Full Report
In what experts are calling a novel legal outcome, the 22-year-old former administrator of the cybercrime community Breachforums will forfeit nearly $700,000 to settle a civil lawsuit from a health insurance company whose customer data was posted for sale on the forum in 2023. Conor Brian Fitzpatrick, a.k.a. "Pompompurin," is slated for resentencing next month after pleading guilty to access device fraud and possession of child sexual abuse material (CSAM).
Analysis Summary
# Incident Report: Civil Forfeiture stemming from Breachforums Data Leak at Nonstop Health
## Executive Summary
The former administrator of the cybercrime forum Breachforums, Conor Brian Fitzpatrick ("Pompompurin"), reached a novel settlement in a civil lawsuit initiated by Nonstop Health, an insurance provider whose customer data was sold on the forum in 2023. Fitzpatrick agreed to forfeit nearly \$700,000 to settle claims, months after he was criminally charged and sentenced for access device fraud and CSAM possession related to operating the illicit marketplace. This incident highlights an unusual instance where a threat actor's assets were directed toward compensating victims of a data breach facilitated by their platform.
## Incident Details
- **Discovery Date:** January 18, 2023 (Date data was posted for sale on Breachforums)
- **Incident Date:** Pre-January 18, 2023 (The period when data was exfiltrated from Nonstop Health)
- **Affected Organization:** Nonstop Health (Insurance provider)
- **Sector:** Health Insurance
- **Geography:** Concord, California, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Prior to Jan 18, 2023)
- **Vector:** Unknown (Related to the data breach at Nonstop Health)
- **Details:** Tens of thousands of records, including SSNs, DOBs, addresses, and phone numbers, were stolen from Nonstop Health.
### Lateral Movement
- Not explicitly detailed in source, as the focus is on the data sale via Breachforums, not the initial compromise method at Nonstop Health.
### Data Exfiltration/Impact
- **Date/Time:** January 18, 2023
- **Details:** Stolen customer data was posted for sale on Breachforums by forum users. Fitzpatrick, as administrator, reviewed and escrowed these sales.
### Detection & Response
- **Date/Time:** March 2023 (Arrest of Fitzpatrick by FBI)
- **Details:** Fitzpatrick was criminally charged. Nonstop Health was named in a class-action lawsuit. In November 2023, Nonstop Health added Fitzpatrick as a third-party defendant. In January 2025, Nonstop Health settled the class action for \$1.5 million. Fitzpatrick agreed to forfeit nearly \$700,000 to settle the civil suit.
## Attack Methodology
- **Initial Access:** Not detailed for the Nonstop Health breach itself. However, Fitzpatrick gained control over the criminal ecosystem by launching Breachforums to replace RaidForums.
- **Persistence:** Operating Breachforums (Launched March 2022) and reviewing databases for sale, acting as an escrow agent.
- **Privilege Escalation:** Not applicable to the administrator role (Fitzpatrick operated under an assumed persona).
- **Defense Evasion:** Operating a dedicated cybercrime marketplace designed to evade law enforcement detection.
- **Credential Access:** Not applicable (The compromised credentials/data were provided by third-party breach victims).
- **Discovery:** Not applicable to the administrator's role.
- **Lateral Movement:** Not applicable to the administrator's role.
- **Collection:** Not applicable to the administrator's role (Data was collected by other threat actors).
- **Exfiltration:** Facilitation of sale/exchange of stolen data via the forum.
- **Impact:** Financial fraud potential due to PII exposure and direct financial settlement costs to the victim company.
## Impact Assessment
- **Financial:** Fitzpatrick forfeited nearly \$700,000. Nonstop Health settled the class action for \$1.5 million.
- **Data Breach:** Tens of thousands of customer records exposed, including Social Security numbers, dates of birth, addresses, and phone numbers.
- **Operational:** Not specified, but the exposure of PII likely necessitated notification and remediation efforts by Nonstop Health.
- **Reputational:** Negative impact leading to a class-action lawsuit against Nonstop Health.
## Indicators of Compromise
*Note: Indicators related to Fitzpatrick's criminal activities (CSAM possession, probation violations) are detailed in criminal filings but are not standard network IoCs for the Nonstop Health breach.*
- **Network indicators:** None provided (Defanged).
- **File indicators:** None provided.
- **Behavioral indicators:** Threat actor operating the illicit forum Breachforums (a successor to RaidForums).
## Response Actions
- **Containment:** Fitzpatrick was arrested by the FBI in March 2023, leading to the disruption of his control over the forum in the short term. A subsequent, unrelated reincarnation of Breachforums was seized in May 2024.
- **Eradication:** Fitzpatrick pleaded guilty to multiple charges. The civil suit led to the forfeiture of his assets.
- **Recovery:** Nonstop Health settled the class action for \$1.5 million, with nearly \$700,000 of that amount sourced from the asset forfeiture of the breach facilitator (Fitzpatrick).
## Lessons Learned
- **Novel Legal Precedent:** This case sets a rare precedent where funds seized from a threat actor involved in a breach were successfully directed toward compensating the victims through civil litigation.
- **Administrator Accountability:** Highlights the legal strategy of pursuing platform operators (like Fitzpatrick/Pompompurin) who facilitate large-scale data sales, even if they did not execute the initial compromise.
- **CSAM Correlation:** Further demonstrates the common overlap between individuals profiting from data breaches and those involved in CSAM possession.
- **Criminal Behavior Post-Sentencing:** Fitzpatrick violated his initial supervised release conditions, showcasing a lack of deterrence from the initial January 2024 sentence.
## Recommendations
- **Aggressive Civil Litigation:** Organizations suffering significant breaches should explore adding key facilitators (platform owners, escrow agents) as third-party defendants in civil suits to potentially tap into seized criminal assets.
- **Enhanced Monitoring for Released Offenders:** Stricter monitoring and enforcement measures should be applied, especially when high-profile cybercriminals are sentenced to supervised release, to prevent immediate re-engagement in illicit online activity.
- **Proactive Data Monitoring:** For insurance companies, ensure robust monitoring of known dark web/crime forums for postings of proprietary customer data.