Breached and its future

March 23, 2023    Article

Again, the Breached forum will not be coming back. If it’s back for any reason, you need to assume that is an attempt to target our users and is not safe. I will not suddenly come back online and tell everyone I was just kidding and we will be bringing back the forum, so please use your best logic here. -- Baphomet

TLDR: Stay away from the Breached infrastructure.

In case you didn’t already know, one of the Breached forum’s administrators, Pompompurin, got arrested on cybercrime charges in the land of the free. The other admin, Baphomet, posted several updates on his website regarding the future of the Breached forum.

You might want to verify the message signature, and for that you will need GPG. Start by saving Baph’s public key somewhere and importing it.

$ gpg --import pgp.txt

Save Baph’s safety update (as of today) somewhere and verify the signature on it.

$ gpg --verify safe.txt.asc
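As an added example (not part of the original post), here is how I would script that check so it pins the expected key fingerprint instead of trusting a bare `gpg --verify` exit status, which only means that some key in your keyring produced a good signature. `EXPECTED_FPR` is a placeholder; take the real value from pgp.txt and compare it against a source other than the message itself.

```shell
#!/bin/sh
# Added example, not from the original post. Pin the signer's fingerprint
# instead of trusting the exit status of `gpg --verify`, which only means
# that *some* key in your keyring produced a good signature.

# Placeholder: replace with the fingerprint shown by `gpg --show-keys pgp.txt`,
# after checking it against an out-of-band source.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# status_ok STATUS_TEXT EXPECTED_FPR
# Parses `gpg --status-fd` output and succeeds only if a VALIDSIG line is
# present whose signing-key fingerprint (field 3) or primary-key
# fingerprint (field 12) equals EXPECTED_FPR. GOODSIG alone is not enough:
# it is emitted for any key that happens to be in the keyring.
status_ok() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { hit = 1 }
    END { if (hit) exit 0; exit 1 }'
}

# verify_signed FILE
# Runs gpg on the clearsigned update (safe.txt.asc) with machine-readable
# status lines on stdout and feeds them to status_ok. The human-readable
# output goes to stderr and is discarded.
verify_signed() {
  status_ok "$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null)" "$EXPECTED_FPR"
}

# Usage, following the post: gpg --import pgp.txt, then
# verify_signed safe.txt.asc && echo "signed by the pinned key" || echo "DO NOT TRUST"
```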

If you’re a so-called “security researcher” or “journalist” and you’re unfamiliar with GPG and/or with opening basic text files that don’t end in .txt (as most of you assholes are), here are the contents of the update.

Hello everyone.

Let me first apologize for the abruptness of my announcements, as well as the lateness of this one. I'm trying to be very cautious about how active I am, and I'd prefer not to get DPR'd based on my activity atm.

First you can join the new announcement channel here:
https://t.me/OfficialBaphomet

In the next day or so an actual group will be made for people to communicate. Right now I'm trying to let the news cycle calm down a bit as it's only causing more chaos the more I respond to anything. I am working with specific people to provide a more secure and constant way to communicate with me outside of Telegram. As it stands I opened Telegram to an additional 700 messages, and there are just far too many people to respond to.

At the moment feds and researchers are poring over every single packet that has gone across the internet attempting to find our infrastructure, as well as information about myself. Some things like the Wiki were left up because the infrastructure touches nothing and only wastes the time of those trying to understand everything going on in the background. There may still be infrastructure that only Pom had access to that I'm unable to access, but that shouldn't be anything *critical* to our users' safety. Things like f.sb and a.sc are completely out of my control so do not bother using them. Again, the Breached forum will not be coming back. If it's back for any reason, you need to assume that is an attempt to target our users and is not safe. I will not suddenly come back online and tell everyone I was just kidding and we will be bringing back the forum, so please use your best logic here.

For the time being, I'm going to be more cautious about the updates I push out as each one only enters into the flurry of people who want to speculate and twist the things I'm saying. From now on there is a hard 48 hour limit where if I have not provided an update, specifically one that is PGP signed, then assume the worst has happened. From now into the future, my current local setup will not have any way to access my PGP keys except for very specific, brief timeframes - so for that reason again please only assume that if I am providing the signed message it is me. There are plenty of people impersonating me on Telegram atm, and I'm sure that the psyops against our community are only going to increase in the coming days/weeks.

-- Baphomet

I’d like to emphasize this part: “Again, the Breached forum will not be coming back. If it’s back for any reason, you need to assume that is an attempt to target our users and is not safe. I will not suddenly come back online and tell everyone I was just kidding and we will be bringing back the forum, so please use your best logic here.”

What’s next for the Breached administrator and the Breached users? We’ll see, I guess. Don’t forget to join Baph’s Telegram channel for future updates. And practice your OPSEC like your life depends on it, because it might.

Later edit: The new chat channel is available now.

Some juicy stuff found by inspecting the PDF court documents, which describe the investigation by one of the FBI Washington Field Office Cyber Task Force’s agents (note that I replaced @ with AT so the email addresses won’t be clickable):

Notably, on or around March 21, 2022, I observed a thread with the subject “Welcome” in which a former RaidForums member with the online moniker “pompompurin” introduced BreachForums as a replacement for RaidForums.

On or about March 16, 2022, on the website dataknight.org, an individual using the moniker “Lander” posted an apparent interview with pompompurin under the title “Exclusive Interview with ‘Pompompurin’ about ‘Breached’” at https://dataknight[.]org/exclusive-interview-with-pompompurin/.

On or about May 10, 2022, the post’s creator, using the moniker “agent,” posted that the database had been moved to the CDN, after he/she had requested pompompurin to approve it on or about April 30, 2022. On or about September 24, 2022, pompompurin edited the post, stating “Official information edited,” indicating that pompompurin had modified the link to the compromised database on the BreachForums CDN.

On or about October 27, 2022, an FBI online covert employee (“OCE”) located in the Eastern District of Virginia purchased and downloaded this database for 8 credits.

On October 17, 2022, an FBI OCE located in the Eastern District of Virginia purchased and downloaded this database. The downloaded archive contained an identical Breached_Info.txt file, along with a text file containing approximately 7,732,243 lines of comma-delimited text.

For instance, on or about August 9, 2022, an FBI OCE reviewed a post initially made by pompompurin on BreachForums on or around July 24, 2022, and last modified on or around November 6, 2022, in which pompompurin officially announced his middleman service and explained that he would accept cryptocurrency from the purchaser and files from the seller.

On or about July 1, 2022, an OCE located in the Eastern District of Virginia reviewed the BreachForums website and observed the below depicted post made by “expo2020” on or about June 28, 2022, which offered to sell “SSN.DOB.ADDRESS.PHONE etc. USA.”

On or about July 2, 2022, the OCE contacted expo2020 through private messages on BreachForums and the messaging application Telegram and arranged to pay approximately $500 to buy the PII and bank account information of approximately one million U.S. persons.

Later, on or about July 2, 2022, the OCE contacted pompompurin through private messages on BreachForums and Telegram to inquire about using pompompurin’s middleman service to conduct a second transaction with expo2020 in which the OCE paid approximately $5,000 to purchase the PII and bank account information of approximately 15 million U.S. persons. Pompompurin agreed to act as an escrow for the funds transfer to ensure the data purchased was received and, on or about July 6, 2022, the OCE, pompompurin and expo2020 engaged in a Telegram group chat to complete the transaction.

On or about August 17, 2022, an OCE located in the Eastern District of Virginia reviewed the BreachForums website and observed a post depicted below that was made by “jigsaw” on or about August 10, 2022. In this post, jigsaw attempted to sell “Access to a US healthcare company accounting system (contains US citizens documents).”

Later, on or about August 17, 2022, the OCE contacted jigsaw through private messages on BreachForums and Telegram and arranged for the purchase of the access to the U.S. healthcare company’s system, as well as a list of additional credentials that jigsaw had stolen from Victim-1 for $3,000.

On or around August 18, 2022, the OCE and jigsaw arranged to have pompompurin act as a middleman for the transaction. In a private message on BreachForums, pompompurin contacted the OCE and requested payment via Bitcoin.

In response, the OCE asked, “just wondering if theres [sic] a way to make sure this access actually has the IDs, card #s, and records that the description says before the money is released. The access is not very helpful for me if theres [sic] no data I can use,” to which pompompurin replied, “The money wont [sic] be released until you confirm you got what you paid for.”

On or about December 18, 2022, a BreachForums user with the moniker “USDoD” posted details of approximately 87,760 members of InfraGard, a partnership between the FBI and private sector companies focused on the protection of critical infrastructure. The FBI has determined that the information was obtained without authorization using a social engineering attack.

As mentioned above, in or around February 2022, law enforcement seized RaidForums and the website was taken offline. As part of the investigation, pursuant to mutual legal assistance requests, the FBI obtained images of servers controlled by RaidForums that, among other things, contained a SQL database of forum activity. The RaidForums database included communications between the RaidForums administrator, using the moniker “omnipotent,” and pompompurin, as well as pompompurin’s RaidForums logins and subscriber information.

In reviewing the RaidForums logs, the FBI determined that the pompompurin user account was accessed from the following IP addresses that resolve to Verizon Communications:[…]

Records received from Verizon, in turn, revealed that at least nine of the above IP addresses used to access the pompompurin account on RaidForums were, at the time, associated with the following mobile devices registered to “Conor Fitzpatrick” at the UNION PREMISES with a cell phone number ending in 3144 (“the 3144 Verizon Telephone Number”).

The RaidForums records also contained the following communication between pompompurin and omnipotent on or about November 28, 2020, in which pompompurin specifically mentions to omnipotent that he had searched for the e-mail address conorfitzpatrick02 AT gmail.com and name “conorfitzpatrick” within a database of breached data from “ai.type”:

As an initial matter, in my training and experience, hackers commonly search themselves in databases to identify any vulnerabilities they might have and determine if any of their personal information may be accessible online.

Further, records received from Google indicate that, in the months preceding pompompurin’s correspondence with omnipotent, FITZPATRICK appears to have registered a Google account with the email address conorfitzpatrick2002 AT gmail.com to replace the older email address (conorfitzpatrick02 AT gmail.com) that pompompurin had identified. For instance, according to records from Google, the conorfitzpatrick2002 AT gmail.com Google account was registered on or about May 26, 2019, and the Google account associated with conorfitzpatrick02 AT gmail.com was then closed on or about April 8, 2020. In addition, the Google Pay accounts linked to the conorfitzpatrick2002 AT gmail.com and conorfitzpatrick02 AT gmail.com accounts were both registered under the name “Conor Fitzpatrick,” and listed the UNION PREMISES and the 3144 Verizon Telephone Number as contact information. As described above, the 3144 Verizon Telephone Number was linked to nine IP addresses that accessed pompompurin’s account on RaidForums. The Google Pay account associated with conorfitzpatrick2002 AT gmail.com also listed a Visa credit card ending in 3068 with an expiration date of May 2027 (5/2027).

The FBI also searched the email addresses conorfitzpatrick2002 AT gmail.com and conorfitzpatrick02 AT gmail.com on the website https://haveibeenpwned.com/ to determine if they were included in the breached ai.type database.

Additional records received from Google further tie the user of the conorfitzpatrick2002 AT gmail.com to FITZPATRICK and the moniker pompompurin. For instance, the recovery email address for conorfitzpatrick2002 AT gmail.com was funmc59tm AT gmail.com. Subscriber records for this account reveal that the account was registered under the name “a a,” and created on or about December 28, 2018 from the IP address 74.101.151.4.

Records received from Verizon, in turn, revealed that IP address 74.101.151.4 was registered to a customer with the last name FITZPATRICK at the UNION PREMISES with a telephone number ending in 2956, and an email address that is associated with this same person’s public employment.

Records received from Google concerning conorfitzpatrick2002 AT gmail.com also showed logins from numerous virtual private network (VPN) provider companies from at least on or about September 20, 2021 through on or about May 12, 2022, including M247 Ltd, Datacamp Limited, Tzulo, Performive, Blix Solutions, Sharktech, Hosting Services Inc, QuadraNet, IVPN, and Mullvad.

For instance, on or about March 7, 2022, records received from Google showed that the conorfitzpatrick2002 AT gmail.com Google account was accessed from IP address 89.187.181.117 on or about March 7, 2022. IP address 89.187.181.117 was owned by Datacamp Limited. However, a query of this IP address on Spur.us, in turn, revealed that this IP address was actually used by the VPN provider IVPN at the time. According to records from Zoom, this IP address was used the following day, on or about March 8, 2022, to log into a Zoom account under the name of “pompompurin” with an e-mail address of pompompurin AT riseup.net.

Records received from Purse.io, a cryptocurrency exchange used to purchase products online, reveal that four of the IP addresses used to access the conorfitzpatrick2002 AT gmail.com Google account and pompompurin’s RaidForums account were also used to log into a Purse.io cryptocurrency account that was registered to “Conor Fitzpatrick” with the email address conorfitzpatrick2002 AT gmail.com from on or about March 14, 2022, through on or about April 27, 2022 (the “Conor Fitzpatrick Purse.io account”). These IP addresses were owned by the providers M247 Ltd, Datacamp Limited, and Tzulo at the time. However, a lookup on Spur.us shows that the 212.103.48.197 IP address (M247 Ltd) and 37.19.206.108 IP address (Datacamp Limited) were both utilized by VPN provider IVPN.

In my training and experience, I know that cyber criminals use a variety of methods to obscure their IP addresses, such as utilizing VPN services or The Onion Router (Tor). However, these services are occasionally misconfigured and expose the user’s true IP address. Accordingly, while the FBI’s examination of the BreachForums database reveals that the pompompurin account was typically accessed through VPN services or Tor, I believe it is notable that IP address 69.115.201.194 was once used to log in to the pompompurin account on or about June 27, 2022.

Further, records received from Apple Inc. concerning an iCloud account associated with FITZPATRICK reveals that the account was accessed approximately 97 times from IP address 69.115.201.194 between on or about May 19, 2022 and on or about June 2, 2022, from an iPhone mobile device.

On or about October 26, 2022, an FBI OCE observed the user profile of the pompompurin account at a time it was logged into BreachForums. At the same time, an FBI agent reviewed records reflecting the physical location of the telephone associated with FITZPATRICK’s 3144 Verizon Telephone Number, which was obtained from Verizon Wireless pursuant to a cell phone GPS warrant obtained in a parallel investigation out of the Northern District of California. These results, accurate to within approximately 1 kilometer, indicate that while accessing BreachForums, FITZPATRICK was likely physically located around the area of the UNION PREMISES.

Further, while performing physical surveillance of the UNION PREMISES on or about February 6, 2023, FBI and HHS-OIG agents observed that the pompompurin account was active on BreachForums while FITZPATRICK was inside the UNION PREMISES.

So yeah, from the bucketload of text in the court documents you can see the extent of the surveillance and which companies handed over pompompurin’s data.