RANSOMWARE OPERATION💰 FINANCIAL

br0k3r

1
aliases

Intelligence Profile

Br0k3r is not a conventional ransomware gang, but rather an Iran-linked cyber espionage and access brokerage group leveraging its foothold within victim networks to facilitate ransomware operations. Active since around 2017, the group provides privileged domain access—often sold or shared directly—with known ransomware operators such as ALPHV/BlackCat, NoEscape, and RansomHouse, receiving a portion of each successful ransom payout. Victims have included U.S. schools, municipal governments, financial and healthcare organizations, as well as targets in Israel, Azerbaijan, and the UAE. Br0k3r’s strategy merges espionage with criminal collaboration, allowing them to support both state-aligned intelligence objectives and financial incentives.

Threat Analysis

br0k3r is a ransomware operation that deploys encryption-based extortion against organizations globally. This group maintains a data leak site (DLS) to pressure victims into paying ransom demands.

Financially motivated threat actors like br0k3r prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

External References

Quick Facts

TypeRansomware Operation
Motivation💰 financial
Aliases1

Also Known As

br0k3r

DLS Infrastructure

○ OFFLINEbrok3r7bhcblynwpoymgarr6zwcy4ttfbhkhcmotz4lw2gcsuojgaeqd.onion

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.