IntelBroker, one of the most prominent figures in the cybercrime landscape, has left a trail of high-profile data breaches and ransomware attacks that have rocked both corporate giants and government entities. A detailed report by KELA sheds light on IntelBroker’s operations, tactics, and digital footprint, offering critical insights for cybersecurity professionals worldwide.
IntelBroker emerged in late 2022, initially making waves on BreachForums, where he quickly gained a reputation as a skilled ransomware operator. Over time, he transitioned into a leadership role, eventually taking control of BreachForums, a notorious hub for hacking activities. His portfolio includes breaches of AMD, Europol, and Cisco, with ransom payments exclusively demanded in Monero (XMR).
KELA notes, “IntelBroker distinguishes himself in the cybercrime underworld by combining technical expertise with a strong emphasis on operational security (OpSec),” ensuring his activities remain shrouded in anonymity.
The report unveils significant details about IntelBroker’s operations through meticulous analysis of open-source intelligence (OSINT). Some highlights include:
- Email Trail: Four verified email addresses tied to IntelBroker were uncovered, spanning domains like cock.li, proton.me, and national.shitposting.agency. These addresses were linked to accounts on platforms such as X (formerly Twitter), Amazon, and Microsoft. One email was notably traced back to Sweden, likely via VPN usage.
- VPN Usage: IntelBroker’s heavy reliance on privacy-focused VPNs like Mullvad and TunnelBear was documented. Connections were traced to geolocations in Serbia, Ashburn (Virginia), and Amsterdam, hinting at his calculated efforts to obfuscate his real location.
- Minecraft Connection: Surprisingly, IntelBroker’s digital footprint extended into the Minecraft community, where he was linked to two accounts: “ClamAV” and “Thick.” Data from leaks associated these accounts with IP addresses in Serbia, the Netherlands, and Florida.
- Possible Links to AgainstTheWest: KELA identified stylistic and operational overlaps between IntelBroker and the hacking group AgainstTheWest, including the use of identical XMR crypto addresses in their profiles.
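The linking described above (shared email addresses, a reused XMR address, Minecraft accounts tied to the same IP ranges) is an identifier-pivot exercise: treat every selector attached to an account as an edge and merge accounts that share one. The script below is an added illustration written for this article, not KELA's tooling, and runs on constructed, hypothetical records (the `PROFILES` list, the `ADDR-1`-style placeholders and the 203.0.113.0/24 documentation addresses are all made up). It treats IP overlap as weak evidence, because an address that belongs to a VPN exit such as the Serbian, Amsterdam and Ashburn endpoints mentioned in the report is shared by many unrelated users and must not merge clusters on its own.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed, hypothetical records for the example (not KELA's data).
# Each record is one account observed in a leak or on a public profile,
# with its selectors prefixed by type: "email:", "xmr:", "ip:".
PROFILES: List[Dict] = [
    {"id": "forum:actorA",       "selectors": {"email:a@example.test", "xmr:ADDR-1"}},
    {"id": "x:actorA",           "selectors": {"email:a@example.test"}},
    {"id": "forum:groupB",       "selectors": {"xmr:ADDR-1", "email:group@example.test"}},
    {"id": "minecraft:player1",  "selectors": {"ip:203.0.113.10", "email:a@example.test"}},
    {"id": "minecraft:player2",  "selectors": {"ip:203.0.113.10"}},
    {"id": "forum:unrelated",    "selectors": {"email:z@example.test", "xmr:ADDR-9"}},
]

# Selector types that many unrelated people share (VPN exits, shared hosting)
# are weak evidence: they are reported for review but never merge clusters.
WEAK_PREFIXES: Tuple[str, ...] = ("ip:",)


def cluster_profiles(profiles: List[Dict], weak_prefixes=WEAK_PREFIXES):
    """Union-find over accounts: two accounts join one cluster when they
    share a strong selector. Returns (clusters, evidence), where evidence
    lists (account_a, account_b, selector) for every merge performed."""
    parent = {p["id"]: p["id"] for p in profiles}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]      # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Invert the data: selector -> accounts that carry it (in input order).
    owners: Dict[str, List[str]] = defaultdict(list)
    for p in profiles:
        for sel in p["selectors"]:
            owners[sel].append(p["id"])

    evidence: List[Tuple[str, str, str]] = []
    for sel, ids in owners.items():
        if sel.startswith(weak_prefixes) or len(ids) < 2:
            continue
        for other in ids[1:]:
            union(ids[0], other)
            evidence.append((ids[0], other, sel))

    groups: Dict[str, Set[str]] = defaultdict(set)
    for pid in parent:
        groups[find(pid)].add(pid)
    clusters = sorted(groups.values(), key=lambda c: sorted(c))
    return clusters, evidence


def weak_overlaps(profiles: List[Dict], clusters: List[Set[str]], weak_prefixes=WEAK_PREFIXES):
    """Weak selectors shared across different clusters: leads for an
    analyst to corroborate, not links. Returns sorted (selector, accounts)."""
    cluster_of = {pid: i for i, c in enumerate(clusters) for pid in c}
    owners: Dict[str, Set[str]] = defaultdict(set)
    for p in profiles:
        for sel in p["selectors"]:
            if sel.startswith(weak_prefixes):
                owners[sel].add(p["id"])
    hints = []
    for sel, ids in owners.items():
        if len({cluster_of[i] for i in ids}) > 1:
            hints.append((sel, tuple(sorted(ids))))
    return sorted(hints)


if __name__ == "__main__":
    clusters, evidence = cluster_profiles(PROFILES)
    for c in clusters:
        print("cluster:", sorted(c))
    for a, b, sel in evidence:
        print(f"  {a} <-> {b} via {sel}")
    for sel, ids in weak_overlaps(PROFILES, clusters):
        print("review (weak):", sel, ids)
```

In the constructed data the forum, X and Minecraft accounts of "actorA" and the "groupB" profile collapse into one cluster through a shared e-mail and a shared XMR address, which is the same kind of evidence the report cites for the AgainstTheWest overlap, while the second Minecraft account that only shares an IP is left separate and surfaced as a lead. Real leak data needs normalisation first (case-folding e-mails, stripping Gmail dots and plus-tags, deduplicating aliases) or the clustering will silently miss links.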
IntelBroker’s approach to cybercrime reflects a sophisticated strategy:
- Initial Access: Exploiting vulnerabilities in public-facing systems like Jenkins servers or leveraging stolen credentials from infostealers.
- Persistence and Privilege Escalation: Employing advanced techniques to maintain long-term access and gain higher network privileges.
- Data Exfiltration and Monetization: Targeting high-value assets, he capitalizes on direct sales and extortion to maximize profits.
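The initial-access item above names exposed Jenkins servers as one entry point, and the first thing a defender wants is an inventory check: which of our Jenkins instances answer an unauthenticated request to the REST API? The following is an added example written for this article, not code from the report or from the Jenkins project. It assumes two documented Jenkins behaviours: responses carry an `X-Jenkins` header with the version, and `/api/json` returns job listings with HTTP 200 to an anonymous caller only when the anonymous user holds Overall/Read, otherwise 403. The `HttpReply` type, the `classify_jenkins` labels and the sample replies are all constructed for the example.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class HttpReply:
    """Minimal view of an HTTP response, so the classifier can be fed
    either a live reply from probe() or a constructed one in tests."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def classify_jenkins(reply: HttpReply) -> str:
    """Label one reply to GET <base>/api/json.
    Returns one of: not-jenkins, anonymous-read, auth-required, jenkins-unknown."""
    hdrs = {k.lower(): v for k, v in reply.headers.items()}
    if "x-jenkins" not in hdrs:            # Jenkins stamps every response
        return "not-jenkins"
    if reply.status == 200:
        try:
            data = json.loads(reply.body)
        except ValueError:
            return "jenkins-unknown"
        if isinstance(data, dict) and "jobs" in data:
            return "anonymous-read"        # unauthenticated caller can enumerate jobs
        return "jenkins-unknown"
    if reply.status in (401, 403):
        return "auth-required"
    return "jenkins-unknown"


def jenkins_version(reply: HttpReply) -> str:
    """Version string from the X-Jenkins header, or '' if absent."""
    for k, v in reply.headers.items():
        if k.lower() == "x-jenkins":
            return v.strip()
    return ""


def probe(base_url: str, timeout: float = 5.0) -> HttpReply:
    """Live check against a host you are authorised to test. Sends a
    single unauthenticated GET and returns the reply, including 4xx."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/json",
        headers={"User-Agent": "jenkins-exposure-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return HttpReply(resp.status, dict(resp.headers),
                             resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return HttpReply(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))


# Constructed sample replies for the example (not captured from any real host).
SAMPLES = {
    "open":    HttpReply(200, {"X-Jenkins": "2.440.1", "Content-Type": "application/json"},
                         json.dumps({"_class": "hudson.model.Hudson",
                                     "jobs": [{"name": "build-prod"}]})),
    "locked":  HttpReply(403, {"X-Jenkins": "2.440.1", "Content-Type": "text/html"},
                         "<html>Authentication required</html>"),
    "notjenk": HttpReply(200, {"Server": "nginx", "Content-Type": "application/json"},
                         json.dumps({"jobs": []})),
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(f"{name:8} -> {classify_jenkins(reply)} (version {jenkins_version(reply) or '-'})")
```

An `anonymous-read` result means anyone on the internet can list jobs, and usually build parameters and console output, which is the reconnaissance step that precedes an exploit against an unpatched instance or a credential hunt through build logs; the fix is to deny Overall/Read to anonymous and keep the instance off the public internet entirely. Run `probe()` only against hosts you own or are authorised to test.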
KELA’s analysis underscores the power of OSINT in uncovering the hidden networks and operations of modern cybercriminals. From email trails to Minecraft accounts, these insights provide valuable intelligence for both law enforcement and private organizations aiming to fortify their defenses.
KELA emphasizes, “IntelBroker’s profile highlights the growing importance of OSINT and data leaks in understanding modern cyber threats.”