contributor to RaidForums, and would have made a logical next target for law enforcement.

Alleged Offense

Conspiracy to commit access device fraud.

Overview

The first piece of meaningful evidence mentioned in the criminal complaint comes from when the FBI reviewed RaidForums logs. The logs showed a list of IPs that had been used to log in to the account “pompompurin,” and alias that was an active member of RaidForums as well as the founder of BreachForums. The FBI goes on to state that, according to records received from a redacted source, at least nine of the listed IPs we’re associated with a mobiled device registered to Conor Fitzpatrick. It’s not clear what records are being cross-referenced here, but the point is…

Further evidence that Fitzpatrick is pompompurin was found on RaidForum’s seized server in the form of a conversation between pompompurin and site-runner Omnipotent. In the conversation pompompurin mentions that a database that he had bought access to appeared to be incomplete. He pointed out that there was a missing entry for “conorfitzpatrick” as well as a missing entry for a redacted email that, according to the complaint, contains Fitzpatrick’s name.

Perhaps most baffling of all, Fitzpatrick waived his right to remain silent when agents eventually raided his house. According to the criminal complaint he admitted to being pompompurin. It’s not clear why he thought spilling his guts like this was a good idea, but it almost certainly wasn’t.

tl;dr

The GOOD: Fitzpatrick seemed to be fairly competent within a certain niche. He was an active contributor to RaidForums before his brief venture into running his own service.

The BAD: Sloppy OpSec. Don’t use your cell phone to do adult computing.

The UGLY: Admitting guilt without any sort of deal. Fitzpatrick should have at least talked to a lawyer and worked out some kind of deal before making LE’s job so much easier. Don’t be like Fitzpatrick.