Update and note: After this post appeared and was posted on Mastodon, some people complained about the original headline, characterizing it as “clickbait.” That was not my intention. I was just trying to accurately describe what I saw as the most noteworthy part of the situation without mentioning either CSAM or CP in the headline lest it trigger blocks. I have since edited the headline in light of their feedback, but I’m not sure if this will cause other problems.
When the arrest of Conor Fitzpatrick, aka “Pompompurin,” was made known on March 17, 2023, the members of Breached.vc (“BreachForums”) were shocked to learn from court filings how poor their forum owner’s OpSec was and that he had already admitted to law enforcement that he was known as “Pompompurin” and was the owner of BreachForums. It seemed very likely that, with all the evidence law enforcement had and his own admissions, “Pom” would plead guilty in hopes of some reduced charges or sentencing.
At the time of his arrest, there was one charge against Fitzpatrick: conspiracy to commit access device fraud, but it seemed somewhat obvious that there would be other charges.
But some things didn’t go quite as some predicted. Fitzpatrick’s indictment, delayed by consent of both the prosecution and defense until May 15, wound up further delayed after Fitzpatrick reportedly attempted suicide and was hospitalized. It was difficult to tell from all the sealed documents on the court docket exactly what was happening after that, but then there was a sudden flurry of activity this week. Fitzpatrick’s case was ended and the docket was transferred to a new case, USA v. Fitzpatrick, 1:23-cr-00119-TSE-1, still in the Eastern District of Virginia.
On July 11, the new docket indicated that there would be a pre-indictment plea hearing on July 13.
Yesterday, an Information was docketed for the case. It showed that Fitzpatrick was now charged with three counts — one count each of:
- 18 U.S.C. § 1029(b)(2) and 3559(g)(1) Conspiracy to Commit Access Device Fraud;
- 18 U.S.C. § 1029(a)(6) and 2 Access Device Fraud – Unauthorized Solicitation; and
- 18 U.S.C. § 2252(a)(4)(B) and (b)(2) Possession of Child Pornography
Shock and Anger
While people expected the first two counts based on Fitzpatrick’s known activities on the forum and related to the forum, the possession of child pornography charge came as a total shock to those who DataBreaches has heard from already. The Information had this explanation for the charge:
On or about March 15, 2023, in the Southern District of New York, the defendant, CONOR BRIAN FITZPATRICK (a/k/a “Pompompurin”), did knowingly possess and attempt to possess at least one matter containing one or more visual depictions that had been transported using a means and facility of interstate and foreign commerce, and in and affecting interstate and foreign commerce, and which visual depictions were produced using materials which had been mailed and so shipped and transported, by any means including by computer; and the production of such visual depictions involved the use of a minor engaging in sexually explicit conduct and such visual depictions were of such conduct, to wit: videos depicting prepubescent minors and minors who had not attained 12 years of age engaging in sexually explicit conduct, stored on a Dell Inspiron 5593 laptop computer (service tag number B2W9723) with a Samsung 870 QVO 4TB solid state drive (SN S5VYNJ0T405292K).
(In violation of Title 18, United States Code, Sections 2252(a)(4)(B) and (b)(2)).
Possible Maximum Penalties
According to the Plea Agreement:
The maximum penalties for conspiracy to commit access device fraud, as pleaded with 3559(g)(1), are 10 years of imprisonment, a fine of $250,000, full restitution, forfeiture of assets as outlined below, a $100 special assessment, and three years of supervised release. The maximum penalties for solicitation for the purpose of offering access devices are 10 years of imprisonment, a fine of $250,000, full restitution, forfeiture of assets as outlined below, a $100 special assessment, and three years of supervised release. The maximum penalty for possession of child pornography is 20 years of imprisonment, a fine of $250,000, full restitution, forfeiture of assets as outlined below, any special assessment pursuant to 18 U.S.C. §§ 3013, 3014, and 2259A, and a minimum supervised release term of 5 years and a maximum of Life. The defendant understands that any supervised release term is in addition to any prison term the defendant may receive, and that a violation of a term of supervised release could result in the defendant being returned to prison for the full term of supervised release.
Most defendants do not get the maximum penalty, and the sentences do not all necessarily run consecutively. Part of the Plea Agreement goes through the base level and enhancements for each count and explains that the court can set a sentence that is higher or lower than the sentencing guidelines as long as it would be upheld by a higher court as reasonable.
Part of what Fitzpatrick agreed to is to pay restitution, which will be at least almost $700,000 based on gross proceeds of his crimes with unnamed co-conspirators. He will also forfeit devices and the numerous domains he owned that are listed in the Plea Agreement.
Sentencing and Bond
Fitzpatrick is scheduled to be sentenced on November 17, 2023. In the interim, he remains free on the $300,000 bond as he has been since his arrest, but now with even more restrictions than before. As outlined in the docket:
- The defendant shall not access a computer and/or the internet unless a computer monitoring program has been installed by the pretrial services office. The defendant shall consent to the installation of computer monitoring software on any computer to which the defendant has access. Installation shall be performed by the pretrial services officer. The software may restrict and/or record any and all activity on the computer, including the capture of keystrokes, application information, internet use history, email correspondence, and chat conversations. The defendant shall not remove, tamper with, reverse engineer, or in any way circumvent the software. The cost of the monitoring will be paid by the defendant.
- No contact with minors under the age of 18 (with the exception of the defendant’s sibling) unless supervised by an adult who is aware of the defendant’s offense, at the discretion of the probation officer.
- The defendant shall not access any websites or accounts focused on breached, leaked or stolen data, computer hacking, security research, malware, computer programming, domains, cybercrime, online obfuscation, or computer networking, without prior approval of probation.
- The defendant shall not use any tools for obfuscating his identity, such as virtual private networks (VPNs), the onion router (Tor), or proxies.
- The defendant shall not create, register, or rent any new websites, domains, servers, or computer infrastructure associated with the operation of websites.
- Court further included at the discretion of the probation officer, defendant maintain or actively seek employment and/or enroll in an educational/vocational program.
Can There Be Other Charges?
DataBreaches was somewhat surprised to see only 3 counts, given how many things it seemed Fitzpatrick could have been charged with — including the FBI email hoax. Indeed, Count 2 of the Information seemed to relate to only one incident during a specified time period — a time period that correlates with the listing of the Shanghai Police Department data, where the listing indicated that Fitzpatrick would be the middleman for any transaction. By being a middleman, Fitzpatrick would have aided and abetted the solicitation, etc.
So where were all the other charges or counts they could have levied? Is this plea deal the end of all possible prosecutions for Fitzpatrick?
No, it’s not necessarily the end. The Plea Agreement states:
The United States will not further criminally prosecute the defendant in the Eastern District of Virginia for the specific conduct described in the Information or Statement of Facts. This Plea Agreement and Statement of Facts does not confer on the defendant any immunity from prosecution by any state government in the United States.
For now, however, those who knew Fitzpatrick and liked him are trying to understand how and why the nice kid they knew had child pornography on his device.