The Case of the IntelBroker: A Masterclass in Applying the Investigative Mindset

In February 2025, the U.S. filed charges against Kai West, alleging conspiracy to commit computer intrusions, wire fraud, and intentional damage to protected computers. The alleged scheme ranged from breaching healthcare providers (putting patient care at risk) to harvesting telecom marketing data and selling it on underground forums.

The Cybercrime Investigative Institute emphasizes multiple modalities to expand the investigator's “investigative mindset”. One such modality is the 3-legged stool approach, or what I call the Triad: Infrastructure, Communications, and Finance. This triad anchors how we break down complex cases, allowing us to see hidden connections, anticipate offender behavior, and develop layered investigative strategies.

A very recent case clearly illustrates the value of this approach. In United States v. Kai West, the defendant, known online as “IntelBroker”, is a U.K.-based alleged cybercriminal accused of orchestrating a sweeping conspiracy that compromised networks, stole sensitive data, and sold the stolen information for cryptocurrency. His story is not just a narrative of technical exploits; it is a case study in deception and greed.

Let’s unpack this investigation using the infrastructure-communications-finance model to show how such a complex scheme was ultimately dismantled.

1. Infrastructure: The Digital Playground of IntelBroker

A cybercrime investigation can begin with any of the three legs of the 3-legged stool, but we will begin with the infrastructure West used to facilitate his crimes.

Compromised Servers & Misconfigurations

  • West exploited improperly configured servers belonging to third-party vendors. For instance, a U.S. telecommunications company’s data was stored by an internet service provider in Manhattan, which failed to secure its software (“Software-1”), allowing anyone to access it without login credentials.

  • Between December 29, 2022, and January 6, 2023, West downloaded over 3,500 files and deleted roughly 45 of them, whether to cover his tracks or to inflict additional damage.

Exploited APIs

  • In another breach, West targeted an API used by a company (Victim-4), obtaining internal communications. APIs meant to facilitate legitimate data exchange became his vector for unauthorized data extraction.

Hacking Forums as Operational Bases

  • The true infrastructure of modern cybercrime often isn’t just compromised hardware but online communities that enable it. West operated primarily on a notorious hacking forum (dubbed here “Forum-1”), which reemerged multiple times after law enforcement takedowns.

  • Forum-1 was more than a discussion board: it offered a marketplace to sell data, a reputation system using “credits,” and private messaging channels to negotiate illicit sales.

Virtual Private Networks (VPNs)

  • To obscure his tracks, West used VPNs, ensuring his IP addresses were masked when posting stolen data, accessing compromised systems, or logging into cryptocurrency platforms.

By meticulously mapping this infrastructure, investigators saw how IntelBroker moved from breach to breach, building a layered architecture of compromise. It also exposed the fragile link in the offender's own infrastructure: his reliance on external platforms and on other people's misconfigured servers, a weakness investigators used to trace the attacks back to him.

2. Communications: How IntelBroker Ran His Enterprise

Communications are the nervous system of any conspiracy. For West, this involved orchestrating everything from recruitment to sales.

Online Persona and Group Dynamics

  • Under the alias “IntelBroker,” West ran a hacking collective known as “The Boys” and later “CyberN[------].”

  • He used Forum-1’s public threads to recruit, declaring missions like a modern criminal manifesto. His recruitment posts doubled as marketing, showing off past breaches to entice skilled accomplices.

Forum-1 Messaging and Reputation

  • Over two years, IntelBroker started at least 158 public threads offering stolen data. About 41 threads involved U.S. company data explicitly for sale.

  • His prolific posting (over 335 threads started and 2,100 comments) cemented his street cred and notoriety. Giving away smaller data leaks for “Forum-1 credits” was strategic: it boosted his status and unlocked deeper trust with potential buyers.

Private Deals and Undercover Stings

  • While public posts drummed up attention, West frequently moved negotiations to private messages. This was where the real deals were struck.

  • In March 2023, an undercover law enforcement officer posed as a buyer, purchasing patient healthcare data from West for about $1,000 in Monero. IntelBroker promptly provided download links containing personal and insurance details of over 56,000 individuals.

Use of Alternate Identities

  • Beyond “IntelBroker,” West also used the alias “Kyle Northern.” Emails linked to both names revealed not only operational communications but personal school records, linking his digital and physical identities.

These communication channels, both overt and covert, gave investigators countless entry points, from undercover buys to tracking the language patterns and signature blocks that tied West's many exploits together.

3. Finance: Following the Cryptocurrency Trail

No investigative mindset is complete without following the money. Cybercriminals may operate behind screens, but their need to profit is usually what betrays them.

Payment Demands in Privacy Coins

  • IntelBroker consistently demanded payment in Monero (XMR) — a cryptocurrency designed to obscure transaction histories and user identities. For example, he priced some stolen telecom data at a “five digit sum in XMR,” roughly equivalent to over $1.5 million.

  • This choice reflected an understanding of blockchain traceability: unlike Bitcoin, whose transactions are visible on a transparent public ledger, Monero hides sender, receiver, and amount.

Blockchain Analysis of Mistakes

  • Yet ironically, it was cryptocurrency that helped federal agents identify West. In January 2023, an undercover agent convinced West to accept Bitcoin, the less private currency, as payment for an API key. The Bitcoin wallet that received the payment (“BTC Wallet-1”) had received funds from another wallet created via Ramp Financial Services, an account tied to a provisional U.K. driver's license in the name “Kai Logan West.”

  • Investigators followed this breadcrumb through to a Coinbase account registered to “Kyle Northern,” but verified under West’s real name and date of birth.

The Broader Damage: $25 Million in Losses

  • The financial footprint of IntelBroker’s schemes was massive. Victimized companies collectively spent at least $25 million responding to breaches, hiring forensic firms, and funding credit monitoring for impacted customers.

The money trail, paired with the infrastructure and communications evidence, completed a picture that, for investigators, left no doubt about West's identity and culpability.

The Investigative Mindset at Work

What does this case teach investigators?

  • Think in Layers: The investigation did not hinge on a single smoking gun but on layered indicators, from IP overlaps to matching YouTube interests, that tied West's personal email to IntelBroker's public persona.

  • Map Infrastructure Aggressively: Knowing how West used VPNs, misconfigured servers, and forums allowed law enforcement to predict where he’d strike next.

  • Follow Communications to Build Context: His forum posts, recruitment messages, and private negotiations provided insight not only into what he did, but why — the ego, the quest for notoriety, the sense of invincibility.

  • Financial Pressure Points Are Key: Even privacy coins have weaknesses. Off-ramps such as exchanges, and mistakes such as accepting Bitcoin, expose real-world identities.
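The layered correlation these lessons describe can be made concrete. The following is an added example, not code from the original article or from any investigation: it builds an identity graph from records drawn from all three legs of the triad and reports which pseudonymous accounts link to which real-world identity, which layers corroborate each cluster, and which indicators are too widely shared to be trusted. Every record below is constructed sample data (the account labels are placeholders, the IPs are RFC 5737 documentation addresses, the phone number is a reserved test number), and the MAX_SHARERS threshold is an assumed tuning value.

```python
"""Layered attribution over constructed records from the infrastructure,
communications and finance layers. An attribute shared by two identities
links them; attributes shared by many identities (for example a VPN exit IP
used by thousands of forum members) are treated as hubs and ignored.
All data here is constructed for illustration and is not case evidence."""
from collections import defaultdict
from itertools import combinations

# (layer, identity, attribute_type, attribute_value) -- all constructed.
RECORDS = [
    # Infrastructure layer: forum login metadata
    ("infrastructure", "IntelBroker@Forum-1", "login_ip", "203.0.113.7"),
    ("infrastructure", "IntelBroker@Forum-1", "login_ip", "198.51.100.40"),  # shared VPN exit
    ("infrastructure", "randomuser1@Forum-1", "login_ip", "198.51.100.40"),
    ("infrastructure", "randomuser2@Forum-1", "login_ip", "198.51.100.40"),
    ("infrastructure", "randomuser3@Forum-1", "login_ip", "198.51.100.40"),
    # Communications layer: email provider records for two mailboxes
    ("communications", "intelbroker-mailbox", "login_ip", "203.0.113.7"),
    ("communications", "intelbroker-mailbox", "recovery_phone", "+44 7700 900123"),
    ("communications", "kylenorthern-mailbox", "recovery_phone", "+44 7700 900123"),
    ("communications", "kylenorthern-mailbox", "display_name", "Kyle Northern"),
    ("communications", "kylenorthern-mailbox", "login_ip", "192.0.2.88"),
    # Finance layer: exchange and on-ramp KYC records
    ("finance", "Coinbase-account", "display_name", "Kyle Northern"),
    ("finance", "Coinbase-account", "kyc_name", "Kai Logan West"),
    ("finance", "Coinbase-account", "login_ip", "192.0.2.88"),
    ("finance", "Ramp-wallet", "kyc_name", "Kai Logan West"),
    ("finance", "Ramp-wallet", "kyc_document", "UK provisional licence"),
    ("finance", "Unrelated-exchange-account", "kyc_name", "Someone Else"),
]

# Assumed threshold: an attribute held by more identities than this is a hub.
MAX_SHARERS = 3


def index_attributes(records):
    """Map (attribute_type, value) -> {identity: set of layers it was seen in}."""
    idx = defaultdict(lambda: defaultdict(set))
    for layer, ident, atype, value in records:
        idx[(atype, value)][ident].add(layer)
    return idx


def hub_attributes(records, max_sharers=MAX_SHARERS):
    """Attributes too widely shared to be a useful link (weak indicators)."""
    return {key for key, holders in index_attributes(records).items()
            if len(holders) > max_sharers}


def pairwise_links(records, max_sharers=MAX_SHARERS):
    """For each identity pair, the non-hub attributes they share and the
    layers those observations came from."""
    links = defaultdict(list)
    for (atype, value), holders in index_attributes(records).items():
        if len(holders) > max_sharers:
            continue  # hub: skip, it would link everyone to everyone
        for a, b in combinations(sorted(holders), 2):
            links[(a, b)].append((atype, value, holders[a] | holders[b]))
    return dict(links)


def clusters(records, max_sharers=MAX_SHARERS):
    """Union-find over shared attributes; returns identity sets, largest first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for _, ident, _, _ in records:
        find(ident)  # register every identity, even unlinked ones
    for a, b in pairwise_links(records, max_sharers):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for ident in parent:
        groups[find(ident)].add(ident)
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


def corroborating_layers(records, identity, max_sharers=MAX_SHARERS):
    """Layers contributing at least one link inside identity's cluster.
    A cluster backed by a single layer rests on one kind of evidence only."""
    members = next((g for g in clusters(records, max_sharers) if identity in g), set())
    layers = set()
    for (a, b), shared in pairwise_links(records, max_sharers).items():
        if a in members and b in members:
            for _, _, link_layers in shared:
                layers |= link_layers
    return layers


if __name__ == "__main__":
    print("hub attributes ignored:", hub_attributes(RECORDS))
    for group in clusters(RECORDS):
        if len(group) > 1:
            print(sorted(group), "<-", sorted(corroborating_layers(RECORDS, next(iter(group)))))
```

With the threshold at 3, the shared VPN exit is dropped as a hub and the persona, both mailboxes, the exchange account and the on-ramp wallet collapse into one cluster supported by all three layers, while the three unrelated forum users stay unlinked. Raising the threshold (for instance to 10) pulls those users into the cluster on the strength of the VPN IP alone, which is exactly the false link a VPN-only indicator produces.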

Reflections: A Cautionary Tale

What’s chilling is how normal this has become. Thousands of aspiring hackers on forums like Forum-1 view IntelBroker not as a cautionary tale but as an idol. That’s precisely why, at the Institute for Cybercrime Investigations (i2c1), we stress rigorous, adaptive, layered thinking. It’s not just about catching one criminal; it’s about understanding an entire ecosystem so we can protect individuals, companies, and critical infrastructure from becoming the next victim.

So as you study this case, apply the framework:

  • Map the infrastructure to see where vulnerabilities lie.

  • Trace communications to unravel networks of trust and conspiracy.

  • Follow the money to dismantle profit motives and unmask identities.

Because cybercrime is evolving fast — and our investigative mindset must evolve faster.

Want to learn more? Join our next Tactical Cybercrime Investigations course at the Cybercrime Investigative Institute (CCI), where we dive deep into cases like IntelBroker’s, teaching you how to apply these principles hands on. Together, we’ll stay one step ahead of the digital predators.