If you’ve been following cybersecurity news lately, you’ve almost certainly heard the name "IntelBroker." For years, this digital phantom haunted major corporations and government agencies, leaking sensitive data and making bold claims on the dark web. It turns out, the person behind the mask wasn't a state-sponsored Russian operative as many suspected, but a 25-year-old British national named Kai Logan West.
Profile Picture Used By IntelBroker
West, who allegedly caused over $25 million in damages worldwide, was finally unmasked and charged in June 2025 after a dramatic arrest in France earlier that year [1]. His targets were a "who's who" of the tech world, including Apple, AMD, Cisco, and Europol. In a twist of irony, investigations revealed that this notorious cybercriminal once worked as a trainee for the National Crime Agency [2]. Ultimately, his capture came down to a simple slip-up in a cryptocurrency transaction, which gave investigators the digital thread they needed to unravel the entire scheme. Here is the full scoop on the man behind the keyboard and how he was finally caught.
West’s License (Source: justice.gov [3])
For a long time, IntelBroker was just a mysterious online username. He told people he was Serbian and lived in Russia for safety.
His real name is Kai Logan West. He is a British national born around 1999 or 2000, making him about 25 years old when the charges were announced. Before his life of crime made headlines, he actually had a background in security. Amazingly, investigators found that he had previously worked as a trainee at the National Crime Agency [2], which is like the UK's version of the FBI.
Kai West lived a double life. Online, he was a powerful hacker known as "IntelBroker" (or sometimes "Kyle Northern"), but in the real world, he was just a young man from England.
IntelBroker was not just a quiet hacker who stole things and left. He was very loud and public about his work. He spent a lot of time on a criminal website called BreachForums. In fact, he was so involved that he eventually became the owner of the site from August 2024 to January 2025, until his resignation.
IntelBroker Announcing His Resignation (Source: X [4])
He also announced his resignation on BreachForums [5].
> I am making this thread to announce my resignation as BF owner. This has been a long time coming. As of resigning I'm waiting for the two admins to remove my rank.
>
> I did previously say that I didn't want to be admin or anything higher due to me not having any time. I'm very busy IRL and I don't want to be a useless staff member who is inactive. I'm sure the BreachForums community has noticed my lack of interaction overall from me. So I'm resigning because of this.
IntelBroker operated as a prolific data trafficker who breached the networks of major corporations and government agencies like T-Mobile, AMD, and Europol. He exfiltrated high-value assets such as source code, future product plans, and sensitive customer databases [6]. He then monetized this stolen data on the cybercrime marketplace BreachForums. Between 2023 and 2025, he posted over 150 threads to sell data or leak it for free to boost his reputation while aiming to generate millions in illicit profit [1].
IntelBroker did not act alone: he orchestrated attacks through a hacking collective known by the racist moniker "CyberNiggers". He used this group to coordinate sophisticated breaches against varied targets, including telecommunications firms and municipal healthcare providers [1].
IntelBroker developed and deployed a unique malicious software strain named "Endurance" that was written in C#. While often labeled as ransomware, Endurance functioned more as a "wiper" because it was designed to overwrite and permanently delete target files rather than simply encrypting them for extortion. The US Department of Defense confirmed that this destructive tool was used to compromise several U.S. government agencies [7]. The aggressive nature of the software initially led experts to misidentify it as the work of state-sponsored Iranian hackers, which was a claim IntelBroker denied.
Financial anonymity was central to IntelBroker's strategy, so he demanded payment in Monero [1]. Monero is favored by cybercriminals for its privacy features that obscure transaction details from law enforcement.
IntelBroker was responsible for dozens of breaches, but five campaigns stand out for their severity and the panic they caused:
One of his most shocking hacks was against "DC Health Link", a health insurance market. This breach leaked the personal info of US Congress members and their staff [8]. He also claimed to have stolen data from US agencies like Immigration and Customs Enforcement (ICE).
He managed to get into a platform used by European police (Europol) and claimed to have leaked confidential records, including guidelines for officers [9].
IntelBroker targeted several major technology companies with varying degrees of success. He claimed to have acquired internal tools used by Apple employees, although later analysis suggested that the leak contained plugins for internal tools rather than the core source code of those tools [10].
He also asserted that he had stolen data regarding future products, employee information, customer information, source code, and financial records from the chip manufacturer AMD [11].
Additionally, he leaked gigabytes of data from the networking giant Cisco [12].
Finally, he claimed to have breached T-Mobile's infrastructure in June 2024 by displaying what appeared to be administrative access, though the company denied that its main systems had been compromised [13].
You might wonder, if he was so good at hacking, how did he get caught? The answer lies in a simple mistake and some smart detective work.
IntelBroker was usually very careful. He preferred Monero, the privacy coin we mentioned earlier. But in January 2023, an undercover police officer reached out to buy stolen data from him. The officer convinced him to accept Bitcoin instead of Monero. Bitcoin is much easier to track because every transaction is recorded publicly [2].
Once he accepted the Bitcoin, investigators could see where the money went.
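The kind of forward tracing a public ledger allows, as an added example that is not from the original article or from the investigation itself. The ledger, the addresses and the attribution label are all constructed, and `trace_forward` is a hypothetical helper name.

```python
from collections import deque

# Constructed ledger: every txid, address and amount here is made up.
# Each transaction spends from input addresses and pays output addresses.
LEDGER = [
    {"txid": "tx1", "inputs": ["buyer_addr"], "outputs": {"seller_addr": 0.05}},
    {"txid": "tx2", "inputs": ["seller_addr"], "outputs": {"hop_a": 0.03, "hop_b": 0.02}},
    {"txid": "tx3", "inputs": ["hop_a"], "outputs": {"service_deposit": 0.03}},
    {"txid": "tx4", "inputs": ["hop_b"], "outputs": {"hop_c": 0.02}},
    {"txid": "tx5", "inputs": ["unrelated"], "outputs": {"other": 1.0}},
]
# Assumption: the investigator already holds an attribution label for one address.
LABELS = {"service_deposit": "account-based service (hypothetical)"}


def trace_forward(ledger, start_addr, labels, max_hops=5):
    """Breadth-first walk of the ledger, following spends from start_addr.

    Returns a list of (address, label, path) for every labelled address
    reached, where path is the chain of (txid, address) hops leading to it.
    """
    spends = {}  # address -> transactions that spend from it
    for tx in ledger:
        for addr in tx["inputs"]:
            spends.setdefault(addr, []).append(tx)

    hits, seen = [], {start_addr}
    queue = deque([(start_addr, [])])
    while queue:
        addr, path = queue.popleft()
        if addr in labels:
            hits.append((addr, labels[addr], path))
            continue  # an identified endpoint ends this branch
        if len(path) >= max_hops:
            continue  # hop budget exhausted on this branch
        for tx in spends.get(addr, []):
            for out_addr in tx["outputs"]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, path + [(tx["txid"], out_addr)]))
    return hits


if __name__ == "__main__":
    for addr, label, path in trace_forward(LEDGER, "seller_addr", LABELS):
        print(addr, label, path)
```

Real tracing also has to deal with change outputs and address clustering, which this walk leaves out.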
Police found other sloppy mistakes, too. For example, he used the same internet connection (IP address) for his hacker activities and his personal life. Investigators also saw that his personal IP address watched specific YouTube videos. Shortly after, the "IntelBroker" account posted those exact same videos on the hacking forum [14].
Because of these clues, authorities knew exactly who he was. In February 2025, French authorities, acting on U.S. intelligence, arrested Kai Logan West at his residence in France. The US Justice Department unsealed the charges in June 2025 [1].
We strongly recommend simulating attacks by threat actors such as IntelBroker to validate the effectiveness of your security controls against data exfiltration using the Picus Data Exfiltration Module. You can also validate your security posture against hundreds of other threat actors and region-specific exfiltration campaigns in minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for IntelBroker:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 49541 | PDF Format Data Exfiltration Campaign | Data Exfiltration |
| 96916 | XLS(X) Format Data Exfiltration Campaign | Data Exfiltration |
| 60131 | DOC(X) Format Data Exfiltration Campaign | Data Exfiltration |
| 58765 | Country Specialized Data (U.K.) Exfiltration Campaign - 1 | Data Exfiltration |
| 35732 | Country Specialized Data (US) Exfiltration Campaign | Data Exfiltration |
| 86756 | Personally Identifiable Information (PII) Data Exfiltration Campaign - 1 | Data Exfiltration |
| 30199 | Payment Card Industry (PCI) Data Exfiltration Campaign - 1 | Data Exfiltration |
| 43837 | Financial Data Exfiltration Campaign | Data Exfiltration |
| 48280 | Personally Identifiable Information (UK) Data Exfiltration Campaign | Data Exfiltration |
| 21375 | Personally Identifiable Information (US) Data Exfiltration Campaign | Data Exfiltration |
| 80898 | Country Specialized Data (U.K.) Exfiltration Campaign - 2 | Data Exfiltration |
| 69511 | Payment Card Industry (PCI) Data Exfiltration Campaign - 2 | Data Exfiltration |
| 47972 | Payment Card Industry (PCI) Data Exfiltration Campaign - 3 | Data Exfiltration |
| 21600 | Payment Card Industry (PCI) Data Exfiltration Campaign - 4 | Data Exfiltration |
| 24992 | Payment Card Industry (PCI) Data Exfiltration Campaign - 5 | Data Exfiltration |
| 25566 | XLS(X) Format (U.K.) Data Exfiltration Campaign | Data Exfiltration |
| 71123 | Personally Identifiable Information (PII) Data Exfiltration Campaign - 2 | Data Exfiltration |
| 51350 | Payment Card Industry (US) Data Exfiltration Campaign | Data Exfiltration |
| 50011 | Payment Card Industry (UK) Data Exfiltration Campaign | Data Exfiltration |
| 61054 | Financial (UK) Data Exfiltration Campaign | Data Exfiltration |
| 47996 | DOC(X) Format (UK) Data Exfiltration Campaign | Data Exfiltration |
References
[1] “Serial hacker ‘IntelBroker’ charged for causing $25 million in damages to victims.” Accessed: Jan. 13, 2026. [Online]. Available: https://www.justice.gov/usao-sdny/pr/serial-hacker-intelbroker-charged-causing-25-million-damages-victims
[2] “The IntelBroker Takedown: Following the Bitcoin Trail,” Chainalysis. Accessed: Jan. 13, 2026. [Online]. Available: https://www.chainalysis.com/blog/breachforum-intelbroker-takedown-french-cybercrime-unit-july-2025/
[3] R. B. Finkel and C. Hughes, “COUNTY OF OFFENSE: NEW YORK SOUTHERN DISTRICT OF NEW YORK, ss.” Accessed: Jan. 13, 2026. [Online]. Available: https://www.justice.gov/usao-sdny/media/1404616/dl?inline
[4] “[No title],” X (formerly Twitter). Accessed: Jan. 13, 2026. [Online]. Available: https://x.com/IntelBrokerBF/status/1882553538645225653
[5] Kaaviya, “IntelBroker Resigned as a BreachForums Owner,” Cyber Security News. Accessed: Jan. 13, 2026. [Online]. Available: https://cybersecuritynews.com/intelbroker-resigned-as-a-breachforums-owner/
[6] E. Kovacs, “AMD Investigating Breach Claims After Hacker Offers to Sell Data,” SecurityWeek. Accessed: Jan. 13, 2026. [Online]. Available: https://www.securityweek.com/amd-investigating-breach-claims-after-hacker-offers-to-sell-data/
[7] Accessed: Jan. 13, 2026. [Online]. Available: https://www.dc3.mil/Portals/100/DCISE-DIB-CyberThreats-CY22-Q4-Final.pdf
[8] A. J. Vicens, “Hacker tied to D.C. Health Link breach says attack ‘born out of Russian patriotism,’” CyberScoop. Accessed: Jan. 13, 2026. [Online]. Available: https://cyberscoop.com/dc-health-link-breach-russia-hacker-congress/
[9] S. Sharma, “IntelBroker steals classified data from the Europol website,” CSO Online. Accessed: Jan. 13, 2026. [Online]. Available: https://www.csoonline.com/article/2104251/intelbroker-steals-classified-data-from-the-europol-website.html
[10] Andrew, “Technical Analysis Of Apple Internal Source Code Leak - AHCTS, LLC,” AHCTS, LLC. Accessed: Jan. 13, 2026. [Online]. Available: https://ahcts.co/technical-analysis-of-apple-internal-source-code-leak/
[11] A. Khaitan, “Intelbroker Advertises Massive AMD Data Breach on Dark Web,” The Cyber Express. Accessed: Jan. 13, 2026. [Online]. Available: https://thecyberexpress.com/amd-data-breach-on-dark-web/
[12] E. Kovacs, “Cisco Confirms Authenticity of Data After Second Leak,” SecurityWeek. Accessed: Jan. 13, 2026. [Online]. Available: https://www.securityweek.com/cisco-confirms-authenticity-of-data-after-second-leak/
[13] I. Ilascu, “T-Mobile denies it was hacked, links leaked data to vendor breach,” BleepingComputer. Accessed: Jan. 13, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/t-mobile-denies-it-was-hacked-links-leaked-data-to-vendor-breach/
[14] E. Kovacs, “British Man Suspected of Being the Hacker IntelBroker Arrested, Charged,” SecurityWeek. Accessed: Jan. 13, 2026. [Online]. Available: https://www.securityweek.com/british-man-suspected-of-being-the-hacker-intelbroker-arrested-charged/