The BreachForums case: The HHS-OIG did WHAT?!? Why?
Revelations contained in an affidavit by an FBI agent and a press release by the Department of Justice about the arrest of the owner of a popular hacking forum raise a few questions about the role of the U.S. Department of Health and Human Services Office of the Inspector General (HHS-OIG).
An affidavit by FBI Special Agent John Longmire in support of the criminal complaint against Conor Fitzpatrick, aka “Pompompurin” (Pom), the owner of BreachForums, states that since “on or around March 2022,” HHS-OIG investigated an administrator and certain members of BreachForums. The affidavit does not explain why HHS-OIG started investigating Pom or some of the new forum’s members. There had never been any public statement suggesting that HHS-OIG had been involved in investigating or seizing RaidForums, BreachForums’ predecessor, which had been seized in February. So why did HHS-OIG start investigating Pom and some BreachForums members in March 2022?
More intriguingly, the Department of Justice’s press release credits HHS-OIG for participating in a “disruption activity” that “caused BreachForums to go offline.” The DOJ press release does not explain why HHS-OIG got involved in that.
Because HHS-OIG has not issued any press release or statement explaining its actions, DataBreaches sent the agency an email with questions, including:
- Was this the first time HHS-OIG engaged in any “disruption” activity?
- Was the arrest of Fitzpatrick a bit rushed to prevent leakage of more data from DC Health Links? On March 9, forum user “Denfur” had re-listed the data previously posted for sale by “IntelBroker.” On March 13, Denfur added a post indicating that there was more data and that it would be leaked at some point. Two days later, a complaint was filed against Fitzpatrick, a search warrant was executed, and he was arrested. Correlation or causation?
- Was HHS-OIG’s participation in a disruption activity intended to get BreachForums down so that more DC Health Links data could not be leaked on the popular forum where it would be more likely to be noticed and downloaded?
- Did HHS-OIG’s disruption activity include brute force attempts on IntelBroker’s forum account? Those attacks had been reported to DataBreaches by a self-described friend of IntelBroker. The same friend claims that the brute force attacks were why IntelBroker self-banned (brute force attacks do not work against suspended accounts).
- Did HHS-OIG’s disruption activity include accessing a server with the intention that the access would be noticed by the new administrator, who would then be less likely to put the forum back up? In other words: did Baphomet see the access he was intended to see and respond as any security-conscious administrator would respond by not putting the forum back up?
- Can HHS-OIG explain what statute, law, or regulation gives HHS-OIG the authority to engage in any disruptive activities targeting cybercrime websites or individuals?
Those were DataBreaches’ questions. You may have others.
If this site gets any answers, this post will be updated, but as of this writing no reply to the email has been received.
Update of March 28: A reply from HHS-OIG today reads, “Thank you for contacting HHS-OIG. We are not able to provide further information regarding this case.”