U.S. and international law enforcement have detained a British national, believed to be the infamous hacker known as “IntelBroker,” alongside four individuals presumed to be associated with the BreachForums online marketplace for illicitly obtained data. The primary suspect, identified in an indictment as 25-year-old Kai Logan West, was apprehended in France earlier this year, with details of the case only emerging this week from the U.S. Justice Department.
Authorities in France have also arrested four individuals identified by their online aliases: “ShinyHunters,” “Noct,” “Depressed,” and “Hollow.” These suspects are charged with involvement in various high-profile data breaches that have caused significant financial losses for companies worldwide, collectively amounting to tens of millions of dollars. They reportedly used the BreachForums dark web platform to market the stolen data. Although BreachForums faced disruptions in 2023, ShinyHunters reportedly regained control of the domain only to see it shut down again in April 2024 due to suspected exploitation of a MyBB zero-day vulnerability.
The latest arrests form part of a wider campaign by international law enforcement agencies aimed at dismantling global cybercrime operations. With the capture of West—alias Kyle Northern—U.S. officials claim to have apprehended an individual linked with an online group dubbed CyberN[——]. This network is alleged to have caused over $25 million in damages across more than 40 victims and offered stolen data for upwards of $2 million.
Scope of the Allegations
West’s purported criminal activities spanned from late 2022 to early 2023. According to the indictment, he faces charges including wire fraud and conspiracy to commit computer intrusion and wire fraud. He is currently detained in France, and U.S. prosecutors are pursuing his extradition. The indictment indicates that West frequented BreachForums—referred to as Forum-1—where he purportedly advertised stolen data for sale on 41 occasions and offered hacked information for free another 117 times to establish his credibility within the community. His activity on BreachForums included posting approximately 335 public messages and over 2,100 comments.
The victim list is extensive and varied, encompassing tech giants such as AMD, Apple, Cisco, HPE, and Nokia, as well as established commercial entities like Home Depot, T-Mobile, and AT&T. Other victims include U.S. government agencies such as the Defense Department and Europol, and major financial institutions including HSBC and Barclays Bank.
Methods of Attack
Investigators detailed multiple instances of data theft attributed to West, including allegations of targeting a U.S. telecom company and offering the harvested data for sale. Moreover, in late 2023, he supposedly compromised a municipal government healthcare facility and pilfered sensitive patient data. This data breach reportedly included names, Social Security Numbers, dates of birth, and various health plan details, along with extensive personal information of affected individuals.
Investigation and Identification
West was identified through a meticulous two-year investigation into IntelBroker. Law enforcement executed search warrants, reviewed documentation, and analyzed information from the Bitcoin blockchain. Additionally, undercover officers posing as prospective buyers of stolen data engaged with IntelBroker, initiating contact in January 2023. Investigators linked a Bitcoin wallet and an account with the online payment processor Ramp back to West; both were registered under his personal email. Further evidence included an email account using the name Kyle Northern, which contained a driver’s license photo of West.
This case epitomizes the significant challenges faced in cybersecurity, illustrating the potential use of tactics from the MITRE ATT&CK framework, such as initial access and data exfiltration. The ongoing collaboration between international law enforcement underscores the necessity for heightened vigilance and proactive measures among business owners regarding data security.