Full Report
Kai West, a 25-year-old British national, is accused of stealing data from more than 40 organizations during a two-year spree. The post Notorious cybercriminal ‘IntelBroker’ arrested in France, awaits extradition to US appeared first on CyberScoop.
Analysis Summary
# Threat Actor: IntelBroker (Kai West)
## Attribution & Identity
* **Name:** Kai West
* **Nationality:** 25-year-old British national.
* **Aliases:** IntelBroker.
* **Known Associations:** Conspired with members of a cybercrime group he led.
* **Status:** Arrested in France in February 2025; facing federal charges in the US; awaiting extradition.
## Activity Summary
Kai West, operating as IntelBroker, engaged in a prolific, two-year scheme (approximately January 2023 until February 2025) stealing data from over 40 organizations globally and selling the information on underground forums. The resulting damage is estimated to exceed $25 million worldwide. He was identified as the owner of the sales forum 'Forum-1' between August 2024 and January 2025. He made 158 public posts offering data for sale, negotiation, or free distribution.
## Tactics, Techniques & Procedures
The article focuses heavily on the *objective* (data theft and sale) rather than specific technical TTPs, but implies the following:
- **Data Exfiltration/Theft:** Stealing sensitive data from victim networks.
- **Initial Access (Implied):** Gaining access to systems, demonstrated by exploiting an improperly configured server at one telecommunications provider.
- **Sales/Monetization:** Listing and selling stolen data on underground forums (Forum-1).
*Note: Specific MITRE ATT&CK IDs are not mentioned in the source material.*
## Targeting
* **Sectors:** U.S.-based telecommunications, municipal health care, internet service provider, and health insurance exchanges (e.g., DC Health Link).
* **Geography:** Primarily U.S.-based companies; global impact due to resulting damages.
* **Victims:** Data stolen from over 40 organizations. Specific named victims include:
* A U.S.-based telecommunications company.
* A municipal health care provider (patient data including SSNs, DOBs, health/employer info).
* DC Health Link (exposing personal information of Washington powerbrokers and a former defense official).
## Tools & Infrastructure
* **Malware Families Used:** Not specified.
* **Infrastructure:**
* **Sales Platform:** Forum-1 (which West allegedly owned from August 2024 to January 2025).
* **C2/Domains:** None specified or defanged.
## Implications
The successful identification and arrest of IntelBroker highlights the international cooperation necessary to dismantle cybercrime operations focused on data monetization. The nature of the data stolen (including patient records, PII, and information on government figures) indicates a significant threat to both corporate security and national security/privacy interests. The volume of his illicit sales ($2.5 million sought across 158 posts) underscores the high profitability of selling stolen corporate data.
## Mitigations
* **Server Configuration:** Immediately review and correct improperly configured servers that allow unauthorized access to sensitive data stores.
* **Data Protection:** Implement robust controls to prevent the exfiltration of Personally Identifiable Information (PII) and protected health information (PHI).
* **Vendor Monitoring:** Be aware of underground market discussions; monitor forums where stolen data matching internal assets might be advertised for sale.