Pedo Pompompurin: BreachForums Founder Gets 3 Years in Prison, While Equifax Executives Cash $90 Million

Update/correction: On September 16, 2025, the Justice Department announced that Conor Brian Fitzpatrick (aka “Pompompurin”) was resentenced to three years in federal prison. His earlier sentence—17 days time served and 20 years of supervised release imposed in January 2024, was vacated by the Fourth Circuit and remanded for resentencing.

The Justice Department is celebrating their prosecution of Conor Brian Fitzpatrick, a 22-year-old from Peekskill, New York, who ran BreachForums and possessed child sexual abuse material. On September 16, 2025, prosecutors secured a three-year federal prison sentence after the Fourth Circuit Court of Appeals vacated his original 17-day sentence with supervised release as too lenient.

Anyone possessing CSAM deserves prosecution and real prison time. But here’s what the feds don’t want you to notice: even as they finally put this pedophile behind bars, they’ve consistently ignored the corporate executives whose negligence poured billions of Americans’ records onto forums like BreachForums.

The Real Criminals Still Walk Free

BreachForums hosted 888 datasets containing 14 billion individual records of personal identifying information (PII). That data didn’t materialize from thin air. Every single record represents a corporate or government failure to secure information they forcibly collected from you.

The 2017 Equifax breach exposed 147 million Americans to identity theft. The executives responsible? They retired with multimillion-dollar packages. The 2015 Office of Personnel Management hack compromised 21.5 million federal employees’ fingerprints and security-clearance data. The consequence was that some bureaucrats got shuffled to different departments.

One dataset on BreachForums contained 200 million social-media users’ data. Another held information on 87,760 members of InfraGard, the FBI’s own corporate partnership program. The FBI couldn’t even protect their own partners’ data, yet no FBI official faced charges for that security failure.

Fitzpatrick’s Actual Crimes

Fitzpatrick pleaded guilty to three counts: access device conspiracy, access device solicitation, and possession of child sexual abuse material. The CSAM possession alone justifies serious punishment. This isn’t someone to defend or martyrize. He possessed the worst kind of illegal content while profiting from stolen data.

He forfeited 100+ domain names, more than a dozen electronic devices, and cryptocurrency tied to the forum. That’s standard forfeiture theater. The core issue is accountability: he’s finally getting prison time for CSAM and his role in trafficking stolen data.

The Double Standard of Federal Prosecution

While Principal Deputy Assistant Attorney General Nicole Argentieri claims this shows DOJ’s “unwavering commitment to bringing to justice those who seek to sell stolen data,” the feds consistently ignore corporate actors whose negligence created the pipeline that BreachForums monetized.

Consider who hasn’t been prosecuted: the Equifax executives who ignored patch warnings for months before 147 million Americans’ data was stolen. The OPM officials who let Chinese actors take 21.5 million federal employees’ fingerprints and security-files. Corporate boards that treat breaches as cost of doing business line items.

When corporations mishandle your data, they pay fines that amount to rounding errors. Equifax’s settlement was $425 million—less than $3 per victim. Executives kept their bonuses. Target’s 2013 breach of 110 million customers ended with an $18.5 million multistate settlement while the CEO walked with a $61 million retirement package.

The government’s own failures are worse. The TSA leaked 87,000 employee records in 2023. No prosecutions. The State Department’s 2014 email compromise? No prosecutions. IRS breaches? Fines paid with your tax dollars—and no jail time.

How BreachForums Actually Operated

BreachForums launched in March 2022, right after RaidForums was seized. It grew to ~330,000 members trading stolen data—888 datasets, 14 billion records. Under the hood it was a 1990s bulletin board with crypto payments bolted on. Nothing sophisticated. Just a marketplace for the data corporations and agencies failed to protect.

The datasets included telecom records, health-care information, investment-account details, and social-media profiles. Every record represented someone whose trust was betrayed—not by random hackers they never trusted, but by the entities that collected their data under promises of security they didn’t keep.

From an operational perspective, the forum exposes an ugly constant: demand for unsecured personal data is massive and persistent. BreachForums didn’t create that demand. Corporate negligence did—by turning your identity into a leaky commodity. Being a member there was like watching which corporation would get caught not caring today.

Brett Leatherman, the FBI's Cyber Division Assistant Director, claims they're "working tirelessly to dismantle criminal marketplaces." Yet the FBI purchases zero-day exploits through contractors, runs honeypot operations, and maintains its own network of informants in these exact forums. By definition then are they not eliminating competition?

The Real Crime: Corporate Immunity

The Computer Crime and Intellectual Property Section (CCIPS) brags about securing 180 cybercrime convictions since 2020 and recovering $350 million. That's $1.9 million per conviction, pocket change compared to the billions in damages from corporate breaches that never result in criminal charges.

Here's the pattern: Individual criminals like Fitzpatrick get prosecuted, as they should when they possess CSAM. But corporate executives who expose millions through criminal negligence get severance packages. Government officials who lose classified data get transferred to different departments. The actual hackers, especially state-sponsored ones from China and Russia, operate with impunity.

The 14 billion records on BreachForums didn't appear through magic. Every single record traces back to a corporation or government agency that failed its legal duty to secure data. Those failures constitute criminal negligence under existing law, laws that prosecutors refuse to enforce against corporations.

The Systemic Failure Nobody Will Address

Fitzpatrick is now doing three years in federal prison. That’s fine. But contrast that with corporate criminals: Equifax's former CEO Richard Smith, who presided over one of history's worst breaches, collected $90 million on his way out the door.

The appeals court's decision to demand harsher sentencing reveals the real dynamic here. Individual criminals, especially those possessing CSAM, face the full weight of federal prosecution, correctly so. But corporate criminals who enable identity theft for millions through criminal negligence face nothing but negotiations over settlement amounts their insurance will cover.

This case sends a clear message: If you're a corporate executive whose criminal negligence exposes millions to identity theft, fraud, and financial ruin, you'll retire rich.

The government doesn't want to fix the systemic security failures that create markets like BreachForums. They want to prosecute individuals who are convenient targets, no matter what else they've done, while protecting the corporate criminals who donate to campaigns and rotate through the revolving door between industry and regulation.

Every one of those 14 billion records represents a person whose data was collected without meaningful consent, stored without adequate protection, and lost without real consequences for those responsible. Fitzpatrick was a pervert who deserved prosecution and prison, if for no other reason than the revictimization of children. But he's also a convenient distraction from the corporate criminals who created the entire ecosystem he operated in. They're still walking free, still collecting bonuses, and still losing your data.

That's the real crime the Justice Department won't prosecute.