A British national accused of operating under the alias “IntelBroker” has been charged in the U.S. over a sweeping cybercrime campaign that caused more than $25 million in damages worldwide.
Kai West, 25, allegedly led a prolific hacking operation that targeted over 40 organizations, including a U.S. telecom provider, a municipal health agency, and an internet service company. The scheme, prosecutors say, ran from 2023 to 2025.
West, who also used the name “Kyle Northern,” is said to have operated a hacking group known as CyberN[——], selling stolen data on an underground forum. Information for sale included customer records, marketing data, and sensitive personal details, often from misconfigured servers.
Over two years, West offered purloined data for sale or trade in at least 158 separate forum posts, including more than 40 linked to U.S. companies. Some data was sold for Monero, a cryptocurrency favored by cybercriminals for its anonymity. Other data was traded for forum credits or shared for free.
According to the FBI, West’s online presence as “IntelBroker” reached such prominence that he was named the forum’s “owner” between August 2024 and January 2025.
“The IntelBroker alias has caused millions in damages to victims around the world,” said U.S. Attorney Jay Clayton. “This action reflects the FBI’s commitment to pursuing cybercriminals globally.”
West was arrested in France in February 2025. The U.S. is seeking his extradition. He faces four federal charges: conspiracy to commit computer intrusions, wire fraud, unauthorized access to protected systems, and conspiracy to commit wire fraud. If convicted, he could face up to 50 years in prison.
The case is being handled by the Southern District of New York’s Complex Frauds and Cybercrime Unit, with assistance from international law enforcement partners in France, Spain, the UK, and the Netherlands.
For now, IntelBroker has gone quiet. But the damage left behind continues to surface.
Darren Guccione, CEO and co-founder, Keeper Security, says: “The arrest of the alleged British hacker known as IntelBroker and the recent takedown of BreachForums admins highlight a critical truth about cybersecurity: data theft is rarely a one-off event. The details of this story aptly demonstrate how once stolen, credentials and information can circulate, be aggregated and weaponised for months or even years in some cases.”
“In this instance, the global criminal network’s sustained activity through dark web forums provides a pertinent example of how attackers rely on long-term access, collaboration, and shared trust within illicit marketplaces,” Guccione adds.
He says this situation highlights the need for individuals and organizations to have immediate visibility into credential exposure. A dark web monitoring tool such as BreachWatch is designed to detect exposed credentials as soon as they become available on the dark web. This allows users to take immediate action to update their credentials, thereby preventing a range of attacks, including account takeovers, financial crimes, and identity theft. Within organizations, stolen credentials can be used by attackers to escalate privileges, move laterally, and mount further costly attacks.
“At the same time, robust credential hygiene is crucial,” he continues. “This includes employing a secure password vault, enforcing strong unique credentials and enabling multi-factor authentication. These measures provide critical barriers against attackers, even if an initial breach is successful. Privileged access management further protects organisations by limiting lateral movement through least-privilege access controls, as well as providing session monitoring and real-time threat detection that can automatically terminate suspicious connections.”
Guccione says these measures prevent bad actors from accessing critical systems and data even if they compromise user credentials – reducing the ‘blast radius’ and significantly minimising, if not completely mitigating, the impact of an attack.
“While no single measure stops every breach, visibility combined with solid credential protection will provide organisations with the ability to detect early, respond fast and significantly limit attacker dwell time. This approach creates a layered, resilient and proactive risk management strategy to keep organisations ahead of cyber threats.”
Guccione offers tips for managing a data breach:
If you suspect that you’ve been breached, it’s essential to take control of the situation as quickly as possible:
Figure out what’s been exposed: Start with the basics: was it login details, sensitive files, or something bigger? This will determine your next steps.
Change all your exposed passwords: Swap out any passwords that could’ve been compromised. Ensure they are long and unique, and never reuse old ones.
Turn on multi-factor authentication: Adding an extra layer, like an authenticator app, can block attackers even if they have gained your password.
Stay vigilant: Stay alert for any strange login attempts, phishing emails or password reset requests. Dark web monitoring tools are very effective as they scan hidden parts of the internet where stolen credentials are traded and alert you the moment your information shows up.
Revoke access tokens & API keys: If you’re in a tech environment, reset keys and tokens right away to stop attackers from keeping access.
Restrict permissions: Implement a PAM solution to establish least-privileged access. Less access means less exposure.
Let people know: If others are affected, tell them what happened and what to do next. Transparency isn’t just a virtue, it’s an effective way to tackle the problem.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.