Leaky Weekly

Use a Stealer Log, Go to Prison (Part 1): IntelBroker and Scattered Spider(?) Arrests

On this episode of Leaky Weekly, host and security researcher Nick Ascoli gets into stealer logs and the arrests, over the last few weeks, of threat actor IntelBroker and of threat actors who targeted retail companies in the U.K. using the DragonForce encryptor. This is part 1 of a two-part series, Use a Stealer Log, Go to Prison. Part 2 is available on Apple Podcasts or Spotify.

Here are the resources on the stories:

  • 2025 Data Breach Investigations Report (DBIR) (Verizon)
  • The Rising Role of Stolen Credentials in Cybercrime: 3 Insights from the 2025 Verizon DBIR (Flare)
  • IntelBroker Threat Actor (TheSecMaster)
  • Following the Bitcoin Trail: The IntelBroker Takedown (Chainalysis)
  • United States of America v. Kai West (“IntelBroker,” “Kyle Northern”) Complaint (U.S. Department of Justice)
  • Four arrested in connection with M&S and Co-op cyber-attacks (BBC)
  • Retail cyber attacks: NCA arrest four for attacks on M&S, Co-op and Harrods (National Crime Agency)
  • UK police arrest four over cyberattacks on M&S, Co-op and Harrods (Reuters)
  • Inside DragonForce, the Group Tied to M&S, Co-op and Harrods Hacks (Infosecurity Magazine)
  • Inside the Dragon: DragonForce Ransomware Group (Group-IB)

Brought to you by Flare, the world's easiest to use and most comprehensive cybercrime database that integrates into your security program in 30 minutes. Check out what’s on the dark web (and more) about your organization.

Flare now offers Flare Academy training, which is our (free!) training series led by experts that cover critical cybersecurity topics. Check out Flare Academy to keep up with upcoming trainings, check out previous training resources, chat with cybersecurity professionals (including Nick!) in the Flare Academy Community Discord, and more.