Full Report
FBI tracked IntelBroker as UK’s Kai West using an email address, crypto trails, YouTube activity and forum posts after dozens of high-profile data breaches and darknet activity.
Analysis Summary
# Threat Actor: IntelBroker (Kai Logan West)
## Attribution & Identity
**Primary Identity:** Kai Logan West, a British national.
**Aliases:** IntelBroker, Kyle Northern, K West.
**Associated Groups/Affiliations:**
* Associated with and moderated the cybercrime/data breach forum "Forum-1" (identified as BreachForums).
* Leadership of a hacking collective called CyberN (formerly "The Boys").
* Potentially linked (unverified) to a past role as a Security Researcher Trainee at the UK’s National Crime Agency (NCA) in 2019.
## Activity Summary
IntelBroker conducted a series of high-profile data breaches between 2023 and early 2025, causing at least $25 million in damages globally. West administered and moderated the data breach forum "Forum-1" (BreachForums), where he listed stolen data for sale, brokered its sale, and built a following by occasionally giving away data samples. He authored at least 158 threads selling data on Forum-1, 41 of which involved US companies. The investigation that led to his arrest included FBI undercover officers posing as buyers on Forum-1.
## Tactics, Techniques & Procedures
- **Data Exfiltration and Sale:** Stealing and selling large databases from various organizations on cybercrime forums.
- **Forum Moderation/Administration:** Playing a key administrative role in the major data breach forum "Forum-1" (BreachForums).
- **Operational Security Failures Leading to Attribution:**
  - Accepting Bitcoin for some transactions; those payments were traced back to him through blockchain analysis.
  - Holding exchange accounts (Ramp, Coinbase) registered under his real identity (Kai Logan West / Kyle Northern), which linked the traced funds to a KYC-verified person.
  - Using a personal Gmail address, tied to KYC verification, university documents, and personal files, for communications.
  - Tying his online aliases to that Gmail account through the account's YouTube viewing history and through signature blocks reused in forum posts.
- **Financial Solicitation:** Solicited cryptocurrency payments, primarily Monero, but accepted Bitcoin on specific occasions.
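The blockchain-analysis step in the attribution bullets above rests on a standard heuristic: addresses spent together as inputs of one Bitcoin transaction are assumed to belong to one wallet, and the resulting cluster is checked for a payment to an exchange deposit address whose customer completed KYC. The following is an added illustration of that pivot, not code from the report or the investigation; every transaction, address and deposit record in it is constructed, and the single-hop "cluster pays a KYC'd deposit address" lookup is a simplification of what a real analyst would follow across several hops.

```python
"""Common-input-ownership clustering with an exchange KYC pivot.

Heuristic: every address spent as an input to one Bitcoin transaction is
treated as controlled by the same wallet, because one party had to sign for
all of them. Clusters built this way are then checked for any payment to an
exchange deposit address whose customer identity is known.

All data below is constructed for illustration; none of it is real chain data.
"""


class DisjointSet:
    """Union-find over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


# Constructed transactions: input addresses and output addresses only.
TXS = [
    {"txid": "tx1", "inputs": ["addrA", "addrB"], "outputs": ["addrC"]},
    {"txid": "tx2", "inputs": ["addrB", "addrD"], "outputs": ["addrE"]},
    {"txid": "tx3", "inputs": ["addrX"], "outputs": ["addrY"]},
    {"txid": "tx4", "inputs": ["addrD"], "outputs": ["exch_dep_1"]},
]

# Constructed: exchange deposit addresses whose owner completed KYC.
KYC_DEPOSITS = {"exch_dep_1": "Kai Logan West"}


def cluster_by_common_input(txs):
    """Union all input addresses of each transaction; return the DisjointSet."""
    ds = DisjointSet()
    for tx in txs:
        ins = tx["inputs"]
        ds.find(ins[0])  # register single-input spenders too
        for addr in ins[1:]:
            ds.union(ins[0], addr)
    return ds


def attribute_address(addr, txs, kyc_deposits):
    """Return (cluster_addresses, identities): the addresses assumed to share a
    wallet with addr, and any KYC identities reached by a direct payment from
    that cluster to a known exchange deposit address."""
    ds = cluster_by_common_input(txs)
    root = ds.find(addr)
    cluster = {a for a in list(ds.parent) if ds.find(a) == root}
    identities = set()
    for tx in txs:
        if any(ds.find(i) == root for i in tx["inputs"]):
            for out in tx["outputs"]:
                if out in kyc_deposits:
                    identities.add(kyc_deposits[out])
    return cluster, identities


if __name__ == "__main__":
    # addrA stands in for the address a buyer paid for a listing (constructed).
    print(attribute_address("addrA", TXS, KYC_DEPOSITS))
```

Two caveats a practitioner should keep in mind. The heuristic is defeated by CoinJoin-style transactions, where unrelated parties co-sign inputs, so real tooling filters those out before clustering. It also does not apply to Monero at all, since ring signatures and stealth addresses hide which outputs a transaction actually spends; that is why the report's point is that the occasional Bitcoin payments, not the Monero ones, provided the trail.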
## Targeting
- **Sectors:** Government agencies, healthcare providers (including a municipal healthcare provider), telecommunications firms, internet service providers (ISPs), and technology companies (e.g., AMD).
- **Geography:** Victims worldwide; 41 of his 158 sales threads involved US companies.
- **Victims:** At least six formally referenced victims (Victim-1 through Victim-6). Specific examples include:
* Victim-1: A telecom provider whose hosting server data was exfiltrated and deleted.
* Victim-3: A municipal healthcare provider whose patient data (over 56,000 individuals) was stolen.
* Victim-6: An ISP breached via information from previous leaks.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly detailed; the reported activity consisted of unauthorized access and data exfiltration.
- **Infrastructure (C2, domains, IPs):**
* **Forum-1/BreachForums:** The primary platform for operations and sales.
* **Cryptocurrency Wallets:** Bitcoin and Monero wallets used for illicit transactions.
* **Personal Email:** A Gmail account used for personal matters that provided key evidence linking the online aliases to Kai Logan West.
## Implications
The takedown of IntelBroker, a major figure in the forum-based data breach market, is a strong reminder that cryptocurrency and obfuscation tools do not give criminals insurmountable anonymity when law enforcement combines undercover operations, blockchain analysis, and the correlation of personal digital footprints. His possible past access as an alleged NCA trainee raises insider-threat concerns for cybersecurity roles within sensitive government organizations.
## Mitigations
- **Preserve Cryptocurrency Payment Indicators:** Record every wallet address presented in an extortion or data-sale demand and share it with law enforcement or a blockchain-analytics provider; the Bitcoin transactions West accepted were the trail that blockchain analysis followed back to him.
- **Strict Operational Security (OPSEC) for Forum Administrators:** Individuals controlling large cybercrime platforms must strictly separate operational accounts from all personal identifiers, including linked email addresses and social media activity.
- **Internal Security Review:** Organizations in sensitive sectors (government, health, telecoms) should review access controls, screen their accounts against credentials circulating in earlier leaks on dark and clear web forums (Victim-6 was breached using information from previous leaks), and monitor for suspicious lateral movement from any account found in such a leak.
- **Verify Claims of Affiliation/Background:** Given the potential NCA link, organizations hiring individuals with cybersecurity backgrounds should conduct thorough and verifiable background checks on claims related to government agency employment.
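The "screen accounts against earlier leaks" mitigation above is concrete enough to show in code. What follows is an added example, not tooling from the report: it parses a constructed `email:password` leak dump, keeps only the organization's domain, checks whether each leaked password still verifies against the account's current hash, and then flags successful logins by accounts whose leaked password is still valid. The directory hash scheme (PBKDF2-SHA256), the domain `example.com`, the dump and the auth log lines are all assumptions made for the example; substitute the real directory's hash format and log source.

```python
"""Screen a directory against a leaked credential dump and flag live logins.

Constructed example. Directory hashes use PBKDF2-SHA256 (assumed scheme);
the leak dump and auth log are made-up sample data.
"""
import hashlib
import hmac
import os

ORG_DOMAIN = "example.com"  # assumed organization domain


def pbkdf2_hash(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def _make_directory():
    """Constructed directory: email -> (salt, hash). Passwords exist here only
    so the example can build realistic hashes; a real directory stores hashes."""
    entries = {}
    for user, pw in [("alice", "Winter2023!"), ("bob", "hunter2"), ("carol", "correct-horse")]:
        salt = os.urandom(16)
        entries[f"{user}@{ORG_DOMAIN}"] = (salt, pbkdf2_hash(pw, salt))
    return entries


DIRECTORY = _make_directory()

# Constructed dump: includes another domain, a malformed line, mixed case and a duplicate.
LEAK_DUMP = """\
alice@example.com:Winter2023!
bob@example.com:Summer2022
dave@other.org:pass
malformed line
carol@EXAMPLE.com:correct-horse
alice@example.com:Winter2023!
"""

# Constructed auth log: "<timestamp> <account> <result> <source ip>"
AUTH_LOG = """\
2025-01-10T08:00:01Z alice@example.com SUCCESS 203.0.113.5
2025-01-10T08:05:10Z bob@example.com FAILURE 198.51.100.7
2025-01-10T09:12:44Z carol@example.com SUCCESS 10.0.0.12
2025-01-10T09:13:02Z erin@example.com SUCCESS 10.0.0.13
"""


def parse_dump(text, domain):
    """Return email -> set(passwords) for lines belonging to the given domain."""
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # malformed line
        email, password = line.split(":", 1)  # passwords may themselves contain ':'
        email = email.strip().lower()
        if not email.endswith("@" + domain):
            continue
        creds.setdefault(email, set()).add(password)
    return creds


def screen(directory, leaked):
    """Return email -> 'reset_now' if a leaked password still verifies, else 'in_dump'."""
    findings = {}
    for email, passwords in leaked.items():
        if email not in directory:
            continue
        salt, stored = directory[email]
        still_valid = any(hmac.compare_digest(stored, pbkdf2_hash(p, salt)) for p in passwords)
        findings[email] = "reset_now" if still_valid else "in_dump"
    return findings


def flag_logins(auth_log, findings):
    """Successful logins by accounts whose leaked password still works: anyone
    holding the dump could be behind them, so these are the top-priority alerts."""
    alerts = []
    for line in auth_log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, result, src = parts
        if result == "SUCCESS" and findings.get(user) == "reset_now":
            alerts.append((ts, user, src))
    return alerts


if __name__ == "__main__":
    found = screen(DIRECTORY, parse_dump(LEAK_DUMP, ORG_DOMAIN))
    print(found)
    print(flag_logins(AUTH_LOG, found))
```

Accounts that merely appear in the dump with a stale password still deserve a review, since the same people often reuse passwords elsewhere, but the "reset_now" set is what should drive an immediate forced reset and a hunt through session and lateral-movement logs.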