TL;DR
- International law enforcement coordinated to take down BreachForum, arresting five administrators including IntelBroker (Kai West).
- Breakthrough came when IntelBroker accepted Bitcoin instead of Monero for a controlled purchase, enabling blockchain analysis.
- Chainalysis Reactor helped trace cryptocurrency flows through multiple exchanges, connecting IntelBroker’s digital persona to his real identity.
- The case demonstrates how blockchain analytics, combined with traditional investigative techniques, can effectively pierce cryptocurrency’s perceived anonymity.
On June 25, 2025, in a coordinated international operation, law enforcement struck against BreachForum, one of the most significant platforms for trading stolen data. The French Cybercrime Unit (Brigade de lutte contre la cybercriminalité, BL2C) arrested five suspected administrators of the platform, including the threat actors Shinyhunter, Noct, and Depressed. Simultaneously, the U.S. Attorney’s Office for the Southern District of New York unsealed charges against British national Kai West for his alleged role as ‘IntelBroker’.
IntelBroker served as BreachForum’s owner between August 2024 and January 2025. West was arrested by French authorities in February 2025, following an investigation that demonstrates how advanced blockchain analytics can pierce through cryptocurrency’s perceived anonymity to connect digital personas to real-world identities.
The investigation: How cryptocurrency became a digital fingerprint
The breakthrough in identifying IntelBroker came through a carefully orchestrated undercover operation in January 2023. When IntelBroker offered to sell stolen data, an undercover law enforcement officer reached out to purchase it. While IntelBroker typically insisted on payments in Monero — a privacy-focused cryptocurrency — the officer successfully convinced the threat actor to accept Bitcoin instead. This deviation in payment method would prove to be IntelBroker’s undoing.
The Bitcoin address IntelBroker provided (bc1qj52d3d4p6d9d72jls6w0zyqrrt0gye69jrctvq) revealed his complete financial infrastructure.
Using Chainalysis Reactor, investigators traced cryptocurrency flows that connected multiple exchanges to West’s real identity. The address had received funding directly from Ramp exchange. When investigators obtained account information from Ramp, they discovered the withdrawal was made by an account associated with ‘Kai Logan West’ and included his date of birth—the first concrete connection between the IntelBroker persona and a real-world identity.
Cross-referencing revealed the same Bitcoin address had interacted with Coinbase. Account data showed the Coinbase account was opened under ‘Kyle Northern’, but KYC data ultimately linked back to ‘Kai West’. Analysis also revealed small deposits to CSGO500, an online cryptocurrency casino, and that an Ethereum address IntelBroker advertised (0x0cD1FD1191aeC66F555C0893D29E7c36AeEeb6ab) sent all funds to Changelly exchange.
Following the public release of investigation details, OSINT researchers in the cybersecurity community conducted additional analyses. Through open-source intelligence gathering, researchers identified an associated email address (kyle.northern1337@outlook.com) which led to the discovery of West’s LinkedIn profile. This profile revealed that he had previously worked as a Security Researcher Trainee at the National Crime Agency.
Impact and lessons: Transforming crypto crime investigations
The IntelBroker investigation demonstrates several breakthrough methodologies now reshaping how law enforcement approaches cryptocurrency-enabled crime:
- Immutable evidence: Blockchain transactions create permanent, tamper-proof records analyzable years later.
- Network visualization: Blockchain analysis software like Chainalysis Reactor enable investigators to map complex transaction networks revealing connections impossible to identify manually.
- Cross-platform correlation: Analyzing transactions across multiple cryptocurrencies and exchanges builds comprehensive criminal financial profiles.
- Multi-source intelligence: Combining blockchain analytics with KYC data, OSINT, and traditional investigative techniques creates powerful identification capabilities.
This coordinated approach required unprecedented international cooperation between French authorities who made the arrest, U.S. prosecutors who brought charges, and cryptocurrency exchanges who provided crucial account information.
The takedown sends a powerful message to cybercriminals: cryptocurrency does not provide the anonymity many believe it does, particularly when interacting with regulated exchanges. The case highlights critical operational security failures — accepting Bitcoin instead of Monero, publicly advertising cryptocurrency addresses, and using personal information for exchange accounts — that contributed to West’s identification.
For law enforcement agencies and compliance teams, modern blockchain intelligence platforms now provide comprehensive transaction mapping across blockchains, real-time risk assessment tools, cross-reference analysis capabilities, and standardized intelligence formats facilitating international information sharing.
Building a safer digital future through intelligence-driven enforcement
The IntelBroker case represents a fundamental shift in how law enforcement approaches cryptocurrency-enabled crime. By combining advanced blockchain analytics with strategic undercover operations and international cooperation, investigators penetrated what criminals believed was an anonymous digital ecosystem.
As cybercriminals evolve their techniques, law enforcement must continue advancing analytical capabilities and cooperation frameworks. The lessons from this investigation will inform future efforts against data breach marketplaces, ransomware operations, and other cryptocurrency-enabled crimes.
The IntelBroker takedown proves that sophisticated cybercriminals leave digital footprints that advanced analytics can follow. The blockchain’s immutable ledger serves not just as a foundation for digital assets, but as a powerful tool for justice in the digital age. At Chainalysis, we remain committed to equipping investigators with the full suite of blockchain intelligence capabilities — from advanced analytics to training and expert services — to uncover, pursue and disrupt criminal operations in this evolving landscape.
This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.
The post Following the Bitcoin Trail: The IntelBroker Takedown appeared first on Chainalysis.
