Cybercrime Boss ‘IntelBroker’ Exposed as BreachForums Admin

IntelBroker is a prominent cybercriminal known for high-profile breaches of both corporations and government entities. The intrusions typically combine social engineering, malware deployment, and exploitation of vulnerabilities, and have resulted in significant data exfiltration and disruption of critical services.

The actor emerged in late 2022, initially operating as a ransomware group and quickly expanding into large-scale data breaches of high-profile organizations such as AMD, Europol, and Cisco.

IntelBroker gained notoriety through involvement in BreachForums, ultimately assuming leadership of the platform. Their operations primarily focused on exfiltrating sensitive data and demanding ransom payments exclusively in Monero cryptocurrency.

The actor relies on vulnerability exploitation for its attacks and prioritizes operational security through advanced anonymity techniques; this consistent focus on operational secrecy while carrying out malicious activity has raised their standing within the cybercrime community.

The investigation linked the username “IntelBroker” to multiple email addresses, four of which were confirmed as malicious. Email 1, on cock.li, was registered to IntelBroker’s banned X account, and Email 2, on proton.me, appeared in a forum leak.

Four of the leaked email addresses had been used to register accounts on services including Amazon, Vimeo, Dailymotion, Keybase, and Dropbox, while the final address was also linked to a banned X account and a Skype account.

Mullvad VPN was IntelBroker’s primary VPN service, with TunnelBear as a secondary option. The BreachForums leak revealed a diverse VPN infrastructure, with connections originating from Serbia, Ashburn, and Amsterdam.

[Figure: VPN services used by IntelBroker]

The actor used at least two Minecraft accounts. The “ClamAV” account, created in 2020, showed VPN usage with locations in the Netherlands and France, while the “Thick” account, created in 2010, displayed an IP address registered in Florida, suggesting a potential direct (non-VPN) connection.

[Figure: IntelBroker’s Minecraft user on the NameMC website]

KELA linked the AgainstTheWest hacking group to a Medium account by identifying the same email address used in both the OGUsers forum leak and the AgainstTheWest social media profile.

Investigation of AgainstTheWest’s profile photo linked a GitHub account and a new email address to a Microsoft account possibly associated with IntelBroker.
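The pivoting described above (handle to email addresses, email addresses to service registrations, a shared email to a second persona) is a graph walk over leaked account records. The following is an added example, not KELA's tooling or anything from the article: it builds an identity graph from constructed, entirely fictional leak records and breadth-first searches outward from a seed identifier, reporting the hop distance so that distant links can be flagged for corroboration rather than treated as confirmed attribution. All record sources, usernames, email addresses and IPs below are made up.

```python
"""Added example: identifier pivoting across leaked account records.
Not from the article or from KELA; every record below is constructed."""
from collections import defaultdict, deque

# Constructed sample "leak" records: (source, {field: value, ...}).
# All identifiers are fictional and use reserved example ranges/domains.
RECORDS = [
    ("forum_leak",    {"username": "actor1", "email": "a1@example.test", "ip": "203.0.113.7"}),
    ("social_ban",    {"username": "actor1_x", "email": "a1@example.test"}),
    ("video_site",    {"email": "a1@example.test", "username": "clip_user"}),
    ("game_accounts", {"username": "clip_user", "ip": "198.51.100.4"}),
    ("unrelated",     {"username": "someone_else", "email": "z@example.test"}),
]


def build_graph(records):
    """Undirected graph whose nodes are (field, value) pairs.

    Every record connects all of its own identifiers to each other, so a
    username and an email that appear in the same leaked row become
    neighbours. Also returns which sources each node was observed in.
    """
    graph = defaultdict(set)
    owner = defaultdict(set)  # node -> set of source names it appeared in
    for source, fields in records:
        nodes = [(field, value.lower()) for field, value in fields.items()]
        for n in nodes:
            owner[n].add(source)
            for m in nodes:
                if m != n:
                    graph[n].add(m)
    return graph, owner


def pivot(records, start, max_hops=3):
    """BFS from a seed identifier, e.g. ("username", "actor1").

    Returns {node: hops}. The hop count is the analyst's confidence proxy:
    a one-hop link comes from a single record, while a three-hop link has
    crossed several datasets and needs corroboration before the identities
    are treated as the same person.
    """
    graph, _ = build_graph(records)
    seen = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue  # do not expand beyond the requested radius
        for neighbour in graph[node]:
            if neighbour not in seen:
                seen[neighbour] = seen[node] + 1
                queue.append(neighbour)
    return seen


def sources_for(records, node):
    """Which leak sources an identifier was observed in (sorted, for stable output)."""
    _, owner = build_graph(records)
    return sorted(owner[node])


if __name__ == "__main__":
    for node, hops in sorted(pivot(RECORDS, ("username", "actor1")).items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s): {node[0]}={node[1]}  seen in {sources_for(RECORDS, node)}")
```

In the sample data the seed username reaches a second username two hops away through a shared email, and a second IP three hops away; the unrelated record never joins the cluster. On real leak data the same walk should be run with a small radius first and widened only as each link is manually verified, since a single shared throwaway email or a recycled VPN exit IP will otherwise merge unrelated people.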

IntelBroker initiates attacks by exploiting vulnerabilities in public-facing services and leveraging compromised credentials. They establish persistent access, escalate privileges, and exfiltrate high-value data, monetizing it through direct sales and extortion schemes.

The attribution drew on open source intelligence (OSINT) and analysis of leaked data, including unconventional sources such as Minecraft account records.

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press (https://cyberpress.org/). She covers various cyber security incidents happening in cyberspace.