IntelBroker
IntelBroker is a cybercriminal threat actor and stolen-data broker active publicly since at least October 2022. The actor is repeatedly described as a prominent BreachForums user and later owner/administrator of BreachForums, with a reputation for posting large, genuine leaks and selling or releasing stolen data. In June 2025, U.S. authorities announced charges identifying “IntelBroker” as the online persona of 25-year-old British national Kai Logan West, also referenced as using the alias Kyle Northern.
Based on the provided reporting, IntelBroker has been linked to intrusions, breach claims, or data sales affecting a wide range of targets, including U.S. government agencies and contractors, technology companies, telecommunications providers, retailers, and critical infrastructure-related entities. Reported victims or claimed victims include Acuity, Cisco, AMD, Apple, Europol, DC Health Link, PandaBuy, Weee!, Los Angeles International Airport, Hewlett Packard Enterprise, General Electric/GE Aviation, Volvo Cars, Verizon, AT&T, USCellular, Autotrader, Hilton Hotels, ICE, USCIS, the Department of Defense, the U.S. Army, and Zscaler. Some incidents remain claims by the actor, while others were at least partially confirmed by affected organizations.
Tactics and tradecraft directly mentioned in the content include exploiting security misconfigurations, insecure APIs, third-party compromises, stolen credentials, and public-facing development resources; abusing multiple API flaws; exploiting Jenkins CVE-2024-23897 to obtain credentials and then access a corporate GitHub account and private repositories; stealing GitHub credentials from an Acuity Tekton CI/CD server according to a collaborator’s claim; accessing exposed DevHub/JFrog resources in the Cisco case; and obtaining or selling source code, credentials, API tokens, certificates, private keys, cloud storage access, internal documents, and large datasets containing PII.
The actor commonly advertised stolen data on BreachForums, leaked samples publicly to prove authenticity, and sought payment in cryptocurrency including Monero. The content also links IntelBroker to collaboration with Sanggiero/Sangierro in the PandaBuy and Acuity-related activity. IntelBroker is additionally associated in the reporting with the group CyberN****** and with ownership/administration of BreachForums after prior law-enforcement disruption. One source notes IntelBroker denied ties to Iranian APT groups. Another source states IntelBroker has been linked to ransomware operations under the name Endurance Ransomware, but no further corroborating detail is provided in the supplied content. IntelBroker is not described in the provided content as a nation-state actor. The reporting instead characterizes the actor as financially motivated, focused on data theft, brokerage, extortion-oriented sales, and high-profile leak activity, though one article notes motives may also include disruption.
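Much of the tradecraft above comes down to credential material (API tokens, private keys, cloud keys) sitting in public-facing development resources. The following added example, written for this page and not code from Mallory or any affected vendor, is a hypothetical pre-publish secret scan that a team could run over an artifact bundle before pushing it to a public DevHub or artifact repository; the sample files and key values are constructed placeholders.

```python
"""Pre-publish secret scan for artifacts destined for a public-facing dev portal.

Hypothetical defensive helper (not Mallory's, Cisco's or any vendor's code):
flags credential material that should never reach a public DevHub /
artifact repository. The sample bundle at the bottom is constructed.
"""
import re

# Patterns for the kinds of material named in the reporting: private keys,
# cloud access keys, GitHub tokens and hard-coded API tokens.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "api_token_assignment": re.compile(
        r"(?i)\b(?:api[_-]?token|api[_-]?key|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def scan_text(path, text):
    """Return (path, line_no, kind) for every secret-looking line in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, kind))
    return findings


def scan_bundle(files):
    """Scan a {path: content} bundle; returns all findings across files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample bundle: the first three files mimic what a careless
# publish would push. AKIAIOSFODNN7EXAMPLE is AWS's documented example key.
SAMPLE_BUNDLE = {
    "sdk/config.py": 'API_TOKEN = "tok_0123456789abcdef"\nTIMEOUT = 30\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    ".env.example": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Install with pip. Use your own token.\n",
}

if __name__ == "__main__":
    # A non-empty result should fail the publish step in CI.
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print("%s:%d %s" % finding)
```

Wire `scan_bundle` into the publish job so that any finding blocks the push; the patterns are deliberately narrow and should be extended for the token formats your own stack uses.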
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Military
- Health Care Equipment & Services
- Software & Services
- Capital Goods
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
14 distinct techniques observed across reporting, grouped by tactic.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Claimed theft of large volumes of Cisco data from a public-facing DevHub environment, including source code, credentials, API tokens, and AWS private bucket data.
- Associated in the content with the public posting of DC Health Link breach data to a popular data breach forum.
- Allegedly attributed as one of the actors behind the Pandabuy data breach involving the exposure of 1.3M unique email addresses and associated personal/order data.
- IntelBroker is referenced as a cybercrime actor or group with accounts and PGP keys found in the BreachForums leak, indicating involvement in cybercriminal activities on the forum.