On Friday 9 June 2023 I had the opportunity to speak at the HackInBo Business event, one of the most important cyber security conferences in Italy. In my talk I covered the history of RaidForums, BreachForums and ExposedForums and of the Genesis and Solomon marketplaces, recounting the seizures and the arrests of the founders of the various projects. I also focused on the activities of pompompurin, administrator of BreachForums, which revealed a lack of proper OPSEC.
I am happy to make the slides of the talk available to you.
3. Diogo Santos Coelho
▪ Name: Diogo
▪ Surname: Santos Coelho
▪ AKA: Omnipotent
▪ Date of birth: February 22, 2000
▪ Nationality: Portugal
▪ Arrested on: January 31, 2022
Details about indictment against Diogo Santos Coelho are available here https://www.justice.gov/usao-edva/press-release/file/1493606/download
4. From RaidForums to BreachForums
▪ Name: BreachForums
▪ Launched in: March 4, 2022
▪ Closed on: March 21, 2023
▪ Users: 336,800 at time of shutdown
▪ Founder: "pompompurin"
▪ Number of dbs published: 879 (*)
(*) https://justpaste.it/bc3dv
[Timeline graphic: 2015, 2020-2021, 08/2021, 03/2022, 04/2022, 05/2022, 01/2023, 03/2023, 05/2023]
5. pompompurin – the beginning
▪ First observed in the underground in December 2020 on RaidForums
▪ Was a prolific access broker and data seller on RaidForums
▪ In March 2021, he told Krebs on Security that he had obtained the transaction database of WeLeakInfo
▪ In November 2021 he found an error in the FBI's Law Enforcement Enterprise Portal that allowed spoofed emails to be sent from the FBI's domain
▪ Some days later pompompurin claimed credit for an attack against the financial services company Robinhood Markets Inc.
These actions caused pompompurin's reputation to grow exponentially!
6. pompompurin – enemies
SPOILER: This is the first step in the acquisition of enemies for pompompurin
7. The birth of BreachForums
SPOILER: This is the second step in the acquisition of enemies for pompompurin
How the forum started: pompompurin tagged the FBI in the tweet announcing the forum.
All tweets from pompompurin's Twitter account "@xml" are archived and searchable here:
https://intelx.io/?did=8630eb0d-be98-4ec5-902a-f1e107baeccc
8. pompompurin – enemies
SPOILER: This is the third step in the acquisition of enemies for pompompurin
Messages by Peter Kleissner – Intelligence X
9. What is found on these forums?
According to the affidavit(*), page 5:
Since its inception, the FBI's review of the BreachForums website indicates that, as with RaidForums, it operates a "Marketplace" section that is dedicated to the buying and selling of hacked or stolen data, tools for committing cybercrime, and other illicit material, including a "Leaks Market" subsection. Some of the items that are commonly sold on BreachForums include bank account information, social security numbers and other PII, and account login information for compromised online accounts, such as usernames and passwords to access accounts with service providers and merchants.
(*) An affidavit is typically defined as a written declaration or statement that is sworn or affirmed before a person who has authority to administer an oath.
10. BreachForums – the second admin
The second BreachForums administrator is first mentioned by pompompurin in an
interview with the dataknight.org blog. The interview is visible at the link
https://web.archive.org/web/20220317205735/https://dataknight.org/exclusive-interview-with-pompompurin/
11. pompompurin – OPSEC #FAIL!
pompompurin made several mistakes during his activities (based on the affidavit):
▪ he logged into his RaidForums account from his real Verizon IP address
▪ during a communication with Omnipotent, administrator of RaidForums, he revealed his old email account (conorfitzpatrick02@gmail.com)
▪ pompompurin set funmc59tm@gmail.com as the recovery email address for his new account conorfitzpatrick2002@gmail.com. Subscriber (Google) records for this account reveal that the account was registered under the name "a a," and created on or about December 28, 2018 from the IP address 74.101.151.4. Records received from Verizon, in turn, revealed that IP address 74.101.151.4 was registered to a customer with the last name FITZPATRICK
12. pompompurin – OPSEC #FAIL!
▪ he logged into many real personal accounts and breached accounts from the same IP, multiple times. He used his personal Gmail addresses conorfitzpatrick02@gmail.com and conorfitzpatrick2002@gmail.com in a variety of activities that are connected to his pompompurin persona
▪ he used the same IP to log into the pompompurin RaidForums account and his Purse.io cryptocurrency account
▪ records obtained from the SQL database of forum activity on BreachForums revealed that the pompompurin account on BreachForums was accessed from IP address 69.115.201.194 on or about June 27, 2022. Records received from Optimum Online, an ISP, revealed that this IP address was registered under the name of FITZPATRICK's apparent father
13. pompompurin – OPSEC #FAIL!
▪ records received from Apple Inc. concerning an iCloud account associated with FITZPATRICK reveal that the account was accessed approximately 97 times from IP address 69.115.201.194 between on or about May 19, 2022 and on or about June 2, 2022, from an iPhone mobile device
▪ The FBI's examination of the pompompurin account's posting activity on RaidForums and BreachForums further suggests that they've been controlled by a common user. For instance, in a post titled "Welcome & FAQ Thread" on BreachForums on or about March 16, 2022, pompompurin posted, "I've created this forum as an alternative to RaidForums since it was seized…If you used RaidForums you most likely remember me, I was one of the more active users on there."
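The findings on the three OPSEC slides above all rest on one investigative technique: the same source IP address showing up in the login records of services that should have nothing in common (a forum persona, a personal mailbox, a cryptocurrency account, an iCloud account). The following is an added example, not from the talk or the affidavit, of how an analyst can run that cross-service correlation over a set of login records. Every record, account name and IP address here is constructed (the IPs are from the RFC 5737 documentation ranges); the `min_services` threshold is an assumption introduced to suppress the weak case of two forum users who merely share a VPN exit.

```python
"""
Cross-service source-IP correlation (added example; constructed data only).
Given login records from several services, report IPs that tie a persona
account to accounts on other, unrelated services.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LoginRecord:
    service: str        # service that recorded the login (labels are constructed)
    account: str        # account identifier as seen by that service
    src_ip: str         # source IP recorded for the login
    seen_at: datetime


# Constructed sample data: a persona account and real-identity accounts that
# happen to share one residential IP (192.0.2.10), plus a shared VPN exit
# (198.51.100.7) that is NOT evidence of a common user, and unrelated noise.
SAMPLE_RECORDS = [
    LoginRecord("forum", "persona_x", "192.0.2.10", datetime(2022, 6, 27, 21, 5)),
    LoginRecord("webmail", "realname@example.com", "192.0.2.10", datetime(2022, 6, 27, 9, 12)),
    LoginRecord("wallet", "realname-wallet", "192.0.2.10", datetime(2022, 6, 28, 18, 40)),
    LoginRecord("forum", "persona_x", "198.51.100.7", datetime(2022, 5, 1, 2, 0)),
    LoginRecord("forum", "other_user", "198.51.100.7", datetime(2022, 5, 1, 3, 0)),
    LoginRecord("forum", "other_user", "203.0.113.5", datetime(2022, 5, 2, 3, 0)),
]


def index_by_ip(records):
    """Map each source IP to the set of (service, account) pairs that used it."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r.src_ip].add((r.service, r.account))
    return by_ip


def linked_identities(records, persona, min_services=2):
    """Return {ip: [(service, account), ...]} for IPs linking `persona` to
    other accounts.

    An IP shared only within a single service (two forum users behind the
    same VPN exit) is weak evidence, so by default an IP must have been used
    by accounts on at least `min_services` distinct services to be reported.
    """
    by_ip = index_by_ip(records)
    links = {}
    for ip, pairs in by_ip.items():
        if not any(acct == persona for _, acct in pairs):
            continue  # the persona never used this IP
        services = {svc for svc, _ in pairs}
        others = sorted(p for p in pairs if p[1] != persona)
        if others and len(services) >= min_services:
            links[ip] = others
    return links


if __name__ == "__main__":
    for ip, accounts in linked_identities(SAMPLE_RECORDS, "persona_x").items():
        print(f"{ip} links persona_x to: {accounts}")
```

With the sample data, only 192.0.2.10 is reported: it carries the persona, a webmail account and a wallet account. The shared VPN exit 198.51.100.7 is dropped at the default threshold and only surfaces with `min_services=1`, which is the kind of false lead an analyst has to rule out before treating an IP overlap as attribution.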
14. Brian Conor Fitzpatrick
▪ Name: Brian Conor
▪ Surname: Fitzpatrick
▪ Date of birth: September 26, 2002
▪ AKA: pompompurin
▪ Nationality: USA
▪ Arrested on: March 15, 2023
Other details about Brian Conor Fitzpatrick are available here https://doxbin.org/upload/pompompurin
21. BreachForums – post seizure
The second admin of BreachForums, "Baphomet", initially claimed he would move the forum to a new server, then decided to shut it down. According to him, "someone logged in" to the CDN server.
22. Exposed.vc – the next one?
▪ Name: ExposedForums
▪ Launched in: 2023
▪ Seized on: xxxx xx, xxxx
▪ Users: 4,904 as of June 5, 2023
▪ Founder: xxxx xxxx aka "Impotent"
▪ Number of GOD users: 182 as of June 5, 2023 ($ 9100)
23. xxxx xxxx
▪ Name: n.a.
▪ Surname: n.a.
▪ AKA: Impotent
▪ Date of birth: n.a.
▪ Nationality: n.a.
▪ Arrested on: n.a.
24. Another story – Genesis Market
▪ Info stealer marketplace
▪ Access via invite only
▪ Seized on April 4, 2023
25. From Genesis to Solomon
All the links to the presented forums and marketplaces can be found within the deepdarkCTI project, available here:
https://github.com/fastfire/deepdarkCTI
26. Contact us
www.wuerth-phoenix.com/en/contact-us
info@wuerth-phoenix.com