Full Report
Kai West, a 25-year-old British national, is accused of stealing data from more than 40 organizations during a two-year spree. Source: "Notorious cybercriminal 'IntelBroker' arrested in France, awaits extradition to US", CyberScoop.
Analysis Summary
# Threat Actor: IntelBroker (Kai West)
## Attribution & Identity
- **Primary Identity:** Kai West, a 25-year-old British national.
- **Known Aliases:** IntelBroker.
- **Known Associations:** Conspired with members of a cybercrime group he led. Identified as the owner of the online forum 'Forum-1' from August 2024 to January 2025.
## Activity Summary
IntelBroker engaged in a "nefarious, years-long scheme" to steal and sell victim data, allegedly causing over $25 million in damages worldwide. The period of identified activity runs from approximately January 2023 until his arrest in February 2025. He offered data stolen from over 40 organizations for sale.
## Tactics, Techniques & Procedures
- **Data Theft/Exfiltration:** Stole data from victim organizations.
- **Sales of Stolen Data:** Offered stolen data for sale on illicit forums.
- **Data Access Method:** Accused of accessing data from a U.S.-based telecommunications provider via an "improperly configured server."
- **Forum Activity:** Made 158 public posts on 'Forum-1', soliciting sales or distributing data.
  - 16 posts included specific asking prices totaling nearly $2.5 million.
  - 25 posts solicited negotiated sales prices.
  - 117 posts offered stolen data for free distribution.
- *(No specific MITRE ATT&CK IDs were provided in the source text.)*
## Targeting
- **Sectors:** Telecommunications, Municipal Health Care Provider, Internet Service Provider, and Government/Insurance Exchange ([DC Health Link](https://cyberscoop.com/dc-health-exchange-breach-congress-defense-official/)).
- **Geography:** Primarily U.S.-based companies (accused of offering data stolen from U.S.-based companies at least 41 times). Activity caused worldwide damages.
- **Victims:**
  - A U.S.-based telecommunications company.
  - A municipal health care provider (data included patient PII/PHI).
  - An internet service provider.
  - DC Health Link (Washington's health insurance exchange).
## Tools & Infrastructure
- **Malware Families Used:** Not specified in the summary.
- **Infrastructure (C2, domains, IPs):**
  - **Forum-1:** An online forum where the actor sold and distributed data, identified as being owned by West between August 2024 and January 2025.
## Implications
The arrest of IntelBroker removes a prolific, high-volume actor from the cybercriminal landscape who specialized in data brokering. His operations demonstrated the financial viability of exploiting misconfigurations (as noted with the telecom breach) to access sensitive customer and patient data for subsequent resale, causing significant financial damage ($25M+) and exposing vast amounts of personal information.
## Mitigations
- **Access Control & Configuration Hardening:** Immediate review and remediation of publicly accessible and improperly configured servers, especially those handling sensitive customer data (as exploited against the telecom provider).
- **Data Security Awareness:** Security teams must be vigilant regarding data exposure points, since selling stolen data (including patient PII/PHI) is a primary revenue stream for actors like IntelBroker.
- **Monitoring Illicit Forums:** Monitoring platforms like 'Forum-1' is critical for early detection of data leaks originating from victims.