SOCRadar® Cyber Intelligence Inc. | Dark Peep #19: IntelBroker Indicted, and Ransomware Goes Corporate
Jun 27, 2025
9 Mins Read
Dark Peep #19: IntelBroker Indicted, and Ransomware Goes Corporate

The Dark Web never sleeps—and neither do its actors. In this edition, we explore a string of developments shaping the cyber threat landscape: from the indictment of a notorious threat actor behind dozens of data leaks, to ransomware groups adding legal pressure tactics to their extortion playbooks. Meanwhile, turf wars among threat actors spill into public view, with one actor defacing another’s forum in a display of technical one-upmanship. Whether through courtroom charges or darknet revenge, the ecosystem continues to evolve in unexpected directions.

In the Dark Web, every arrest casts a shadow of suspicion — who's next to be exposed? Created with DALL-E.

Qilin Rolls Out ‘Call Lawyer’ Like It’s Customer Support

The Qilin ransomware group has introduced a “Call Lawyer” button in its affiliate panel, letting attackers bring in legal consultants during ransom talks. Victims now face not only stolen data and encrypted systems but also legal threats mid-negotiation.

Threat actor announces legal support service for ransomware affiliates.

“The mere appearance of a lawyer in chat can influence the company and raise the ransom amount,” the gang says. “We also offer advice on how to cause maximum financial damage if the victim refuses to pay.”

Qilin is not just pushing ransomware. It is building a criminal helpdesk with malware, spam tools, DDoS add-ons and now a legal department ready to talk terms.

GangExposed Doxes the Doxers

GangExposed, a Telegram channel that popped up earlier this year, says it’s here to expose the real faces behind Trickbot, Conti and Black Basta. So far, it has published chat logs, crypto links and even a birthday party video allegedly featuring six Conti members on a private jet. The clip was supposedly filmed by “TARGET” himself, who now has a ten million dollar bounty on his head.

GangExposed shares alleged leaks from Conti, Trickbot and Black Basta

Conti reportedly tried to erase the footage, but GangExposed claims they kept a copy. Their message? “You do ransomware, we do receipts.” The channel promises more leaks tied to laundering ops, retaliation plans and personal identities.

As with most things on Telegram, trust comes second to drama. The files might be real, or just well-produced fiction. Either way, popcorn is advised.

U.S. Charges Qakbot Operator for Enabling Ransomware Attacks

The U.S. has indicted Russian national Rustam Gallyamov for his role in creating and operating the Qakbot malware, used to support ransomware campaigns for over a decade. Prosecutors say he developed Qakbot in 2008 and provided access to ransomware groups including Conti, REvil, and Black Basta.

Created with DALL-E. Visualizing the indictment of Qakbot’s alleged operator

Gallyamov allegedly earned a share of ransom payments by offering initial access to infected networks. The botnet’s reach included over 700,000 devices, with damages exceeding $58 million. Authorities have seized more than $24 million in cryptocurrency tied to the operation.

When Threat Actors Get Threatened

One threat actor compromised a Dark Web forum operated by another and later shared a technical breakdown of the attack on Dread. The intrusion relied on a mix of outdated phpBB software, a deprecated Telegram plugin and a convincingly worded private message.

Defacement mimics a law enforcement takedown. Posted by threat actors after breach.

The crafted link granted admin access, triggered a shell upload and exposed system details. A defaced homepage followed, stamped with the message:

“Before you embark on a journey of revenge, dig two graves.”

The post outlined the exploit method and hinted at previous tension between the parties. A reminder that even in underground spaces, threat actors sometimes turn their tools on each other.

IntelBroker Indicted After Years of Selling Stolen Data

The U.S. has charged British national Kai West, accused of operating under the alias “IntelBroker,” in connection with a long-running data theft and trafficking scheme. According to court documents, West is linked to more than 150 leak posts on BreachForums, a well-known hacker forum, where he allegedly sold or distributed data from telecom firms, healthcare providers and government systems.

Stylized arrest scene referencing the capture of IntelBroker. Created with DALL-E.

Between 2023 and 2025, IntelBroker reportedly caused over 25 million dollars in damages and accepted payments in Monero. He was arrested in France earlier this year, and U.S. authorities are now seeking his extradition. The FBI tied the online identity to West through cryptocurrency tracing, reused email accounts and, eventually, a photo of his driver’s license.

He had claimed to be Serbian. His near-fluent English surprised many. But what surprised no one was how it ended.

This case is also a sharp reminder. The Dark Web still holds a dangerous appeal, especially for younger actors who see notoriety and easy money but overlook the long-term consequences. IntelBroker is only the latest in a growing list of arrested cybercriminals. How many names do you actually remember? How many faces?

Because in the end, it’s rarely fame. It’s usually prison.

Ex-Top Cyber Chiefs Say Stop Naming Hackers Like Pokémon

Former CISA Director Jen Easterly and former NCSC Director Ciaran Martin have called for a vendor-neutral, global standard for naming cyber threat actors. In a recent column, they warned that current naming practices risk glamorizing malicious actors and creating confusion.

Less style, more substance. Created with DALL-E.

While they welcomed Microsoft and CrowdStrike’s recent efforts to align labels, they argued that real progress requires coordination between governments and the private sector. A consistent and neutral taxonomy, they said, would help attribution efforts and improve global cyber defense.

Startup Vibes, Ransomware Core

Alleged VanHelsing ransomware source code sale

SOCRadar has detected a new ransomware source code sale on a Dark Web forum. A threat actor is offering the full source code of VanHelsing ransomware, including:

  • Admin web panel
  • Built-in chat and blog system
  • File server and full database
  • Working lockers for Windows, Linux/NAS, and ESXi (from version 2.x to 8)

The package also includes TOR keys, suggesting ease of redeployment for other actors.

The asking price? $10,000 to start.

While the ransomware itself isn’t well-known, offering ESXi compatibility out of the box shows a clear focus on enterprise environments. As always, the appearance of full source code raises concerns about potential forks and copycat variants.

Coinbase Hit by Insider Leak, Extortion, and a $20M Bounty Twist

Coinbase is dealing with the fallout of a data breach that reportedly began in January 2025, not with malware, but with a smartphone. According to Reuters, a contractor working for TaskUs in India was caught photographing customer data off her screen, allegedly in exchange for bribes.

Coinbase puts a $20M bounty on an insider-linked threat actor. Created with DALL-E.

The breach, affecting Coinbase customer support data, led to the dismissal of over 200 employees at the outsourcing firm. But the real headline came later. A threat actor demanded $20 million from Coinbase in exchange for not leaking the stolen data. Coinbase responded with a move straight out of a cyber-thriller: it placed its own $20 million bounty on the attacker.

Public SEC filings now suggest Coinbase knew about the insider risk months before the extortion. Whether the criminal campaign was limited to TaskUs remains unclear, but the implications for trust in outsourced operations are already surfacing.

Turns out, sometimes the biggest exploit is a phone camera.

Stay Ahead, Stay Aware

The Dark Web is no longer a shadowy corner of the internet—it’s an active front where threat actors evolve, compete, and even turn on each other. Insider leaks, ransomware negotiations backed by legal threats, and marketplaces auctioning off full attack kits have turned underground crime into a fast-moving business.

SOCRadar Dark Web Monitoring

In this climate, passive defense is a risk your organization can’t afford. SOCRadar’s Advanced Dark Web Monitoring helps you take back control with real-time access to stolen data, chatter, and threat actor behavior across deep, dark, and surface web channels. Whether you need to safeguard executives, uncover exposed credentials, or monitor suspicious mentions of your assets, it’s all in one platform designed for visibility and action.

When threat actors move fast, your intelligence should move faster.