{
	"id": "6a176b48-c575-49e6-976b-e7d12094e935",
	"created_at": "2026-04-06T00:09:05.9734Z",
	"updated_at": "2026-04-10T13:11:28.08596Z",
	"deleted_at": null,
	"sha1_hash": "8fc8434c51a686dd092f85f377534c673879917a",
	"title": "Dark Web Profile: CyberNiggers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1107158,
	"plain_text": "Dark Web Profile: CyberNiggers\r\nPublished: 2024-02-05 · Archived: 2026-04-02 10:35:44 UTC\r\n[Update] August 9, 2024: “Revival and Recruitment of CyberNiggers Group”\r\nThe cybersecurity landscape is in a state of flux, marked by the flow of illicit activities within hacker forums. Not-so-recent\r\nevents surrounding the shutdown and subsequent revival of Breach Forums have brought forth a wave of\r\nspeculation, with some viewing it as an FBI HoneyPot, while others see it as an opportune space for continued\r\nillegal pursuits. At the center of this virtual tumult stands a racist threat group that has re-emerged with heightened\r\npotency—CyberNiggers.\r\nCyberNiggers’ Banner on Breach Forums\r\nAmidst the chaos of forum dynamics and the arrest of forum administrators, the once-dormant CyberNiggers has\r\nseized the spotlight. A dominant force in the revamped Breach Forums, this threat group has taken on a renewed\r\nand ominous demeanor. While their recruitment efforts have taken a backseat, a key member\r\nnamed IntelBroker has assumed a prominent role, shouldering the group’s cyber activities.\r\nhttps://socradar.io/dark-web-profile-cyberniggers/\r\nPage 1 of 7\n\nThis resurgence of CyberNiggers raises alarm bells across the cybersecurity community. Their return to the\r\nforefront, coupled with a fresh wave of cyber attacks, underscores the persistent and evolving nature of digital\r\nthreats. In a global landscape where organizations grapple with increasingly sophisticated cyber adversaries, the\r\nactivities of CyberNiggers warrant close scrutiny.\r\nWho is CyberNiggers?\r\nIn the aftermath of pompompurin’s arrest, CyberNiggers has emerged as a formidable threat group\r\nwithin the revived Breach Forums. While the forum’s status as a potential HoneyPot remains a topic of debate, the\r\nactivities of CyberNiggers have transcended speculation. 
The threat group, which is very active both in the forum\r\nand in cyber threat activities, made a name for itself with the General Electric data they allegedly offered for sale\r\ntowards the end of 2023.\r\nThe racist threat group appears to be a small group, all of whom are currently members of Breach Forums. Still,\r\nthey are pursuing critical targets, especially in the US, and according to a claim by vx-underground, they are also\r\nunder the surveillance of Five-Eyes.\r\nAmidst the group’s activities, a Serbian hacker, IntelBroker, a prominent member, has taken center stage. Tasked\r\nwith shouldering a significant lead within the group, IntelBroker’s solo endeavors have become a focal point.\r\nIntelBroker, one of the members of CyberNiggers\r\nCyberNiggers: Recent Breach Activities\r\nThe once-dormant CyberNiggers have resurfaced, leaving a trail of compromised entities in their wake. The threat\r\ngroup claimed responsibility for infiltrating many prominent organizations, showcasing their ability to exploit\r\nvulnerabilities and compromise sensitive data. Although CyberNiggers, as a parent umbrella, did not resonate in\r\nthe media as much as the name IntelBroker, either the group or IntelBroker’s name was mentioned in the biggest\r\nevents of 2023. This section explores CyberNiggers’ recent breach activities, shedding light on the\r\nspecific organizations targeted and the potential consequences of their exploits.\r\nProminent targets were:\r\nGeneral Electric (GE): CyberNiggers, seemingly led by the prominent member IntelBroker for this\r\nattack, asserted that they had successfully breached General Electric, a multinational tech giant with a\r\nsignificant presence in various industries. 
The compromised data allegedly includes sensitive military files\r\nbelonging to the US government’s Defense Advanced Research Projects Agency (DARPA).\r\nA later post about General Electric\r\nWeee Grocery Service: CyberNiggers claimed responsibility for stealing sensitive information from Weee\r\nGrocery Service, a popular online grocery platform. The data breach impacted approximately 11\r\nmillion users, raising concerns about the exposure of personal and financial information.\r\nColonial Pipeline: CyberNiggers was also reportedly behind a significant cybersecurity breach targeting\r\nthe Colonial Pipeline. A group member, identified as “comradbinski,” associated with this breach, also had\r\na history of involvement in various cyber intrusions and joined the platform on August 8, 2023.\r\nRevelations on the dark web suggest that premium access to Colonial Pipeline, offered by comradbinski,\r\nincluded critical information such as billing details, private and public keys, passwords, emails, source\r\ncode, PDFs, and database files. The compromised access extends to Blobs, SMTP, Bitbucket, MSSQL, and\r\nAWS S3 Buckets.\r\nAlleged Data Leaks and Access Sales for Colonial Pipeline and other Pipeline companies\r\nMany other victims, such as Accenture, KitchenPal, UsDoT, and Vauxhall Motors, are posted on the forum as well.\r\nCyberNiggers are publishing many posts on the forums continuously\r\nCyberNiggers’ leaks may pose severe consequences for the targeted organizations and the individuals whose data\r\nhas been compromised. These consequences may include reputational damage, financial losses, and legal\r\nramifications. 
Moreover, the exposure of sensitive military files, as claimed in the GE breach, raises national\r\nsecurity concerns, highlighting the broader implications of CyberNiggers’ activities.\r\nAs organizations grapple with the aftermath of these breaches, understanding the tactics employed by\r\nCyberNiggers becomes paramount. The next section delves into the historical context of CyberNiggers’ breach\r\nactivities, providing insights into their evolution and methods.\r\nIntelBroker: A Pivotal Figure\r\nAs mentioned above, at the forefront of CyberNiggers stands a phonk-enjoyer hacker, IntelBroker, a notorious\r\nmember with a track record of orchestrating high-profile cyberattacks. Operating within the realm of initial access\r\nbrokering, IntelBroker specializes in identifying and selling access to compromised systems, paving the way for\r\nvarious malicious activities. Details about IntelBroker also shed light on the group.\r\nIntelBroker’s profile picture\r\nBackground:\r\nTrack Record: IntelBroker probably has been an active participant in the cyber threat landscape since at\r\nleast late 2022. Notable breaches attributed to IntelBroker include successful attacks on Weee Grocery\r\nService, Autotrader, Volvo, Hilton Hotels, and AT\u0026T.\r\nMethodology: The modus operandi of IntelBroker mostly revolves around locating and selling access to\r\ncompromised systems. Their focus on the initial access stage of cyberattacks makes them a critical\r\ncomponent in the broader cybercrime ecosystem. 
Although he first tries to sell the access he has obtained,\r\nwhen he cannot make a successful sale in this area, he probably engages in infiltration efforts of his own\r\nand manages to steal some data; he also offers the data he shares samples of for sale on the forum.\r\nIntelBroker of CyberNiggers, selling access for Dunkin Brands, their targets are various\r\nHigh-Profile Exploits:\r\nUS Military: IntelBroker’s claim of breaching General Electric, leading to the alleged compromise of\r\nmilitary files related to DARPA, underscored the group’s and IntelBroker’s audacious targets and\r\npotential national security implications. It was also the time when both the group and IntelBroker made\r\ntheir voices heard the most.\r\nUnique Threat Landscape:\r\nLow Asking Price: The peculiar aspect of IntelBroker’s and CyberNiggers’ recent activities is the\r\nsurprisingly low asking price for access to sensitive information. For instance, the offer to sell access to\r\nDARPA files for $500 raises questions about the authenticity and motivations behind such a seemingly\r\nundervalued proposition. In a tweet, they also stated that they sold sensitive US-based data for $4000. In\r\nother words, it can be said that the price range generally hovers around relatively low numbers.\r\nFocus on Initial Access: As stated above in the Methodology, IntelBroker’s specialization in the initial\r\naccess stage positions them as a crucial player in the broader cyber threat landscape. Their ability to exploit\r\nmisconfigured systems and unprotected databases contributes to the evolving tactics within the cybercrime\r\necosystem.\r\nVPN Access for US based companies\r\nA Potential Ransomware Operation: IntelBroker also stated in a post that it was working on its own\r\nransomware strain. 
Of course, getting ransomware into the hands of a threat actor specialized in access can\r\ngreatly increase the attack vector and destructiveness. However, it can be said that it previously sold the\r\naccess gained to ransomware groups. So it is an actor who has long been associated with the ransomware\r\nlandscape.\r\nIntelBroker’s post about its ransomware progress\r\nSolo Operation: Despite the collective identity of CyberNiggers, IntelBroker stands out as an individual\r\nthreat actor. This distinction raises questions about the extent of their capabilities and the motivations\r\ndriving their solo endeavors.\r\nUnderstanding IntelBroker’s role within CyberNiggers provides valuable insights into the tactics employed.\r\nFurthermore, since the tactics of the group are parallel to IntelBroker’s and considering that the members of the\r\ngroup can also work individually, understanding IntelBroker’s actions and capacity also provides a general view\r\nof the entire group.\r\nThe Group’s Extent and the Implications on Security\r\nThe cyber onslaught orchestrated by CyberNiggers extends far beyond individual data breaches. This section\r\nexplores the profound implications of the group’s activities on national security and the specific organizations that\r\nhave fallen victim to their sophisticated cyberattacks.\r\nLet’s look at the implications through the General Electric incident, which is the news that is most covered in the\r\nmedia.\r\nGeneral Electric (GE) and DARPA Compromise:\r\nThe alleged breach of General Electric, a multinational industrial giant, and the compromise of military\r\nfiles associated with the Defense Advanced Research Projects Agency (DARPA) raised concerns.\r\nEspecially, GE’s involvement in cutting-edge aerospace technology, including hypersonic jets and military\r\ndrones, amplified the severity of the breach. 
The compromised information could have potentially provided\r\nadversaries with insights into critical defense projects, posing a direct threat to national security.\r\nPotential Consequences:\r\nMilitary Advantage: The stolen military files could grant adversaries a strategic advantage by exposing\r\nclassified information related to military strategies, troop deployments, weapons systems, and intelligence\r\noperations.\r\nTechnological Innovation at Risk: With GE’s collaboration with DARPA on diverse projects, the breach\r\njeopardizes not only current military initiatives but also the technological innovations that influence\r\nbroader consumer technology.\r\nOperational Impact on Organizations:\r\nReputational Damage: The mere speculation of a breach may have inflicted substantial reputational\r\ndamage on impacted organizations. If confirmed, the companies may face severe financial losses, legal\r\nconsequences, and a decline in public trust.\r\nLegal and Compliance Ramifications: A confirmed breach would trigger legal and compliance\r\nconsequences for impacted organizations. The exposure of sensitive data, like SQL database files, aviation\r\nsystem guidelines, and military documents, could result in legal actions and regulatory penalties.\r\nUnderstanding the extent of the group is a more complicated issue. However, the key point that stands out and will\r\nuncover the rest is financial gain.\r\nPattern of Attacks:\r\nDiverse Target Portfolio: CyberNiggers exhibits a pattern of targeting a diverse portfolio of organizations,\r\nincluding Autotrader, Volvo, Hilton Hotels, and AT\u0026T. This suggests a strategic approach to gather varied\r\nsets of information and potentially fulfill different objectives.\r\nTargeting of US: While NATO-Aligned countries seem to be their main targets, their cyber attacks are for\r\nfinancial gain, not hacktivist visions, even if their cyber attacks may contain political statements. 
By far,\r\nthe country they target the most is the US. However, they have a diverse list of target countries such as the\r\nUK, South Africa, India, and Turkey.\r\nPolitical Agenda:\r\nRacism: As can be easily understood from the name of the group, they have a racist attitude. Of course,\r\nsuch an agenda may also be interpreted as a language they use to attract attention and create chaos on the\r\nway to their goals, rather than choosing a target based on “being a racist”.\r\nExcluding Russia: Although we said above that they are motivated by financial gain rather than a political\r\nagenda, as stated in an interview, the group member IntelBroker seems to be a native Serbian or Russian\r\nspeaker, and it is obvious that Russia is excluded among the group’s targets. According to IntelBroker’s\r\nown statement, it resides in Russia.\r\nUnderstanding the implications of these cyber intrusions extends beyond the immediate impact on targeted\r\norganizations. The potential compromise of national security-related data emphasizes the critical need for\r\nrobust cybersecurity measures and international collaboration to counter such threats effectively.\r\nConclusion: Navigating the Cybersecurity Landscape\r\nThe evolving activities of CyberNiggers, marked by the alleged breach of General Electric and IntelBroker’s\r\nsignificant role, emphasize the dynamic and persistent nature of cyber threats. As organizations and security\r\nprofessionals grapple with emerging challenges, understanding the intricacies of threat groups like CyberNiggers\r\nbecomes paramount. The collective response to breaches, the validation of claims, and the development of robust\r\ncybersecurity measures are crucial components in mitigating the impact of cyber adversaries. 
The cybersecurity\r\nlandscape demands vigilance, adaptability, and collaborative efforts to safeguard critical infrastructure, national\r\nsecurity, and individual privacy.\r\nSOCRadar Dark Web Monitoring offers an extensive monitoring solution for every surface of the web, allowing\r\norganizations to detect and address threats spanning the surface, deep, and dark web layers. Leveraging our\r\ncapabilities in reconnaissance and threat analysis, we provide practical intelligence to enhance your organization’s\r\nproactive security measures. By combining automated external cyber intelligence with a specialized team of\r\nanalysts, we empower Security Operations Center (SOC) teams to effectively manage threats beyond their\r\ntraditional boundaries.\r\nSOCRadar Dark Web Monitoring\r\nRevival and Recruitment of CyberNiggers Group\r\nA recent post on BreachForums announced the revival and active recruitment for the group CyberNiggers. This\r\npost, made by the moderator, IntelBroker, lays out specific criteria and expectations for potential members, which\r\nincludes racist motivations and a history of cybercrimes, such as providing free leaks or engaging in data\r\nbreaches. The group openly promotes disdain for law enforcement and requires members to maintain operational\r\nsecurity.\r\nThe recent post about new version of CyberNiggers\r\nThis resurgence is noteworthy as it follows significant law enforcement activities that led to arrests and the seizure\r\nof related forum data in the past. The group’s comeback highlights ongoing challenges in combating cybercrime\r\ncommunities that thrive on racial hatred and criminal activities. 
This development underscores the need for\r\nvigilant monitoring and enhanced cybersecurity measures to mitigate the threats posed by such groups.\r\nPossible MITRE ATT\u0026CK TTPs\r\nBelow are possible TTPs with their explanations.\r\nTactic | Technique | Details / Examples\r\nInitial Access | T1190 – Exploit Public-Facing Application | Breaching General Electric and Weee Grocery Service by exploiting vulnerabilities in public-facing applications.\r\nExecution | T1203 – Exploitation for Client Execution | Utilizing compromised systems to execute unauthorized commands or software.\r\nPersistence | T1098 – Account Manipulation | Possibly maintaining access to compromised systems through account manipulation, as indicated by activities in various organizations.\r\nPrivilege Escalation | T1068 – Exploitation for Privilege Escalation | Gaining higher-level privileges through exploitation of system weaknesses.\r\nDefense Evasion | T1027 – Obfuscated Files or Information | Likely obfuscating malicious files or data to evade detection, as seen in sophisticated cyber attacks.\r\nCredential Access | T1003 – Credential Dumping | Accessing credentials, possibly through methods like database access or system compromise.\r\nDiscovery | T1083 – File and Directory Discovery | Discovering files and directories in the compromised systems, as in the case of DARPA files in GE breach.\r\nLateral Movement | T1078 – Valid Accounts | Using valid accounts to move laterally across networks, inferred from the pattern of diverse organization targets.\r\nCollection | T1005 – Data from Local System | Collecting data from compromised systems, as seen in breaches of organizations like Colonial Pipeline.\r\nExfiltration | T1041 – Exfiltration Over C2 Channel | Likely exfiltrating data over a command and control channel, given the nature of their operations.\r\nImpact | T1486 – Data Encrypted for Impact | Potential for ransomware use, as mentioned by IntelBroker, or may have led into a ransomware attack.\r\nCommand and Control | T1132 – Data Encoding | Communicating with compromised systems using encoded data.\r\nSource: https://socradar.io/dark-web-profile-cyberniggers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socradar.io/dark-web-profile-cyberniggers/"
	],
	"report_names": [
		"dark-web-profile-cyberniggers"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d6519c33-32d0-4a3c-b5cd-930ce047c240",
			"created_at": "2024-04-19T02:00:03.615928Z",
			"updated_at": "2026-04-10T02:00:03.612469Z",
			"deleted_at": null,
			"main_name": "CyberNiggers",
			"aliases": [],
			"source_name": "MISPGALAXY:CyberNiggers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0263e1e1-4568-410a-a5e4-6932db1d40da",
			"created_at": "2024-06-26T02:00:04.854969Z",
			"updated_at": "2026-04-10T02:00:03.667295Z",
			"deleted_at": null,
			"main_name": "IntelBroker",
			"aliases": [],
			"source_name": "MISPGALAXY:IntelBroker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434145,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fc8434c51a686dd092f85f377534c673879917a.pdf",
		"text": "https://archive.orkl.eu/8fc8434c51a686dd092f85f377534c673879917a.txt",
		"img": "https://archive.orkl.eu/8fc8434c51a686dd092f85f377534c673879917a.jpg"
	}
}