
Police pounce on 'pompompurin' – alleged mastermind of BreachForums

The Register 3/20/2023 Brandon Vigliarolo

Crypto laundering service gets cleaned up by police and SVB mess draws in more criminals

In Brief A man accused of being the head of one of the biggest criminal online souks, BreachForums, has been arrested in Peekskill, New York.

Conor Brian FitzPatrick, believed to operate the forum under the name pompompurin, was reportedly arrested on Wednesday afternoon, and according to court documents [PDF] FitzPatrick confessed to running the forum.

"When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian FitzPatrick; b) he used the alias 'pompourin,' and c) he was the owner and administrator of 'BreachForums,' the data breach website referenced in the Complaint," FBI special agent John Longmire testified.

BreachForums appeared on the dark web shortly after the demise of RaidForums – a site which specialized in selling purloined data. It quickly grew to become a massively popular site for data thieves to announce their exploits.

FitzPatrick was charged with one count of conspiracy to commit access device fraud and bail was set at $300,000 – paid for by his parents.

Silicon Valley Bank account holders are already being battered by the collapse of their financial institution, and cyber criminals have been quick to add insult to injury by jumping at the opportunity to prey on those whose cash has been caught up in the bank run. 

We've already warned readers about online scams cropping up to take advantage of the collapse of Silicon Valley Bank, and at least one campaign has already emerged: security firm Inky reported what it claims is the first SVB-related scam to target Microsoft account credentials. 

Per Inky's report, the attack starts with fake DocuSign notifications branded to appear as if they came from SVB's Know Your Customer Refresh Team, and asks the victim to fill out a pair of surveys to verify their identity as an SVB account holder.

When links in the email are clicked, however, they redirect users through a pair of different links that claim to be sending the user to their organization's sign-in page – in this case spoofed to look like a Microsoft account login.

Of course, if one were clicking those links with a critical eye, a bit of confusion may arise from needing to sign in to a Microsoft account to access DocuSign documents. In case that doesn't tip users off, it's a good idea to blacklist the domains that Inky flagged as part of the scam: serving-sys[.]com and docuonline[.]eu. Inky also warns that web[.]app domains are being used to host fake Microsoft login pages.
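As an added example (not code from The Register or from Inky), the following script shows how a defender might act on the indicators above: it refangs the published `[.]` notation, extracts URLs from a message, and classifies each one. The two flagged domains and the web[.]app pattern are the article's; the sample e-mail, its paths and the `example-svb-kyc.web.app` subdomain are constructed for illustration. Because web[.]app is a shared hosting suffix, hits on it are marked for review rather than blocked outright.

```python
"""Blocklist check for the SVB-themed phishing indicators described above.

Added example, not part of the article or Inky's report. Indicator domains
come from the article; the sample message below is constructed.
"""
import re
from urllib.parse import urlparse

# Domains Inky flagged as part of the scam (article values, defanged as published).
BLOCK_DOMAINS = ["serving-sys[.]com", "docuonline[.]eu"]

# Shared hosting suffix the article says was used for fake login pages.
# Flag for review instead of blocking, since legitimate apps live there too.
REVIEW_SUFFIXES = ["web[.]app"]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' into a matchable host."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches(host: str, indicators: list[str]) -> bool:
    """True if host equals an indicator or is a subdomain of it.

    The leading '.' on the suffix test prevents 'notserving-sys.com' from
    matching 'serving-sys.com'.
    """
    host = host.lower().rstrip(".")
    for indicator in indicators:
        domain = refang(indicator)
        if host == domain or host.endswith("." + domain):
            return True
    return False


def extract_urls(text: str) -> list[str]:
    """Pull http(s) URLs out of free text, dropping trailing punctuation."""
    return [u.rstrip(".,);") for u in URL_RE.findall(text)]


def classify_url(url: str) -> str:
    """Return 'block', 'review' or 'allow' for a single URL."""
    host = urlparse(url).hostname or ""
    if host_matches(host, BLOCK_DOMAINS):
        return "block"
    if host_matches(host, REVIEW_SUFFIXES):
        return "review"
    return "allow"


def scan_message(text: str) -> dict[str, str]:
    """Map every URL found in a message to its verdict."""
    return {url: classify_url(url) for url in extract_urls(text)}


# Constructed sample resembling the lure described in the article.
SAMPLE_EMAIL = """Subject: Action required: SVB Know Your Customer refresh

Please complete both surveys to confirm your account holder identity:
https://docuonline.eu/kyc/survey1
https://login.serving-sys.com/redirect?to=survey2
Sign in with your organization account: https://example-svb-kyc.web.app/signin
Reference: https://www.docusign.com/
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL).items():
        print(f"{verdict:6}  {url}")
```

Running the script lists each URL with its verdict; the two Inky-flagged hosts come back as `block`, the constructed web.app page as `review`, and the DocuSign reference as `allow`.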

This campaign is different from SVB scams that have come before it, but only by degrees, as previously reported scams have also tried to fool people with fake DocuSign links. 

Proofpoint also identified a campaign earlier this week targeting users of DeFi app Circle, which had a considerable stake in SVB, by tricking people into buying the cryptocurrency USDC – a "stablecoin" pegged to the value of the US dollar that lost its peg when SVB collapsed. Proofpoint said the scam was trying to lure customers to redeem USDC for US dollars at a 1:1 rate. 

So, like other trending cyber crime scams, those surrounding SVB's collapse aren't particularly well crafted, nor uniquely dangerous. It's the same old phishing tricks: lures for the greedy and simple solutions for the frightened.

Proofpoint summed up how those with an interest in SVB should respond to the current threat environment well in a tweet: "Anyone involved in handling financial info or transactions [should] exercise additional caution and diligence as messages could emanate from fraudsters." 

ChipMixer, a cryptocurrency "mixer" used extensively by cybercriminals, has been taken down thanks to a joint effort led by the US Justice Department and German authorities, who in the process seized nearly 2,000 Bitcoins ($50.7 million), four servers and seven terabytes of juicy crime-adjacent data.

Until its takedown on March 15, ChipMixer was used to launder cryptocurrency by converting all deposited crypto – primarily Bitcoin – into its own virtual asset called chips. Those chips were then mixed into one large pool before being redistributed, hiding all blockchain trails in the process. 

The service was set up in 2017 by Vietnamese national and resident Minh Quốc Nguyễn, whom the US DoJ has charged with money laundering, operating an unlicensed money transmission business and identity theft. Nguyễn is currently at large and faces up to 40 years in prison if convicted. 

According to the DoJ, ChipMixer laundered money for the cyber criminals behind 37 ransomware strains, more than $700 million in Bitcoin linked to stolen wallets, more than $200 million associated with darknet markets – including $60 million that belonged to Hydra – and millions more associated with dark web forums where bad actors could buy stolen account credentials and the like.

ChipMixer allegedly counted among its clientele the Russian General Staff Main Intelligence Directorate, or GRU, and its subsidiary units, which include APT28; North Korean actors behind the Axie Infinity hack; and the individuals behind the Horizon Bridge hack. European officials said that ransomware actors including Mamba and LockBit have also used the service.

Of the idea that cryptocurrency – or laundering services such as ChipMixer – can anonymize crime, the FBI said technology won't protect anyone. 

"Technology has changed the game … In response, the FBI continues to evolve in the ways we 'follow the money' of illegal enterprise," said FBI special agent in charge Jacqueline Maguire of the Philadelphia Field Office. ®

