Cyber Threat Actor: IntelBroker
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
4 incidents |
|---|
Profile
IntelBroker is a threat actor known by that alias and has been associated with operations originating from Russia according to the available reporting. The actor has been observed posting stolen data on hacking forums and seeking payment in Monero cryptocurrency for the information obtained. IntelBroker’s activity has been documented across multiple incidents affecting government, healthcare, retail and telecommunications sectors.
The actor’s targeting includes European government institutions such as Europol’s Platform for Experts portal, U.S. legislative bodies via the DC Health Link health insurance marketplace, and U.S. health care plans more broadly. In the retail domain IntelBroker compromised a large Asian and Hispanic grocery delivery service, exposing customer names, addresses, email addresses, phone numbers and order details. Telecommunications firms were also impacted through the exploitation of third‑party vendor cloud storage, leading to the leakage of tens of millions of consumer records from AT&T, T‑Mobile, Verizon and US Cellular. Across these incidents the stated objective has been financial gain, with the actor attempting to sell the exfiltrated data for cryptocurrency.
Observed tactics involve exploiting insecure cloud storage configurations belonging to third‑party vendors, breaching web‑portals that serve as closed user groups for information sharing, and extracting databases containing personally identifiable information. IntelBroker has been seen advertising the stolen data on hacking forums, providing samples to validate the claim and negotiating sales via platforms such as Keybase. No specific malware families or custom tooling are described in the source material, so the TTP description is limited to the noted access vectors and data‑sale behavior.
Attribution to a Russian location is the only geographic detail provided, and no public linkage to a state sponsor or criminal consortium has been established. Representative campaigns include the September 2023 Europol portal breach, the March 2023 DC Health Link incident affecting U.S. House members, the February 2023 Weee! grocery service leak, and the January 2023 telecommunications vendor cloud‑storage compromises that collectively exposed over seventy‑four million consumer records. These events illustrate a pattern of financially motivated data theft across multiple sectors and regions.
