Cato CTRL™ Threat Actor Profile: IntelBroker

Executive Summary 

In June 2025, FBI New York and the U.S. Attorney’s Office for the Southern District of New York announced charges against “IntelBroker,” the online persona of 25-year-old British national Kai Logan West. 

IntelBroker operated one of the most sophisticated data brokerage operations documented in the recent history of cybercrime. From December 2022 to February 2025, IntelBroker orchestrated a cybercriminal enterprise that caused more than $25 million in damages to more than 40 victims worldwide.  

Key Threat Actor Attributes: 

  • Real Identity: Kai Logan West (also used alias “Kyle Northern”) 
  • Nationality: British 
  • Primary Platform: BreachForums (owner from August 2024 – January 2025) 
  • Group Affiliation: CyberN****** (four core members identified by August 2024) 
  • Operational Period: December 2022 – February 2025 
  • Total Victim Impact: $25+ million in damages, 40+ victims affected 
  • Criminal Charges: Four-count indictment with a potential 50-year maximum sentence  

Cato CTRL identified IntelBroker as “a prominent figure and moderator in the BreachForums hacking community” through systematic dark web monitoring operations, as noted in the Q2 2024 Cato CTRL SASE Threat Report. IntelBroker’s arrest in France in February 2025 by the Gendarmerie cyber brigade, followed by the arrest of four additional BreachForums administrators in June 2025 announced by the Brigade de la Crime Intérieur (BL2C) of the Paris police headquarters, represents one of the most significant disruptions to the global stolen data economy since the RaidForums takedown in 2022.

Our analysis, based on a comprehensive review of public court documents, reveals the attribution methodologies used to link West’s legitimate persona to his cybercriminal activities, and demonstrates digital forensics techniques that can be applied to future threat actor attribution efforts.

Technical Overview 

Attack Methodology and Infrastructure 

IntelBroker’s technical approach consistently exploited basic security misconfigurations rather than sophisticated zero-day vulnerabilities, revealing how fundamental security failures continue to enable high-impact cybercrime operations. 

Attack Vectors: 

  • Configuration Exploitation: Targeting internet-facing servers with no authentication requirements 
  • Third-Party Compromise: Leveraging vulnerabilities in third-party service providers to reach victim data
  • API Exploitation: Unauthorized access through poorly secured application programming interfaces  

Victim Example: 

  • Target: U.S.-based telecommunications provider  
  • Attack Window: December 29, 2022 – January 6, 2023 
  • Technical Vector: Unauthorized access via the victim’s service provider 
  • Data Exfiltrated: 3,569 objects (i.e. documents and files)  
  • Operational Impact: 45 objects deleted 
  • Victim Costs: Several hundred thousand dollars to identify and remedy the breach  
  • Monetization: 10,000 Monero, equivalent to approximately $1.55 million at the time

Source: U.S. District Court for the Southern District of New York 

Operational Security Failures and Attribution 

Despite sophisticated cybercriminal operations, West’s attribution resulted from fundamental OPSEC failures that threat intelligence professionals can leverage for future investigations. The FBI’s methodical approach demonstrates how multiple seemingly minor errors, when correlated, can provide definitive attribution. 

Critical OPSEC Failures: 

  1. Cryptocurrency Chain Analysis: The Fatal Bitcoin Transaction
    • A single deviation from his preferred Monero to Bitcoin, when an undercover agent insisted on paying in Bitcoin
    • IntelBroker provided BTC-Wallet-1 for a $250 purchase of stolen API keys
    • Blockchain analysis revealed BTC-Wallet-1 was seeded by West Wallet-1 on October 12, 2022
    • West Wallet-1 was created the same day by a Ramp account registered with a UK driving license
    • Direct linkage to Ramp Account-1 with know your customer (KYC) verification: “Kai Logan West” with verifiable date of birth
    • Account creation timing demonstrated deliberate financial structuring to create a “pass through” wallet for obfuscation
  2. Email Infrastructure Reuse: Digital Life Consolidation
    • Identical email address across Ramp, Coinbase, Outlook, and social accounts
    • Cross-platform correlation spanning cybercriminal, financial, and educational activities
    • Warranted email dump revealed comprehensive personal information:
      • Selfies matching the UK driving license photograph
      • Student certification emails for a cybersecurity program (“Certificate of Student Status Academic Year 23/24”)
      • Personal invoices and financial documents addressed to “Kai West”
      • University housing program emails from a UK institution addressed to “Kai” or “Kai Logan”
    • Secondary email account (Kyle.Northern1337) contained additional selfies and receipts in the name “Kai West”
    • Email correlation linked legitimate student life with cybercriminal cryptocurrency transactions
  3. Network Behavior Patterns: IP Address Forensics
    • The same IP addresses were used during active attack operations on servers between January 6-8, 2023
    • VPN → X account → email overlap: The same VPN exit IP address that registered @IntelBroker on December 4, 2023 accessed West’s email account 22 times between September 6, 2023 and March 23, 2024
    • Attack IP → Microsoft account overlap: Two “Attack IP” addresses used during the January 6-8, 2023 breach of a victim were later recorded logging into a Microsoft account linked to West’s email account
    • Microsoft §2703(d) order records provided comprehensive authentication logs
    • Network correlation demonstrated temporal overlap between cybercriminal operations and personal account access
  4. Behavioral Pattern Analysis
    • FBI analysis revealed correlation between West’s personal online activities and IntelBroker forum postings
    • Cross-referencing email account activity logs against forum timestamps revealed consistent patterns
    • West accessed content on personal accounts that was subsequently shared via his cybercriminal persona
    • The investigation included analysis of West’s consumption of media content related to his own cybercriminal activities
    • Minute-level activity correlation: FBI analysis matched West’s YouTube watch history with IntelBroker forum posts; e.g., he watched “kobo requested the ara ara…” from 12:06-12:08 UTC on July 11, 2023 and posted on BreachForums at 12:09 UTC. Two additional matches on February 5, 2024 and April 6, 2024 are detailed in the complaint
    • Self-referential viewing: West viewed news clips covering his own breaches before reposting them under the IntelBroker handle
  5. Digital Evidence Convergence
    • The FBI’s case demonstrates how wallet transactions, facial photographs, email communications, and live attack traffic became “bound together tighter than zip-ties” through systematic digital forensics
    • This multi-vector attribution approach provides a template for future cybercriminal investigations where single-point failures can expose entire criminal enterprises

Source: U.S. District Court for the Southern District of New York 
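The three correlation techniques above (walking a wallet funding chain back to a KYC-verified account, overlapping attack-traffic IPs with account login records, and minute-level matching of viewing sessions against forum posts) are mechanical enough to script. The following is an added illustration written for this profile, not code from Cato CTRL or from the FBI investigation; every IP address, wallet label, account name and timestamp in it is constructed for the example and does not come from the court record.

```python
"""Constructed example: the three record-correlation steps an analyst would
script when attributing a persona. All sample data below is invented."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample data (hypothetical; not from the court documents) ---
ATTACK_EVENTS = [  # (UTC timestamp, source IP observed at the victim server)
    ("2023-01-06T03:12:00", "203.0.113.45"),
    ("2023-01-07T21:40:00", "198.51.100.7"),
    ("2023-01-08T02:05:00", "203.0.113.45"),
]
LOGIN_EVENTS = [  # (UTC timestamp, account, source IP) from a provider's auth logs
    ("2023-01-08T22:30:00", "personal-account", "203.0.113.45"),
    ("2023-02-14T10:00:00", "personal-account", "192.0.2.9"),
    ("2023-03-02T19:11:00", "personal-account", "198.51.100.7"),
]
WATCH_HISTORY = [  # (session start, session end) of media viewed on a personal account
    ("2023-07-11T12:06:00", "2023-07-11T12:08:00"),
    ("2023-07-12T08:00:00", "2023-07-12T08:20:00"),
]
FORUM_POSTS = [  # UTC timestamps of posts made under the persona
    "2023-07-11T12:09:00",
    "2023-07-13T15:00:00",
]
FUNDING_EDGES = [  # (sender, receiver): sender transferred funds to receiver
    ("ramp-account-kyc", "west-wallet-1"),
    ("west-wallet-1", "btc-wallet-1"),
]
KYC_SOURCES = {"ramp-account-kyc": "exchange account with identity verification"}


def ts(s):
    """Parse an ISO-8601 timestamp string."""
    return datetime.fromisoformat(s)


def ip_overlaps(attack_events, login_events):
    """Return the IPs seen both in attack traffic and in account logins,
    with the events on each side so the temporal spread is visible."""
    by_ip = defaultdict(lambda: {"attack": [], "login": []})
    for when, ip in attack_events:
        by_ip[ip]["attack"].append(when)
    for when, account, ip in login_events:
        by_ip[ip]["login"].append((when, account))
    return {ip: v for ip, v in by_ip.items() if v["attack"] and v["login"]}


def posts_following_views(watch_history, forum_posts, max_gap_minutes=5):
    """Pair each forum post with any viewing session that ended at most
    max_gap_minutes before the post (minute-level activity correlation)."""
    matches = []
    for post in forum_posts:
        posted = ts(post)
        for start, end in watch_history:
            gap = posted - ts(end)
            if timedelta(0) <= gap <= timedelta(minutes=max_gap_minutes):
                matches.append({"post": post, "view": (start, end),
                                "gap_minutes": gap.seconds // 60})
    return matches


def trace_funding(wallet, edges, kyc_sources):
    """Walk funding edges backwards from `wallet` (breadth-first) until a
    KYC-verified source is reached; return the path source -> wallet, or None."""
    senders = defaultdict(list)
    for src, dst in edges:
        senders[dst].append(src)
    parent = {wallet: None}
    queue = [wallet]
    while queue:
        node = queue.pop(0)
        if node in kyc_sources:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path
        for s in senders[node]:
            if s not in parent:
                parent[s] = node
                queue.append(s)
    return None


if __name__ == "__main__":
    print(ip_overlaps(ATTACK_EVENTS, LOGIN_EVENTS))
    print(posts_following_views(WATCH_HISTORY, FORUM_POSTS))
    print(trace_funding("btc-wallet-1", FUNDING_EDGES, KYC_SOURCES))
```

Each function on its own produces only a lead; the attribution value comes from the convergence, which is why the result of each step is returned as structured data that can be joined with the others rather than printed and discarded. The time-gap check deliberately rejects posts that precede a viewing session, since the hypothesis being tested is "viewed, then posted".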

Organizational Structure and Evolution 

Group Development Timeline: 

  • January 2023: The Boys (approximately 32 members)  
  • March 2023: Rebranded to CyberN****** with expanded operations 
  • August 2024: Four core members of CyberN****** including collaborator CC-1 
  • August 2024 – January 2025: IntelBroker identified as BreachForums “owner” 

BreachForums Activity Metrics (FBI Analysis): 

  • 158 threads offering stolen data for sale or free distribution 
  • 41 threads targeting US-based companies specifically 
  • Cumulative asking prices totaling $2.47 million 
  • 117 posts offering data for free to build reputation and customer base 

Source: U.S. District Court for the Southern District of New York 

International Coordination and Takedown 

Arrest Timeline: 

  • February 2025: West arrested at residence in France by Gendarmerie cyber brigade 
  • June 23, 2025: Brigade de la Crime Intérieur (BL2C) of the Paris police headquarters arrest four additional BreachForums administrators (“ShinyHunters,” “Hollow,” “Noct,” and “Depressed”)  
  • June 25, 2025: U.S. Department of Justice unseals four-count indictment 

Legal Exposure: 

  • Two computer intrusion conspiracy counts (maximum 5 years each) 
  • Two wire fraud counts (maximum 20 years each) 
  • Total potential sentence: 50 years 
  • Current status: In French custody pending U.S. extradition proceedings 


Conclusion 

The IntelBroker case demonstrates that even sophisticated cybercriminals operating at the highest levels of underground forums remain vulnerable to persistent and methodical threat intelligence work. The successful attribution and disruption of this operation required coordination between advanced technical analysis, behavioral pattern recognition, and international law enforcement cooperation. 

Key Threat Intelligence Takeaways 

  1. Attribution Effectiveness: Combining cryptocurrency chain analysis with behavioral pattern matching provides highly reliable threat actor attribution, even when threat actors attempt sophisticated anonymization.
  2. OPSEC Vulnerability: Single OPSEC failures can compromise years of careful cybercriminal activity. West’s case demonstrates how one Bitcoin transaction and an email reuse pattern exposed an entire cybercriminal enterprise.
  3. Platform Disruption Impact: The coordinated takedown of BreachForums leadership created significant disruption in the global stolen data marketplace, representing one of the largest forum disruptions since RaidForums in 2022.
  4. International Cooperation Success: France-U.S. coordination provides a template for future cybercrime investigations targeting threat actors operating across jurisdictions.

Forward-Looking Implications 

IntelBroker’s takedown illustrates the future of cybercriminal investigations: combining traditional indicators like wallet hops, IP logs, and KYC documents with unconventional behavioral clues such as forum posting patterns, YouTube viewing history, and cloud login activity—until the offender’s identity is fully exposed. This blend of concrete data and human behavior isn’t a temporary tactic but the evolving approach in cyber forensics.  

As threat actors employ more complex obfuscation methods—using mixers, Monero, and burner infrastructures—the real breakthroughs will come from combining reliable technical evidence with large-scale behavioral analysis. Threat intelligence teams that follow this approach will continue to track down threat actors who believe they’ve disappeared from the web. 

The temporary disruption of BreachForums’ global stolen data economy may lead to market fragmentation, requiring threat intelligence teams to monitor a broader ecosystem of smaller platforms (forums, marketplaces, Telegram channels, etc.) rather than focusing on a single dominant marketplace. Organizations should prepare for this evolution by enhancing continuous dark web monitoring capabilities and establishing processes for rapid threat landscape adaptation. 
