Like safe crackers and forgers before them, breaking into company networks has become a sought-after niche.
Initial access brokers (IABs) are some of the most important players in cybercrime. Relied upon by ransomware gangs, spies and scammers, their role is simple: find a way in, then sell that access quickly to the next actor in the chain.
IABs specialise in the first stage of a cyberattack: gaining unauthorised entry into an organisation’s systems. Rather than carrying out ransomware attacks, fraud or theft themselves, they sell the access (credentials, accounts, backdoors or some other entry point or foothold) and move on. Sometimes the access is surprisingly cheap, a few pounds per contact, but it would be a mistake to equate IABs with script kiddies.
“Access brokers aren’t necessarily junior,” says Javvad Malik, lead CISO advisor at KnowBe4. “It’s a specific niche service they provide in finding a way into an organisation, maintaining that access and selling it to whoever needs it.”
IABs make money by selling access rather than exploiting it. This allows them to avoid the risk and complexity associated with later stages of an attack, such as lateral movement, encryption, negotiation and money laundering.
“Rather than executing the full attack themselves, they sell this access to other cybercriminals on dark web forums and underground marketplaces,” explains Gordon Brebner, technical team lead at Orange Cyberdefense.
You get what you pay for
Some brokers operate independently, building a reputation on specialist forums and marketplaces; others focus on piling high and selling cheap. There are also those who act as suppliers inside ransomware groups, passing on compromised accounts to Ransomware‑as‑a‑Service (RaaS) operations.
Scams aside, it’s a working market; you get what you pay for. Compromised websites or low‑privilege user accounts fetch far less than admin accounts or persistent access to a corporate network.
“The prices can be low because it’s often about volume,” says Malik. “With AI‑powered automated phishing kits and infostealers, many credentials can be stolen with little effort.”
Cheap data may be low‑privilege, poorly validated, short‑lived and may be sold many times. At the premium end, IABs sell far fewer listings but at much higher prices and with guaranteed exclusivity, focusing on large organisations, sensitive sectors and high‑privilege accounts. There’s also a middle ground where brokers validate records obtained via infostealers to add value, or venture into privilege escalation to get a better price.
“Basic user credentials can sell for less than $20, whereas corporate or business email credentials for a standard user can be obtained for between $50 and $30,” adds Brebner. “At the high end of the scale, privileged accounts like domain admin credentials can cost tens of thousands.”
Three ways in
While the cyber landscape continues to evolve, the core methods remain largely unchanged.
IABs focus primarily on three ways in:
- Unpatched software, particularly internet‑facing VPNs, firewalls, remote access RDP services and web applications;
- Compromised credentials;
- Social engineering, including phishing, MFA fatigue attacks and credential harvesting.
Favoured targets are VPNs, RDP remote access software, unpatched endpoint devices, Active Directory, email gateways, third-party service management platforms, misconfigured firewalls and cloud services. Techniques include leveraging exploits, brute forcing, infostealers, and bribing compromised insiders.
Despite the typically low price per record scraped, automated phishing kits with and can harvest browser passwords, authentication cookies and cloud credentials at scale, generating vast quantities of usable access with minimal effort. This is why it’s one of the main growth areas – and why (unless we’re an admin or a C-level corporate exec) our information is available so cheaply.
Structured and scalable
Access is generally traded via forums, marketplaces and encrypted messaging platforms. Buyers range from ransomware gangs and RaaS affiliates to fraud groups, state-backed espionage operators, scammers and data thieves.
“Marketplaces act like a specialised supply chain rather than a single ‘group does everything’ model,” says Rebecca Taylor, threat intelligence knowledge manager and researcher at Sophos’ Counter Threat Unit.
“Cybercrime markets have long operated in such a way – for example forum ecosystems and marketplaces dedicated to access sales – but this model has become more structured and scalable in recent years with sites like Russian Market and 2easy.”
In these markets and in invite‑only Telegram channels, a broker’s reputation is a crucial asset. A broker with a strong reputation is more likely to deliver working access, provide accurate details and avoid scamming buyers.
Lower‑value infostealer logs are often dumped in bulk on the Dark Web, perhaps by IABs yet to build a reputation, while the premium product is sold privately or directly to ransomware operators. For ransomware gangs, buying access is often cheaper and quicker than developing their own intrusion capabilities.
The evolution of cybercrime
The stratification of cybercrime into distinct roles highlights how far it has evolved into a professionalised, industrial system with checks and balances and division of labour.
“What this shows us is how mature cybercrime has become,” says Malik. “Very much like a legitimate business, we see specialisms being formed such as initial access, privilege escalation, fraud, ransomware, money laundering.”
It’s a system designed to extract the maximum value from victims, adds Taylor. “Initial access is commoditised, escrow and reputation systems reduce ‘market friction’, and ransomware groups can buy their way past the hardest early stage and focus on where the money is – extortion.”
Brebner is in no doubt that the business model is successful and growing largely because of perverse incentives around ransoms.
“There is a mature, tested business model that cybercriminals are exploiting and refining every day. And as long as businesses continue to pay ransoms, this underground economy will continue to thrive.”
He continues: “For me, this raises questions about the specialist cybersecurity negotiation firms acting as intermediaries that help ‘buy for time’, bring the ransomware price down, and offer expertise based on previous negotiations with specific groups.
“While these firms certainly offer support for struggling victims, there is an argument to be made that they are contributing to the payments that are continuing to go to attackers. This, in turn, is fuelling a self-sustaining industry, supported by both illicit actors and the legitimate professional services that have grown around them.”
