Introduction

In the ever-evolving world of cybercrime, IntelBroker has emerged as one of its most prominent figures. Known for his high-profile breaches, IntelBroker’s actions have shaken both corporations and government entities alike. At KELA, our deep dive into his online presence has revealed valuable insights, with OSINT traces playing a pivotal role in uncovering his connections. This blog provides a detailed summary of our findings, highlighting the critical intelligence available in KELA’s comprehensive threat actor profile.

IntelBroker: A Snapshot of Cybercrime Excellence

IntelBroker entered the scene in late 2022, first appearing on BreachForums and rapidly building a reputation as a ransomware operator at first and then an actor responsible for many data breaches. Over time, he transitioned into a leadership role, taking over BreachForums, an infamous hacking forum. His portfolio includes breaches of notable entities such as AMD, Europol, and Cisco, targeting sensitive data and demanding ransom payments exclusively in Monero (XMR).

IntelBroker distinguishes himself in the cybercrime underworld by combining technical expertise with a strong emphasis on operational security (OpSec). His approach involves exploiting vulnerabilities as a primary attack vector, while simultaneously utilizing advanced anonymity tools to maintain operational secrecy, solidifying his reputation as a trusted figure within the community.

OSINT Traces: A Window into IntelBroker’s Operations

KELA’s analysis identified a wealth of OSINT traces, shedding light on IntelBroker’s digital footprint and operational ecosystem. Below are some of the key findings:

1. Email Trail: Connecting the Dots

Based on KELA’s research, multiple emails are associated with the username “IntelBroker,” but only four have been verified as belonging to the threat actor.

1. Email 1: The first email, associated with the domain cock.li, was previously registered to IntelBroker’s now-banned X (formerly Twitter) account (@IntelBroker). 
2. Email 2: The second email, linked to the domain proton.me, appeared in the BreachForums V2 leak. This forum was established following the FBI’s seizure of the original BreachForums.
3. Email 3: The third email, also using the domain proton.me, surfaced in a leak tied to the original BreachForums. It can draw law enforcement interest due to its use in registering accounts on various services, including Amazon, Vimeo, Dailymotion, Keybase, X, and Dropbox. These registrations were verified via reverse email searches.
4. Email 4: The final email, associated with the domain national.shitposting.agency, was listed by IntelBroker on their BreachForums profile once. Reverse searches reveal that the email was registered to their banned X account, a Keybase account, and was also used on platforms like Skype and Microsoft. The Microsoft account associated with this email traces back to Sweden, likely due to VPN usage. While the alias used on Microsoft and Skype is attributed to another threat actor, it appears IntelBroker adopted it for amusement.

2. VPN Usage and IP Analysis

IntelBroker’s reliance on Mullvad VPN, a no-logs service, has been widely publicized. Our analysis of the BreachForums leak reveals a broader scope. The leak, which occurred in July 2024, exposed not only the user database but also all the forum tables, including private messages exchanged between users.

• Mullvad is the most commonly used VPN by IntelBroker, followed by TunnelBear. Other services, such as NordVPN, VeePN, and VPNAsia, were used to a much lesser extent.
• A significant number of connections from the VPNs originated from Serbia, aligning with IntelBroker’s claimed location. However, this could also be a false trail. Other geolocations, including Ashburn (Virginia) and Amsterdam.
• This diversity in VPN infrastructure emphasizes IntelBroker’s calculated approach to minimizing exposure while hinting at potential investigative opportunities.

3. The Minecraft Connection

An unexpected but intriguing element of IntelBroker’s digital footprint is his activity within the Minecraft community, where it was found to have at least two accounts.

Username “ClamAV”: Disclosed on BreachForums in December 2022, this Minecraft account, created in 2020, listed Serbia as the location. Leaked data from 2021 linked the account to VPN or proxy services resolving to the Netherlands and France.

Username “Thick”: In October 2024, IntelBroker collaborated with the YouTube channel The Duper Trooper for a Minecraft video, using the username “Thick,” created in 2010. Data from a Minecraft leak linked the account to an IP registered in Florida, not from a VPN. However, it remains unclear if IntelBroker has been active on this account since its creation or acquired it later.

IntelBroker’s Minecraft user on the NameMC website

4. AgainstTheWest (ATW) Connection

KELA investigated IntelBroker’s initial posts and identified a potential link to the AgainstTheWest hacking group, known for attacking Chinese organizations, due to a striking similarity in writing style and word choice. Further investigation provided more compelling evidence: both actors used the same XMR crypto address in their profiles. This discovery prompted KELA to explore AgainstTheWest’s social media presence, particularly focusing on an email shared by AgainstTheWest in the posts, associated with the riseup.net domain.

• The email was found in the OGUsers hacking forum leak from 2022, associated with the username “minioadmin” (that has no posts).
• Using OSINT tools, KELA linked the email to an empty Facebook profile that is likely an alias.
• Reverse email search revealed the email was registered to a Medium account under the with a single post about vulnerable Jenkins instances from February 6, 2022. On the same day, AgainstTheWest made a similar post on RaidForums.
• KELA’s investigation of the Medium account’s profile photo led to the discovery of a GitHub account with the same image. This GitHub account was associated with an additional riseup.net email address, which appeared in the original BreachForums leak, linked to another user with no posts.
• A reverse email search revealed the new email was linked to a UK Microsoft account, using a name likely an alias.

It’s unclear if the AgainstTheWest persona was operated by multiple individuals, but the findings suggest a possible link to IntelBroker. However, it’s uncertain whether IntelBroker is definitively tied to these social profiles.

IntelBroker’s Tactics: A Blueprint for Modern Cybercrime

Beyond his OSINT traces, IntelBroker’s tactics reveal a methodical approach to cybercrime:

• Initial Access: Exploiting public-facing vulnerabilities like those in Jenkins servers or leveraging stolen credentials from infostealers.
• Persistence and Privilege Escalation: Using advanced techniques to maintain long-term access and exploit higher network privileges.
• Data Exfiltration and Monetization: Focusing on high-value targets, IntelBroker leverages both direct sales and extortion to maximize profits.

Why OSINT Matters in Cybercrime Intelligence

IntelBroker’s profile highlights the growing importance of OSINT and data leaks in understanding modern cyber threats. By analyzing email trails, VPN usage, and unconventional platforms like Minecraft, and investigating cybercrime forums leaks, revealing information on their users, KELA showcases the power of advanced intelligence solutions in exposing hidden networks and connections. These insights not only support law enforcement investigations but also empower organizations to enhance their defenses against evolving threats.

Conclusion: Gaining the Full Picture with KELA

IntelBroker represents the sophistication of today’s cybercriminals—blending technical skill with strategic anonymity. KELA’s research illuminates his methods, uncovering critical OSINT traces and providing actionable intelligence for combating similar threats.

For a deeper understanding of IntelBroker’s operations, connections, and tactics, we invite you to request the full threat actor profile from KELA. Explore how our intelligence solutions can provide clarity in an increasingly complex cyber landscape.

Contact us today to access the full profile and all the profiles mentioned in this blog.