Full Report
The U.S. is alleging that 25-year-old British national Kai West is the prolific hacker “IntelBroker.” IntelBroker was arrested in February, the Paris, France Public Prosecutor’s Office announced yesterday, while also revealing that four members of the “ShinyHunters” collective that operated the BreachForums cybercrime forum were arrested this week. French officials didn’t name IntelBroker or the other hackers, but the U.S. named West in a four-count indictment and complaint unsealed yesterday. How FBI investigators made the connection between West and IntelBroker was detailed in the 15-page complaint filed in the U.S. District Court for the Southern District of New York.

IntelBroker Mingled Personal, Online Accounts, U.S. Alleges

The U.S. alleges that IntelBroker and the “CyberNiggers” group conspired “to steal data from a telecommunications company, municipal health care provider, an Internet service provider, and more than 40 other victims,” according to a Justice Department press release announcing the unsealing of the court documents. West and his co-conspirators “took that stolen data, and offered it for sale online for more than $2 million,” the press release claims, adding that the alleged hackers “caused in excess of $25 million in damages to victims.” West was arrested in France in February 2025, and the U.S. is seeking his extradition.

An undercover purchase by law enforcement in January 2023 helped investigators begin to piece together IntelBroker’s identity, according to the complaint signed by an FBI Special Agent. IntelBroker offered for sale an API key for a particular victim for $250 in Monero cryptocurrency, the complaint said. An undercover agent sent a private message to IntelBroker asking if the threat actor would sell the data for $250 in Bitcoin, a cryptocurrency that isn’t as private as Monero. IntelBroker gave the agent a particular Bitcoin wallet address, referred to as “BTC Wallet-1” in the complaint.

After the agent sent the payment, IntelBroker provided the API key “as well as three purported administrator logins with a password for those logins.” FBI personnel analyzed BTC Wallet-1’s transactions on the Bitcoin blockchain and connected four transactions and two other accounts, dubbed “West Wallet-1” and “Ramp Account-1,” that seeded BTC Wallet-1. The FBI concluded that BTC Wallet-1 was created as a pass-through wallet to obscure funds from Ramp Account-1.

Ramp Account-1 “is associated with a particular United Kingdom Provisional Driving License with the name ‘Kai Logan West,’” who also goes by the alias “Kyle Northern,” the U.S. complaint claims. That license is also associated with a particular Coinbase account that investigators said they connected to West via “Know-Your-Customer” (KYC) data. The court filing included an image of that license with some information redacted.

Both Ramp Account-1 and the Coinbase account were registered to a personal email account used by West, the U.S. claims. Investigators also tied a data storage invoice and university correspondence to the email account, which they say also confirms West’s identity. Accounts registered to West’s email account also used the same IP addresses as “IntelBroker,” the complaint alleges, and the email account also had YouTube activity that overlapped with IntelBroker.

Also read: IntelBroker Interview: The Elusive Hacker in the Shadows Talks to The Cyber Express

‘Innocent Unless and Until Proven Guilty’

Whether the U.S. has enough evidence to convict West – or elicit a plea deal – is a matter for the courts to decide.
As the press release noted, “The charges contained in the Indictment and Complaint are merely accusations, and the defendant is presumed innocent unless and until proven guilty.” West has been charged with conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; accessing a protected computer to obtain information, which carries a maximum sentence of five years in prison; and wire fraud, which carries a maximum sentence of 20 years in prison.
Analysis Summary
# Threat Actor: IntelBroker (Alleged)
## Attribution & Identity
* **Identified:** A British national, alleged by U.S. court filings to be the threat actor known as **IntelBroker**.
* **Alleged Identity/Name:** Kai Logan West.
* **Aliases/Associated Names:** Kyle Northern.
* **Supporting Evidence (Alleged):** Association with a UK Provisional Driving License under the name ‘Kai Logan West,’ a Coinbase account linked via KYC data, personal email correspondence (data storage invoice, university correspondence), and overlapping IP addresses/YouTube activity linked to the "IntelBroker" moniker.
## Activity Summary
The provided article focuses primarily on the allegation and identification of the individual behind the pseudonym "IntelBroker" via U.S. court filings, rather than detailing specific recent campaigns or operations conducted by the actor. However, the context implies IntelBroker is a known entity in the cyber underground, potentially linked to major data breaches or illegal information sales (suggested by the name "IntelBroker" and reference to an "IntelBroker Interview").
## Tactics, Techniques & Procedures
The article does not explicitly list detailed cyber TTPs or corresponding MITRE ATT&CK IDs. The focus is on the *criminal infrastructure/financial trail* used for alleged activities:
* **Association with illicit online platforms:** Implied association with the cybercrime ecosystem (e.g., the existence of an "IntelBroker Interview" suggests interaction with platforms or media covering illegal activities).
* **Financial/Identity Traces:** Use of Coinbase accounts and specific personal email addresses for registration and activity, which were used by investigators to tie the online persona to the alleged real-world identity.
## Targeting
* **Sectors:** Not explicitly defined in the context of IntelBroker's historical activities, though the mention of *BreachForums Operators Arrested* and *Aflac Reports Breach* suggests that actors in this sphere target a range of organizational sectors, implicitly including finance/insurance.
* **Geography:** The alleged actor is a British national, arrested in France and subject to U.S. legal action (extradition sought).
* **Victims:** No specific historical victims are named in relation to IntelBroker in this summary snippet.
## Tools & Infrastructure
* **Malware families used:** None mentioned.
* **Infrastructure (C2, domains, IPs):**
  * Coinbase account (used for financial transactions/registration).
  * Personal email account (used for account registrations linked to both the alleged real identity and the "IntelBroker" persona).
  * Specific IP addresses overlapping between the alleged personal activity and the "IntelBroker" activity.
## Implications
The primary implication is a successful attribution effort by U.S. law enforcement against a high-profile cybercriminal figure known as IntelBroker. This attribution (if proven in court) poses a significant disruption to the underground economy of stolen intelligence and data being traded online. The actor faces serious charges including conspiracy to commit computer intrusions and wire fraud.
## Mitigations
* **Identity Verification:** Law enforcement/financial institutions rely heavily on KYC data associated with accounts (like Coinbase) to attribute cyber actors.
* **Digital Footprint Correlation:** Investigators used overlapping IP addresses and online activity signatures (YouTube) across different accounts to build an identity case.
* **Legal Process:** The case will proceed through the U.S. court system, with charges including conspiracy to commit computer intrusions (max 5 years) and wire fraud (max 20 years). (Note: These are legal proceedings, not preventative technical mitigations).
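The two correlation steps the complaint describes (flagging BTC Wallet-1 as a pass-through wallet from its transaction pattern, and linking the persona to real-world accounts through shared e-mail addresses and IP addresses, as summarized under "Digital Footprint Correlation") can be shown in code. The block below is an added example written for this page; it is not code from the article, the court filing, or any investigative tool. All wallet labels, account names, e-mail addresses, IP addresses (from the documentation ranges) and timestamps are constructed, and the thresholds (forward ratio, holding time) are assumptions chosen for illustration.

```python
"""Added illustration of two attribution heuristics over a constructed ledger.

Nothing here comes from the court filing; names, amounts and identifiers are
made up so the script runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tx:
    ts: datetime
    src: str
    dst: str
    amount: float  # BTC


# Constructed ledger: two seeding wallets fund WALLET-A, which forwards almost
# everything within hours (pass-through pattern); WALLET-B holds funds for weeks.
T0 = datetime(2023, 1, 10, 12, 0)
LEDGER = [
    Tx(T0, "SEED-1", "WALLET-A", 0.40),
    Tx(T0 + timedelta(hours=1), "SEED-2", "WALLET-A", 0.25),
    Tx(T0 + timedelta(hours=3), "WALLET-A", "EXCHANGE-X", 0.64),  # ~0.01 left (fee/dust)
    Tx(T0, "SEED-3", "WALLET-B", 1.00),
    Tx(T0 + timedelta(days=40), "WALLET-B", "MERCHANT-Y", 0.10),
]


def wallet_flows(ledger):
    """Group inflows and outflows per wallet label."""
    inflows, outflows = defaultdict(list), defaultdict(list)
    for tx in ledger:
        inflows[tx.dst].append(tx)
        outflows[tx.src].append(tx)
    return inflows, outflows


def pass_through_candidates(ledger, max_hold=timedelta(hours=24), min_forward_ratio=0.9):
    """Flag wallets that forward >= min_forward_ratio of what they received and
    whose last outflow lands within max_hold of their first inflow.
    Returns {wallet: {"sources": [...], "forward_ratio": float}} (assumed thresholds)."""
    inflows, outflows = wallet_flows(ledger)
    found = {}
    for wallet, ins in inflows.items():
        outs = outflows.get(wallet)
        if not outs:
            continue  # receiving-only wallets are not pass-throughs
        total_in = sum(t.amount for t in ins)
        total_out = sum(t.amount for t in outs)
        ratio = total_out / total_in
        hold = max(t.ts for t in outs) - min(t.ts for t in ins)
        if ratio >= min_forward_ratio and hold <= max_hold:
            found[wallet] = {
                "sources": sorted({t.src for t in ins}),
                "forward_ratio": round(ratio, 3),
            }
    return found


# Constructed account records: which e-mail address and IP addresses each
# account was registered from. The forum persona has no e-mail on file but
# shares IPs with accounts that do.
ACCOUNTS = {
    "persona-forum": {"email": None, "ips": {"198.51.100.7", "203.0.113.9"}},
    "exchange-kyc": {"email": "user@example.invalid", "ips": {"198.51.100.7"}},
    "ramp-account": {"email": "user@example.invalid", "ips": {"192.0.2.44"}},
    "video-site": {"email": "user@example.invalid", "ips": {"203.0.113.9"}},
}


def shared_identifiers(accounts):
    """Invert the records: every e-mail or IP seen on two or more accounts,
    mapped to the sorted list of accounts that carried it."""
    index = defaultdict(set)
    for name, attrs in accounts.items():
        if attrs["email"]:
            index[("email", attrs["email"])].add(name)
        for ip in attrs["ips"]:
            index[("ip", ip)].add(name)
    return {key: sorted(names) for key, names in index.items() if len(names) > 1}


def connected_to(accounts, start):
    """Transitive closure over shared identifiers: every account reachable from
    `start` through a chain of shared e-mails or IPs."""
    links = shared_identifiers(accounts)
    seen, frontier = {start}, [start]
    while frontier:
        current = frontier.pop()
        for names in links.values():
            if current in names:
                for other in names:
                    if other not in seen:
                        seen.add(other)
                        frontier.append(other)
    return sorted(seen)


if __name__ == "__main__":
    print("pass-through candidates:", pass_through_candidates(LEDGER))
    print("accounts linked to persona:", connected_to(ACCOUNTS, "persona-forum"))
```

On the constructed data WALLET-A is flagged (it forwards about 98% of its inflow within three hours, the way the complaint characterizes BTC Wallet-1), WALLET-B is not, and the forum persona chains through two shared IPs and one shared e-mail to all three real-world accounts. The design point for defenders and investigators is that neither signal is conclusive on its own: the wallet heuristic needs thresholds tuned to the chain's fee and timing behaviour, and IP overlap is only corroborating evidence, which is why the complaint stacks KYC data, invoices and correspondence on top of it.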