
IntelBroker
Black hat hacker
Kai Logan West, also known by the online pseudonym IntelBroker, is a former black hat hacker who has committed several high-profile cyberattacks against large corporations and government agencies, with over 80 sales and leaks of compromised data having been traced to them.
Early Activity
Kai Logan West (born 1999 or 2000), operating under the online pseudonym IntelBroker, began hacking activities in October 2021, initially targeting minor organizations. The actor gained wider attention in early 2023 following a breach of the U.S.-based grocery delivery service Weee!, which exposed the personal information of more than one million customers, including names, phone numbers, email addresses, and building entry codes. Before their identity was publicly revealed, some analysts speculated that IntelBroker was an Iranian Persistent Threat Group due to the scale and sophistication of their operations. In an interview with The Cyber Express, IntelBroker confirmed they were a single individual. In a separate interview with the German podcast Inside Darknet, they claimed to be Serbian and stated they resided in Russia for personal safety reasons.
BreachForums and CyberNiggers
In 2023, IntelBroker joined the hacking group CyberNiggers on BreachForums, an online cybercrime forum, and orchestrated the group's most significant cyberattacks during their time with the organization. In August 2024, IntelBroker became the owner of BreachForums, a position they held until resigning in January 2025. The forum remained active following their departure.
Modus Operandi
IntelBroker employed a broad range of tactics to compromise target systems. After gaining initial access, they would typically attempt to establish persistent access by running unauthorized commands and manipulating system accounts, sometimes obfuscating malicious files or escalating privileges to hinder detection. IntelBroker generally sought to sell network access before extracting and selling victim data on platforms such as BreachForums.
IntelBroker developed a ransomware strain written in C# called Endurance and published its source code on GitHub. Unlike conventional ransomware, Endurance overwrites and then deletes targeted files rather than encrypting them for ransom. The Department of Defense Cyber Crime Center (DC3) confirmed that Endurance was used to compromise several U.S. government agencies. Some analysts speculated a connection to the Iranian Shamoon wiping software, a claim IntelBroker denied. Ransomware activity appears to have ceased after 2023.
Notable Attacks
As of June 2024, IntelBroker had posted over 80 separate leaks and sales of compromised data on BreachForums, claiming to have sold information from over 400 organizations, the majority of which were U.S.-based.
Notable incidents include a March 2023 breach of DC Health Link, which exposed the contact information and Social Security numbers of members of the United States Congress. In April 2024, IntelBroker and a collaborator known as Sanggiero breached Acuity, a U.S. government technology contractor, obtaining documents associated with the Five Eyes intelligence alliance and U.S. military personnel; Acuity later determined the leaked data was old and non-sensitive. In May 2024, IntelBroker announced the theft of 9,128 confidential records from Europol, a claim the agency confirmed, though Europol stated no operational data was included. The data was sold for Monero cryptocurrency.
In June 2024, IntelBroker claimed to have obtained source code for several internal Apple tools and released the material on BreachForums; subsequent analysis found the files were plugins rather than source code, though they were still assessed as a potential security risk. Also in June 2024, IntelBroker claimed a breach of semiconductor company AMD, with AMD acknowledging the incident but characterizing it as limited in scope. Bloomberg reported a 2.4% drop in AMD's stock price following the announcement.
In October 2024, IntelBroker and a collaborator identified as EnergyWeaponUser were reported to have exfiltrated a large volume of data from Cisco, including source code, credentials, API tokens, and SSL certificates. Cisco removed public access to its DevHub resources in response but stated its internal systems had not been breached. IntelBroker released approximately 2.9 of the claimed 4.5 terabytes of data in December 2024.
Arrest and Charges
The FBI identified IntelBroker's true identity by tracing a Bitcoin wallet address to a Ramp Network account registered with their driver's license and personal email. IntelBroker was arrested in France in February 2025, along with four other BreachForums administrators. Their identity was formally revealed on June 25, 2025, following an indictment. The United States District Court for the Southern District of New York charged them with four counts related to cybercrime, with alleged damages totaling $25 million; two of the charges carry a maximum sentence of 20 years. The United States has requested extradition.