In a significant legal outcome for the cybersecurity landscape, Conor Fitzpatrick, the founder of the notorious BreachForums underground hacking site, has been resentenced to three years in federal prison after appeals overturned his previous lenient sentence.
Fitzpatrick, who operated under the alias Pompompurin, was originally arrested in March 2023 for running the forum and faced multiple charges: access device conspiracy, access device solicitation, and possession of child sexual abuse material (CSAM). He pleaded guilty to all counts in January 2024 and was initially handed 17 days in jail and 20 years of supervised release, a punishment prosecutors sharply criticized as dramatically insufficient given the gravity of his crimes.
Appeals and resentencing
The U.S. Court of Appeals for the Fourth Circuit agreed with prosecutors, declaring the original sentence “substantively unreasonable” for failing to serve proper sentencing purposes. This led to Fitzpatrick’s resentencing and a harsher three-year prison term.
BreachForums, which emerged in March 2022 as a successor to the dismantled RaidForums, became one of the most active online marketplaces for stolen data and compromised credentials. At its peak, it hosted more than 14 billion individual records and counted 330,000 members among its user base. U.S. authorities emphasized that Fitzpatrick “personally profited from the sale of vast quantities of stolen information,” ranging from private personal details to sensitive commercial data.
Despite repeated law enforcement takedown attempts, BreachForums managed to resurface multiple times, illustrating the resilience of such underground communities. The arrest of Baphomet, the admin who took over after Fitzpatrick was detained, did little to slow the forum; it slipped into the hands of ShinyHunters, a cybercriminal group linked to several high-profile data breaches.
As of mid-September 2025, BreachForums is offline, with its maintainers announcing a decision to “go dark”—a phrase that suggests not just temporary shutdown, but a possible strategic retreat rather than a permanent closure. This mirrors the recent moves of other infamous cybercrime collectives like Lapsus$ and Scattered Spider, who have also vanished from the digital underground, at least for now.
Context and implications
The case of Conor Fitzpatrick and BreachForums highlights the challenges of prosecuting transnational cybercrime and the difficulties law enforcement faces in permanently dismantling underground hacking forums. Despite impressive numbers—14 billion records, hundreds of thousands of members—the legal outcome for operators is often uncertain, with initial sentences sometimes appearing disproportionately light compared to the scale of the harm caused.
The resentencing of Fitzpatrick marks a tightening stance by the U.S. Department of Justice, signaling that courts are now more willing to impose harsher penalties on those who profit from stolen data and operate platforms that enable large-scale cybercrime. Yet, even as high-profile forums like BreachForums disappear, the enduring cycle of takedown, migration, and reemergence of similar platforms suggests that the broader threat will persist as long as demand for stolen data remains high.