IntelBroker: A closer look into a Prolific Cybercrime Threat Actor

Introduction
In the muddy waters of hacks, data breaches, leaks, and the dark web, some individuals stand out because of their bold actions and the wide reach of their activities. IntelBroker is one of these players. He went from being relatively unknown to a key figure in the cybercrime scene, known above all for major data breaches affecting big companies and government bodies around the world. Since at least late 2022, IntelBroker has made a name for himself on forums like BreachForums, first as a ransomware operator and then as a well-known data broker who sells unauthorized access. Later, he would also run and own BreachForums for some time, until early this year.
This report gives a detailed look at IntelBroker, pulling together what we know from open sources. It covers who he is, who he works with, his tactics, who he targets, why he does it, his major actions from 2023 to 2025, and what he’s up to now. The goal is to help cybersecurity experts better understand how this actor operates, so they can develop better defense strategies and deal with the threats he poses.
Identity and Background
Self-Reported Details and Initial Speculation
IntelBroker opened up about himself in a couple of interviews. Talking with The Cyber Express and a German podcast called Inside Darknet, he said he is just one person. This contradicts earlier speculation that IntelBroker might actually be a skilled team, perhaps even tied to a state-backed group from Iran. He identified as Serbian and said he lives in Russia for safety reasons. IntelBroker expressed annoyance at how quickly law enforcement labels independent actors with national tags, and he criticized the media for focusing on certain cyberattacks over others. He also mentioned wanting to run a cybercrime forum someday and talked about cashing in on digital weaknesses, claiming it can be done within ethical and legal limits, which is hard to square with what he actually does.
The following is the interview with the German podcast; the conversation was translated into German:
Known and Potential Aliases
IntelBroker is the name most people know, but a few other usernames might be linked to the same person, such as the Minecraft name Thick. There may also be ties to a hacking group called AgainstTheWest (ATW). Investigators found clues pointing to these connections: a shared Monero (XMR) address, matching email addresses and online profiles, and a similar writing style. The shared XMR address is the strongest of these, tying IntelBroker to earlier activity under other usernames and suggesting the person was involved in cybercrime for a while before the IntelBroker name became widely known.
Affiliations and Forum Role
IntelBroker is involved in more than just individual hacks. He also connects with hacking groups and plays an important part in the online cybercrime community.
CyberNiggers Group
In 2023, IntelBroker got involved with a hacking group called CyberNiggers on BreachForums, a group that became known for coordinated cyberattacks. During that time, IntelBroker was said to be behind some of their biggest attacks. Reports indicate that he played a key role by providing the group's initial access, which the others then built on for their further malicious activity, and his tradecraft generally matched the group's style. After some time off, IntelBroker is said to have revived the group on August 9, 2024, and started recruiting active members from BreachForums. The teamwork was visible in incidents like the Cisco one, where IntelBroker worked with members 'zjj' and 'EnergyWeaponUser'.
BreachForums
BreachForums, a major English-language cybercrime forum known for hosting discussions and sales related to data breaches, served as IntelBroker’s primary platform. IntelBroker was an active user and moderator on the forum. Following disruptions in the forum’s leadership, including the arrest of previous administrators like ‘Pompompurin’ and ‘Baphomet’, and the stepping down of ‘ShinyHunters’, IntelBroker ascended to become the owner and acting administrator of BreachForums in August 2024. This position granted significant oversight of the activities conducted on the forum. IntelBroker later resigned from the ownership role in January 2025, though the forum reportedly remains active under different stewardship. IntelBroker’s roles within both the CyberNiggers group and BreachForums administration underscore their prominence and influence within the cybercrime ecosystem, moving beyond simple data theft to positions of coordination and platform control.
Tactics, Techniques, and Procedures (TTPs)
IntelBroker uses a range of tactics to break into systems, steal data, and make money from it. He has solid technical skills and takes operational security seriously.
Initial Access and Exploitation
IntelBroker utilizes several methods to gain initial access to target networks:
- Exploiting Public-Facing Vulnerabilities: One route in is through weaknesses in applications exposed to the internet, often known issues in popular software such as Jenkins servers. In the BORN Group supply chain attack, for example, IntelBroker used a Jenkins vulnerability, CVE-2024-23897, to steal SSH keys and get into GitHub repositories. Evidence from reported breaches suggests weaknesses in other platforms like Jira and Confluence were also targeted.
- Credential Theft and Infostealer Logs: IntelBroker uses stolen logins, most likely harvested from infostealer malware logs. Threat actors often rely on tools like ripgrep to sift through large volumes of log data for username and password pairs tied to specific websites. Accounts with high privileges, like admin accounts or corporate email accounts, are the main targets.
- Supply Chain Attacks: Another route is through trusted vendors or software developers. In the BORN Group case, breaching the IT service provider gave IntelBroker a path into its clients. Claimed breaches at T-Mobile and Ford followed a similar pattern, though both companies said their own core systems were not directly affected.
- Targeting Code Repositories: IntelBroker actively targets Git repositories identified in logs or through other means. Tools like git-dumper are used to clone these repositories, searching for sensitive information such as database credentials, API keys, hardcoded secrets, or proprietary code vulnerabilities. Stolen SSH keys have also been used to directly access private GitHub repositories.
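The Jenkins vulnerability named above, CVE-2024-23897, is the kind of public-facing flaw a defender can triage from the outside by version alone. The script below is an added example, not code from the report or from any tooling it describes. It relies on two facts from the Jenkins security advisory of 2024-01-24: weekly 2.441 and earlier and LTS 2.426.2 and earlier are affected, and the first fixed releases are 2.442 (weekly) and 2.426.3 (LTS). The host inventory and response headers are constructed.

```python
"""Version triage for CVE-2024-23897, the Jenkins CLI arbitrary file read.

Added example; not code from the report or from any tooling it describes.
Per the Jenkins security advisory of 2024-01-24, weekly 2.441 and earlier
and LTS 2.426.2 and earlier are affected; the first fixed releases are
2.442 (weekly) and 2.426.3 (LTS). Jenkins reports its version in the
X-Jenkins response header, which is what a scanner, or an attacker, reads.
The host inventory below is constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_WEEKLY = (2, 442)     # weekly line: 2.N
FIXED_LTS = (2, 426, 3)     # LTS line: 2.N.M
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'2.441' -> (2, 441); '2.426.2' -> (2, 426, 2); anything else -> None."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its own release line.

    The two lines must be compared separately: LTS 2.426.3 is fixed even
    though 426 < 442, and weekly 2.441 is affected even though it is
    numerically above 2.426.3.
    """
    v = parse_version(version)
    if v is None:
        return None
    if len(v) == 3:
        return v < FIXED_LTS
    return v < FIXED_WEEKLY


# Constructed inventory: host -> response headers captured from a GET /
SAMPLE_INVENTORY: Dict[str, Dict[str, str]] = {
    "ci.example.internal": {"X-Jenkins": "2.426.2", "Server": "Jetty(10.0.18)"},
    "build.example.internal": {"X-Jenkins": "2.441"},
    "jenkins-lts.example.internal": {"X-Jenkins": "2.440.1"},
    "legacy.example.internal": {"X-Jenkins": "2.414.3"},
    "www.example.internal": {"Server": "nginx"},
}


def triage(inventory: Dict[str, Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Classify every host as VULNERABLE, patched, unknown or not-jenkins."""
    rows = []
    for host, headers in sorted(inventory.items()):
        lower = {k.lower(): v for k, v in headers.items()}
        version = lower.get("x-jenkins")
        if version is None:
            status = "not-jenkins"
        else:
            vuln = is_vulnerable(version)
            status = "unknown" if vuln is None else ("VULNERABLE" if vuln else "patched")
        rows.append({"host": host, "version": version, "status": status})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:32} {str(row['version']):10} {row['status']}")
```

Two caveats for anyone running this against a real estate: the X-Jenkins header can be stripped by a reverse proxy or left off entirely, so an "unknown" or "not-jenkins" result is a prompt for a manual check rather than a clean bill of health, and the advisory's interim mitigation for instances that could not be upgraded immediately was to disable CLI access, which this version check does not detect.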
Post-Exploitation Activities
Once initial access is achieved, IntelBroker engages in a few different activities to keep control and extract value:
- Persistence and Privilege Escalation: The actor attempts to establish persistent access by running unauthorized commands and manipulating system accounts. They employ techniques to escalate privileges, gaining higher-level access to bypass security controls.
- Defense Evasion: Techniques like obfuscating malicious files or information are used to make detection by security software more difficult.
- Data Discovery and Exfiltration: IntelBroker explores compromised networks to discover valuable data (source code, PII, credentials, confidential documents). This data is then exfiltrated, often via command and control channels. Credential dumping is likely employed to harvest credentials for lateral movement and further access.
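The repository targeting described earlier and the data discovery step above come down to the same search: hardcoded database credentials, API keys, private keys and tokens sitting in source trees. The scanner below is an added example of that search run defensively over a checked-out repository, so the owner finds the secrets before a dumped copy does; it is not code from the report or from git-dumper. The sample files are constructed, the AWS key is Amazon's documented placeholder value, and the token and password strings are made up.

```python
"""Scan a repository tree for the hardcoded secrets the report says are
harvested from Git repositories (database credentials, API keys, SSH keys,
embedded tokens).

Added example, not the report's code or any tool IntelBroker used. The
sample files below are constructed; the AWS key is Amazon's documented
placeholder and the token strings are made up.
"""
import re
from typing import Dict, List

# pattern name -> regex; group 1 is the secret value
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key": re.compile(r"(-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----)"),
    # classic GitHub personal access tokens: ghp_ plus 36 alphanumerics
    "github_token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    # user:password@ embedded in any URL (postgres://, https://, ...)
    "url_embedded_credential": re.compile(r"[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s@/]+)@"),
    # KEY = "value" style assignments in .env, YAML, Python, etc.
    "keyword_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret(?:_key)?|token|passw(?:or)?d)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# obvious placeholders that would otherwise drown real findings in noise
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "your_api_key"}


def redact(value: str) -> str:
    """Keep only a short prefix so reports do not re-leak the secret."""
    return value[:4] + "..." if len(value) > 4 else "...."


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Return one finding per (file, line, pattern) match, with the value redacted."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    value = m.group(1)
                    if value.lower() in PLACEHOLDERS:
                        continue
                    findings.append(
                        {"file": path, "line": lineno, "type": name, "preview": redact(value)}
                    )
    return findings


# Constructed repository snapshot: path -> file contents
SAMPLE_REPO = {
    "config/database.yml": "production:\n  url: postgres://app:Sup3rS3cret!@db.internal:5432/app\n",
    ".env": 'API_KEY="changeme"\nSTRIPE_SECRET="sk_live_constructed_0123456789"\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n-----END OPENSSH PRIVATE KEY-----\n",
    "scripts/upload.py": "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n",
    # a remote URL with a token in it is exactly what a dumped .git/config hands over
    ".git/config": '[remote "origin"]\n\turl = https://ci-bot:ghp_abcdefghijklmnopqrstuvwxyz0123456789@github.com/acme/app.git\n',
    "README.md": 'Set API_KEY="your_api_key" before running.\n',
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f['file']}:{f['line']}  {f['type']:24} {f['preview']}")
```

Running it on the sample tree reports six findings across five files and nothing for the README placeholder. Note that the `.git/config` line is flagged twice, once as a GitHub token and once as a credential embedded in a URL; that is intentional, since the remote URL in a dumped `.git` directory is often the first thing an attacker reads.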
Tools Utilized
- Endurance Wiper/Ransomware: IntelBroker rolled out a new piece of malware called Endurance, coded in C#. It is labeled as ransomware but mainly acts as a wiper: it targets specific files, overwrites them with random data, renames them, and then deletes the originals. The code for this malware was made available on GitHub. The US Department of Defense Cyber Crime Center (DC3) confirmed that IntelBroker used it in attacks on various US government agencies. DC3 also hinted at a possible link to the Iranian Shamoon wiper, but IntelBroker has denied that connection. Reports indicate that IntelBroker stopped using Endurance after 2023.
- ripgrep: A high-speed text search tool used to efficiently filter credentials (URL, Username, Password) from large datasets like infostealer logs.
- git-dumper: A tool specifically used to download (“dump”) Git repositories that have been identified, often through log analysis.
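The credential-theft bullet above and the ripgrep entry in this list describe the same triage: pull URL, username and password triples for sites of interest out of bulk infostealer logs and rank the privileged accounts. The script below is an added example of that triage done defensively, by an organization checking logs it has obtained for its own domains; it is not code from the report or from any tool IntelBroker used. The log text and the example-corp.com domain are constructed, and the key/value layout mimics the common "URL:/Username:/Password:" text dumps; real stealer families vary in their exact format.

```python
"""Filter infostealer log entries for credentials belonging to one organization.

Added example, not code from the report. The report says ripgrep is used to
pull URL/username/password triples for target sites out of bulk stealer
logs; this does the same triage in Python for exposure monitoring. The
sample log and domain are constructed, and the key/value layout mimics the
common "URL:/Username:/Password:" text dumps; real stealer families vary.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample in the usual key: value / separator layout
SAMPLE_LOG = """URL: https://sso.example-corp.com/
Username: jdoe@example-corp.com
Password: Winter2024!
Application: Google Chrome
===============
URL: https://www.netflix.com/login
Username: jdoe@gmail.com
Password: hunter2
Application: Google Chrome
===============
URL: https://jenkins.example-corp.com/login
Username: admin
Password: j3nk1ns!
Application: Microsoft Edge
===============
URL: https://notexample-corp.com/
Username: someone
Password: unrelated
Application: Google Chrome
===============
URL: https://intranet.example-corp.com/wiki
Username: asmith@example-corp.com
Password: Spring2024!
Application: Firefox
===============
URL: https://sso.example-corp.com/
Username: jdoe@example-corp.com
Password: Winter2024!
Application: Firefox
"""

# different stealer families label the same fields differently
KEY_ALIASES = {
    "url": "url", "host": "url",
    "username": "username", "login": "username", "user": "username",
    "password": "password", "pass": "password",
    "application": "application", "soft": "application",
}
# first DNS label of hosts whose accounts deserve immediate attention
SENSITIVE_HOST_LABELS = {"sso", "vpn", "admin", "jenkins", "gitlab", "okta", "ci", "mail"}
_KV = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$")


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split the dump into records at blank lines or ==== separators."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if not line.strip() or line.startswith("==="):
            if current:
                entries.append(current)
                current = {}
            continue
        m = _KV.match(line)
        if m and m.group(1).lower() in KEY_ALIASES:
            current[KEY_ALIASES[m.group(1).lower()]] = m.group(2)
    return entries


def hostname(url: str) -> str:
    """Lower-case host from a URL, tolerating entries that omit the scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def in_scope(host: str, domains: List[str]) -> bool:
    # exact match or subdomain only; notexample-corp.com must not match example-corp.com
    return any(host == d or host.endswith("." + d) for d in domains)


def is_privileged(entry: Dict[str, str], host: str) -> bool:
    user = entry.get("username", "").lower()
    return "admin" in user or host.split(".")[0] in SENSITIVE_HOST_LABELS


def find_exposed_credentials(text: str, domains: List[str]) -> List[dict]:
    """Unique (host, username) pairs for the given domains, privileged first.

    The password itself is deliberately not copied into the result: the
    response is to reset the account, not to redistribute the secret.
    """
    domains = [d.lower() for d in domains]
    seen, hits = set(), []
    for e in parse_entries(text):
        host = hostname(e.get("url", ""))
        if not host or not in_scope(host, domains):
            continue
        key = (host, e.get("username", "").lower())
        if key in seen:
            continue
        seen.add(key)
        hits.append({"host": host, "username": e.get("username", ""),
                     "privileged": is_privileged(e, host),
                     "application": e.get("application", "")})
    hits.sort(key=lambda h: not h["privileged"])   # stable: privileged first
    return hits


if __name__ == "__main__":
    for h in find_exposed_credentials(SAMPLE_LOG, ["example-corp.com"]):
        flag = "PRIV" if h["privileged"] else "    "
        print(f"{flag} {h['host']:28} {h['username']:26} ({h['application']})")
```

On the sample the result is three exposed accounts: the SSO and Jenkins logins are flagged as privileged and listed first, the intranet user follows, the Netflix entry is out of scope, the look-alike domain is correctly excluded, and the duplicate SSO record from a second browser collapses into one hit.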
Monetization and Operational Security (OpSec)
IntelBroker employs several strategies to profit from his activities while maintaining anonymity:
- Access Brokering: Selling the initial access gained into compromised networks to other threat actors on underground forums.
- Data Sales: Stolen data, including source code, PII, credentials, and confidential documents, is frequently offered for sale on platforms like BreachForums. By June 2024, IntelBroker claimed responsibility for over 80 separate leaks or sales and asserted having sold data from over 400 organizations.
- Extortion: In some cases, IntelBroker tries to extort victims, demanding a ransom in return for not releasing the data. He accepts payment only in Monero (XMR), chosen for its privacy properties. The Pandabuy case is a good example: he was paid a ransom at first, but the data leaked anyway, and a second demand for a larger data set was not met. Middlemen or escrow services are usually involved to keep identities hidden.
- Operational Security (OpSec): IntelBroker keeps his footprint private with solid anonymity tooling. He relies mainly on VPNs, with Mullvad as the go-to option; TunnelBear, NordVPN, VeePN, and VPNAsia have also been observed. VPN exit points were seen in Serbia, which matches where he says he is based, or at least has a strong connection to, but that could just as easily be misdirection. Exit nodes were also seen in Ashburn, Virginia, and Amsterdam. His claimed residence in Russia may likewise serve mainly to protect his identity.
MITRE ATT&CK TTP Mapping
Linking what IntelBroker does to the MITRE ATT&CK framework helps us get a clearer picture of how they operate. This way, security teams can match what the actor does with the right defense and detection methods. From what we’ve seen, IntelBroker probably uses these tactics, techniques, and procedures:

Targeting Profile and Motivations
IntelBroker goes after various organizations but shows clear patterns in who they target and what kind of data they want, based on specific reasons.
Targeted Sectors and Organizations
IntelBroker mainly targets big companies and government agencies. Their list of victims includes a variety of different sectors:
- Technology: AMD, Apple, Cisco, Hewlett-Packard Enterprise (HPE), Zscaler, General Electric (GE), Nokia, Acuity, Cognizant
- Government/Military: Multiple US government agencies, alleged DARPA data (via GE), Europol, claimed Five Eyes data (via Acuity), US Army, Korea Ministry of Defense
- E-commerce/Retail: Weee!, Pandabuy, Facebook Marketplace, Home Depot
- Finance: Alleged incidents involving HSBC, Barclays, WePay
- Telecommunications: Claims related to Verizon, AT&T, T-Mobile
- Hospitality: Accor; a Hilton Hotels breach was also claimed
- Automotive: Alleged breaches involving Volvo, Ford
- Other: Los Angeles International Airport (LAX) CRM, Tech in Asia, Robert Half
IntelBroker operates worldwide but focuses mainly on US organizations. He also pays a lot of attention to well-known European organizations like Europol, Nokia, Volvo, Accor, and Barclays, along with a few elsewhere, such as Pandabuy in China.
Sought-After Data Types
IntelBroker consistently targets and markets specific categories of high-value data:
- Source Code: Internal tools (Apple), platform code (Cisco, HPE Zerto/iLO, GE, AMD, Europol FOUO, Nokia)
- Credentials: Admin and organizational accounts, API keys, SSH keys, access tokens, embedded secrets
- Personally Identifiable Information (PII): Customer data (Weee!, Pandabuy), employee data (Home Depot), health/government data (DC Health Link, including US Congress members), historical delivery info (HPE claim)
- Sensitive Documents & Internal Data: Military project files (GE/DARPA claim), intelligence communications (Five Eyes claim via Acuity), operational guidelines (Europol), confidential documents (Cisco), internal financials (AMD claim), customer databases, development pipeline access (GE claim), digital certificates (HPE claim)
Motivational Drivers
IntelBroker’s operations indicate several core motivations:
- Financial Gain: The primary driver is financial, as evidenced by the sale of stolen data and access, ransom demands (exclusively in Monero/XMR), and access brokering activities. IntelBroker has openly acknowledged the profitability of his actions. In an interview with a German podcast, he said that his proceeds from 2023 have been at least 800k USD, possibly more.
- Notoriety: The selection of prominent targets and public disclosure of breaches on major forums suggest a desire for recognition and status within the cybercrime community. Researchers have noted the tendency to exaggerate breach impact, likely to enhance reputation.
- Geopolitical Undertones: Money is clearly the main driver, but going after US government agencies, military contractors, and European institutions like Europol (an EU agency) suggests there might be more to it. The actor claims to be Serbian and to live in Russia, which could point to anti-Western sentiment. IntelBroker himself says we shouldn't jump to conclusions about loyalties, but the targeting pattern still raises questions.
IntelBroker goes after a range of industries, mainly targeting companies that hold important data like source code, passwords, and personal info. They seem to have a clear strategy, focusing on big tech firms and government agencies to not just make money but also gain a bit of fame in the underground scene. While the main goal appears to be financial gain, they often zero in on US and NATO-related organizations, hinting that there might be some ideological or political reasons behind their actions, even if profit is the top priority. This mix makes it tricky to pin down their true motives, since their actions could be driven by a mix of factors, including personal feelings.
Timeline of Major (at least alleged) Activities and Breaches (2023–2025)
IntelBroker gained a lot of attention starting in early 2023 with several high-profile breach claims. Here’s a quick timeline of key events, including claims, partnerships, and how victims reacted. There are often differences between what was first claimed and the actual impact.

Some other big names on the list are LAX, Verizon, HSBC, Accor, Facebook Marketplace, Tech in Asia, US Army, Korea MoD, Autotrader, Volvo, AT&T, Barclays, Hilton Hotels, and Robert Half. By June 2024, IntelBroker had reported over 80 breaches or sales.
There’s a pattern where IntelBroker makes bold claims, but the real effects aren’t always as serious, as pointed out by the affected companies. Often, the leaked data wasn’t very sensitive, came from less important systems, or was old. And even when the data was real, its importance was often questioned. This shows that people should carefully check what these threat actors say and rely on proper incident responses to get the real picture.
Even with the hype, the fast pace of high-profile claims from 2023 to 2025 shows that they are keeping busy. IntelBroker’s continuous actions suggest that he has solid tech skills, cleverness, or good teamwork in the cybercrime scene. Whether it’s through directly hacking, buying access, or handling infostealer logs, their ability to hit major organizations repeatedly points to a skilled and ongoing threat.
Current Status and Outlook
As of early 2025, IntelBroker remains an active and serious threat.
- Recent Activity: High-profile claims continued into late 2024 (Cisco) and early 2025 (HPE). Social media posts related to the Cisco breach appeared as recently as December 2024.
- BreachForums Role: IntelBroker stepped down as owner/administrator of BreachForums in January 2025, though the forum continued under new leadership.
- Arrest Rumors: In April 2025, rumors of IntelBroker's arrest spread via a new Telegram channel, coinciding with the still-ongoing BreachForums outage, whose cause has not been determined at this point. You can read my analysis of that situation here:
- Ongoing Investigations: Organizations such as AMD, HPE, and Cisco have confirmed ongoing investigations, often involving law enforcement.
IntelBroker has remained a visible figure in the cybercrime world through a string of major breach claims and a period running a well-known forum. He has managed to stay active into 2025, and since there have been no confirmed arrests, this might mean his operational security is good, or that the arrest reports are simply false. Although IntelBroker says he works alone, the sustained pace of activity could hint at a larger group, but there is no proof of that right now. The situation shows how hard it is for law enforcement to tackle skilled cybercriminals who operate across jurisdictions while staying under the radar.
Outlook: IntelBroker is still a real concern. He has solid skills, a name in the underground scene, and a taste for high-value targets, which suggests he will keep stealing data and access unless law enforcement really cracks down on him. Companies in key areas, especially tech and government, need to stay on their toes.
A short summary
IntelBroker is known as a serious threat in the world of cybercrime. Since he appeared in late 2022, this actor, who claims to be a Serbian individual living in Russia, has quickly gained notoriety for hacking into big companies and government organizations, mainly in the US and Europe. While many thought it might have government backing, IntelBroker insists he’s acting independently but works with others, especially in a group called CyberNiggers, and has been a key figure on BreachForums.
IntelBroker is mainly in it for the money. He takes advantage of security gaps in internet-facing systems, uses stolen login data, and hits supply chains to get in. After breaching a network, he works to keep access, evade detection, and escalate privileges, often going after developers and their code repositories. He makes money by selling access, selling stolen data like source code and personal information, and demanding ransom, usually in Monero. While cash is the major goal, the frequent targeting of US government bodies and Western institutions suggests there might be political motives too. He also tends to exaggerate the impact of his hacks, so it is smart to question his claims. Even with unconfirmed rumors of a recent arrest, IntelBroker has proven quite hard to take down.
IntelBroker’s approach works well because it takes advantage of typical weaknesses in technology, processes, and people. A solid security strategy is key. This means stopping initial access, protecting development environments, managing who can get in, and being quick to spot and react to threats. This kind of setup helps reduce risks from tricky, money-driven attackers.