Full Report
A British national known online as "IntelBroker" has been charged by the U.S. for stealing and selling sensitive data from dozens of victims, causing an estimated $25 million in damages. [...]
Analysis Summary
# Threat Actor: IntelBroker
## Attribution & Identity
Threat Actor Identity: IntelBroker
Attribution: British hacker (UK national).
Real Name Allegedly Identified as: Kai West (also operated under the alias "Kyle Northern").
Known External Associations: Was an administrator of the BreachForums hacking forum until stepping down in January [2023].
## Activity Summary
IntelBroker was charged by the FBI for causing an estimated $25 million in damages to victims globally. The investigation involved an undercover operation in which an agent purchased a stolen API key from IntelBroker in January 2023. Evidence linking the hacker was found through financial tracing (a Bitcoin address traced back to a Ramp online banking platform account registered to a UK driving license in West's name) and the use of consistent email accounts linked to the aliases "IntelBroker" and "Kyle Northern."
## Tactics, Techniques & Procedures
- Sale and distribution of stolen data, including API keys (the intrusion methods used to obtain the data are implied, not described).
- Use of online aliases ("Kyle Northern") that were ultimately linked to a real-world identity through financial and email trails.
- Use of cryptocurrency (Bitcoin) for transactions.
- *No specific MITRE ATT&CK IDs were mentioned in the provided text.*
## Targeting
- Sectors: Not explicitly detailed, but activities focus on selling stolen credentials/data, implying targeting infrastructure owners or organizations holding valuable data.
- Geography: Victims are stated to be "around the world." The perpetrator is based in the UK.
- Victims: Not specifically named, but implied to be organizations whose data (like API keys) were stolen and sold.
## Tools & Infrastructure
- Malware families used: None explicitly mentioned (focus is on data sales).
- Infrastructure (C2, domains, IPs): none reported; the only infrastructure identified is financial:
  - A **Ramp online banking platform** account, registered with identity documents (a UK driving license in West's name).
  - A **Coinbase account** registered to the alias "Kyle Northern."
  - **Bitcoin** for illicit transactions.
## Implications
IntelBroker represents a significant threat actor focused on data brokering and on facilitating cybercrime through the sale of stolen access material (such as API keys). The successful identification and charging of an international actor like this demonstrates significant cross-jurisdictional investigative capability by agencies such as the FBI, using financial tracing linked to physical identities. The scale of damage ($25 million) indicates that high-value targets were impacted.
## Mitigations
- Enhanced monitoring and investigation of cryptocurrency transactions, especially Bitcoin flows that touch identity-verified platform services (Ramp, Coinbase).
- Strict internal controls over the handling of, and access to, sensitive credentials such as API keys.
- Organizations should ensure that employee and partner digital footprints cannot easily be cross-referenced with illicit marketplace activity.