OpSec Failures made by Pompompurin, Administrator of BreachForums.

Mr. Tommy



Well, I don't know what to say. The amount of fuckups done by him is just mind-blowing. The recent indictment document was released and, going through it, I can confidently say that Pompompurin had NO OpSec at all. This will be shown by the following statements taken from the indictment, which I will briefly explain. We will be going through only the critical parts of it, so let's jump right into it.

1. Logging in from his real IP

The court documents show that he logged in to RaidForums as well as BreachForums from his own IP without using any kind of proxy or VPN. Point 50 states:

50. In reviewing the RaidForums logs, the FBI determined that the pompompurin user
account was accessed from the following IP addresses that resolve to Verizon Communications:
2600:1017:b017:810f:5899:2deb:d428:647e at 4/24/21 7:10:35 PM UTC
2600:1017:b01e:d0b9:a9ee:1962:532a:8189 at 3/13/21 6:34:21 PM UTC
2600:1017:b801:325f:a0e9:c125:d43:c55c at 5/10/21 1:58:21 PM UTC
---
51. Records received from Verizon, in turn, revealed that at least nine of the above IP
addresses used to access the pompompurin account on RaidForums were, at the time, associated
with the following mobile devices registered to “Conor Fitzpatrick” at the UNION PREMISES
with a cell phone number ending in 3144 (“the 3144 Verizon Telephone Number”).
IMSI: 311480405756028
IMEI: 353888106005342 (iPhone 11 Pro Max), 356697089909371 (iPhone 7 Plus)


2. Using his real name and email address while talking with RaidForums Administrator

Another such silly fuck-up of his was in a conversation between him and "omnipotent". Point 52 states:
52. The RaidForums records also contained the following communication between
pompompurin and omnipotent on or about November 28, 2020, in which pompompurin
specifically mentions to omnipotent that he had searched for the e-mail address
[email protected] and name “conorfitzpatrick” within a database of breached data
from “ai.type”


The original conversation mentioned in the document is as follows:

[Quoting “pompompurin”:]
Hello, I'm sorry to bother you with this but I noticed recently that the ai.type databreach
post doesn't seem to include every user (?) at least to my understanding. Looking up one
of my old emails on HIBP, I come up as in it, but I cannot locate myself in the file
provided at https://raidforums.com/Thread-ai-type-Database-Leaked-Download-Exclusive

It seems that maybe it is only a partial amount of data from it? I was under the impression
that it was the full amount of data from looking at the thread as I didn't see any mention
of it only being “some” of the data from the breach.

Not messaging to ask for credits back or anything, because I wanted it anyways, I just
wanted to let you know that it doesn't seem to be the full amount of data and that the
thread doesn't seem to communicate that it isn't the full one.
Thanks ;)

[Quoting “Omnipotent”:]
What email did you look up and how?

[Quoting “pompompurin”:]
Apologies for late reply, here is another email that I found to be present on HIBP, but not
inside of the file provided on the thread ( I don’t want to share my actual email for
obvious reasons, but this email seems to have the same case as mine):
[email protected]
https://a.pomf.cat/vvxevp.png (backup: https://archive.is/uYiTq )


That's actually funny. He said "I don't want to share my email" and yet proceeds to give out very critical information about himself.

3. Using same email address everywhere

Pompompurin's email address "[email protected]" was the registered email address on RaidForums. He also distributed this email address quite often among other people in the forum.

He used the same email address to register a Zoom account. Here's the full statement from the document (64):

64. For instance, on or about March 7, 2022, records received from Google showed that
the [email protected] Google account was accessed from IP address
89.187.181.117 on or about March 7, 2022. IP address 89.187.181.117 was owned by Datacamp
Limited.

However, a query of this IP address on Spur.us, in turn, revealed that this IP address was
actually used by the VPN provider IVPN at the time. According to records from Zoom, this IP
address was used the following day, on or about March 8, 2022, to log into a Zoom account under
the name of “pompompurin” with an e-mail address of [email protected].

The [email protected] email address is notable because, at the time of the Zoom account’s
creation, it served as pompompurin’s registration email address on RaidForums, per records
obtained by the FBI in that investigation.


There might be more to it, but I think these were the critical ones. These kinds of OpSec practices are laughable. No wonder he got arrested.

For anyone wanting to read the whole document, here's the link:
https://storage.courtlistener.com/recap/gov.uscourts.vaed.535542/gov.uscourts.vaed.535542.2.0.pdf
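
The cross-service IP pivot described in paragraph 64 of the quoted indictment (and the IPv6 log matching in paragraph 50), sketched from the investigator's side as an added example that is not part of the original post or the court document. The record layout, account names, documentation-range IP addresses and the `KNOWN_VPN_EXITS` set are all constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address
from itertools import combinations

# Constructed sample access records: (service, account, source IP, UTC timestamp).
RECORDS = [
    ("mail",  "acct-a", "203.0.113.117",        "2022-03-07T14:02:00"),
    ("video", "acct-b", "203.0.113.117",        "2022-03-08T09:30:00"),
    ("video", "acct-c", "203.0.113.117",        "2022-04-20T11:00:00"),
    ("forum", "acct-d", "2001:DB8:0:0:0:0:0:1", "2021-04-24T19:10:35"),
    ("mail",  "acct-a", "2001:db8::1",          "2021-04-24T21:00:00"),
]
# Assumption: populated from an IP-reputation lookup; constructed here.
KNOWN_VPN_EXITS = {ip_address("203.0.113.117")}


def correlate(records, window=timedelta(hours=48), vpn_exits=frozenset()):
    """Link different accounts that used the same IP within `window`."""
    # ip_address() canonicalises spellings, so "2001:DB8:0:0:0:0:0:1"
    # and "2001:db8::1" compare equal even if two providers log them differently.
    parsed = [(svc, acct, ip_address(ip), datetime.fromisoformat(ts))
              for svc, acct, ip, ts in records]
    links = []
    for a, b in combinations(parsed, 2):
        same_identity = (a[0], a[1]) == (b[0], b[1])
        if same_identity or a[2] != b[2]:
            continue
        gap = abs(a[3] - b[3])
        if gap > window:
            continue  # addresses get reassigned; stale matches are noise
        links.append({
            "ip": str(a[2]),
            "accounts": sorted([f"{a[0]}:{a[1]}", f"{b[0]}:{b[1]}"]),
            "gap_hours": round(gap.total_seconds() / 3600, 1),
            # A VPN exit is shared by many customers, so a hit there is only
            # a lead that needs a second identifier (e.g. a reused email).
            "strength": "weak (shared VPN exit)" if a[2] in vpn_exits else "strong",
        })
    return links


if __name__ == "__main__":
    for link in correlate(RECORDS, vpn_exits=KNOWN_VPN_EXITS):
        print(link)
```

A match on a VPN exit is graded weak on its own, which mirrors the excerpt: the shared IP only became meaningful alongside the registration email address tied to the same account.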
 

4pfcarder

Yo, that guy is either dumb as a brick or he just don't give a rat's ass about gettin busted. What a fool! He straight up said he was the boss of the forum when the FBI agents pulled up to his spot. He ain't have no decent security measures and was caught mad easy ain't nothing special about the feds catching him.
 
