BreachForums Admin Fined $700,000 Over Major Health Care Data Breach

In a precedent-setting legal development, Conor Brian Fitzpatrick, the 22-year-old former administrator of the notorious cybercrime marketplace BreachForums (known online as “Pompompurin”), has agreed to forfeit nearly $700,000 to settle a civil lawsuit brought by Nonstop Health, a California-based health insurance provider whose customer data was posted for sale on the forum in 2023.

This marks one of the first instances in which a cybercriminal has been directly named and held financially accountable in civil litigation stemming from a data breach.

The Breach and Legal Fallout

On January 18, 2023, cybercriminals using BreachForums advertised tens of thousands of stolen records from Nonstop Health, including Social Security numbers, dates of birth, addresses, and phone numbers, classic examples of personally identifiable information (PII) and protected health information (PHI).

The breach triggered a class-action lawsuit against Nonstop Health, which subsequently added Fitzpatrick as a third-party defendant after his arrest by the FBI on charges of access device fraud and possession of child sexual abuse material (CSAM).

Nonstop Health ultimately agreed to a $1.5 million settlement to resolve the class action, with Fitzpatrick’s forfeiture earmarked to benefit affected customers who submit valid claims for losses such as identity theft, fraud, or credit monitoring expenses.

A Novel Use of Civil Litigation Against Cybercrime

Legal experts highlight the rarity of such a civil outcome. Jill Fertel, head of cyber litigation at Cipriani & Werner, noted, “This is the first and only case where a cybercriminal or anyone related to the security incident was named in civil litigation.”

Mark Rasch, a former federal prosecutor, echoed the novelty, explaining that threat actors are seldom identified or possess sufficient assets to pay civil claims.

Civil remedies in cybercrime cases, while traditionally focused on injunctive relief or seizure of property under statutes like the Computer Fraud and Abuse Act (CFAA), are increasingly being leveraged to disrupt criminal operations and compensate victims.

The BreachForums case demonstrates the potential for civil courts to issue orders for asset forfeiture even against individuals facing parallel criminal prosecution.

BreachForums: The Hub for Stolen Data

BreachForums, launched by Fitzpatrick in March 2022 after the FBI’s takedown of RaidForums, quickly became the largest English-language cybercrime marketplace, amassing over 300,000 users and facilitating the sale of databases from hundreds of hacking victims.

The platform offered an escrow service, a technical mechanism where the forum administrator holds funds or goods in trust until both parties fulfill their obligations, reducing fraud risk in illicit transactions.

Fitzpatrick’s role as administrator included personally vetting all data listings and managing a “Leaks Market,” where access to compromised databases was sold via a credits system.

The forum’s infrastructure and business model exemplify the “cybercrime-as-a-service” trend, where threat actors monetize stolen data, hacking tools, and illegal access devices.

Criminal Charges and Sentencing

Fitzpatrick pleaded guilty to conspiracy to commit access device fraud and possession of CSAM, admitting to having more than 600 illicit images on his devices.

Initially sentenced to time served and 20 years of supervised release, Fitzpatrick was later rearrested for violating release terms by using unmonitored computers and breaching court-ordered monitoring.

Federal prosecutors objected to the leniency of his sentence, arguing it failed to reflect the seriousness of his crimes.

In January 2025, a federal appeals court vacated the sentence and ordered resentencing, which is scheduled for June 3, 2025.

Broader Implications

This civil settlement sets a new benchmark for victim restitution in cybercrime cases, demonstrating that even anonymous threat actors can be unmasked and held financially liable.

It also signals a shift toward integrating civil litigation tools with criminal enforcement to disrupt the economics of cybercrime and provide tangible relief to breach victims.

As law enforcement and courts adapt to the evolving threat landscape, the BreachForums case may serve as a model for future actions against cybercriminals operating at the intersection of data breaches, identity theft, and illicit online marketplaces.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
