br0k3r
Intelligence Profile
Br0k3r is not a conventional ransomware gang, but rather an Iran-linked cyber espionage and access brokerage group leveraging its foothold within victim networks to facilitate ransomware operations. Active since around 2017, the group provides privileged domain access—often sold or shared directly—with known ransomware operators such as ALPHV/BlackCat, NoEscape, and RansomHouse, receiving a portion of each successful ransom payout. Victims have included U.S. schools, municipal governments, financial and healthcare organizations, as well as targets in Israel, Azerbaijan, and the UAE. Br0k3r’s strategy merges espionage with criminal collaboration, allowing them to support both state-aligned intelligence objectives and financial incentives.
Threat Analysis
br0k3r is a ransomware operation that deploys encryption-based extortion against organizations globally. This group maintains a data leak site (DLS) to pressure victims into paying ransom demands.
Financially motivated threat actors like br0k3r prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.