Initial Access Brokers¶

Ecosystem Overview¶

Initial Access Brokers (IABs) are the supply chain of the ransomware economy. They are specialized cybercriminals who focus exclusively on one phase of the attack lifecycle: gaining initial access to corporate networks. Rather than monetizing that access themselves through ransomware deployment, data theft, or espionage, they sell it to other threat actors who handle the downstream exploitation.

This separation of labor between intrusion specialists and monetization operators mirrors legitimate economic specialization and has several consequences:

• Attribution complexity. The actor who breaches a network is not the actor who deploys ransomware weeks later. This complicates forensic investigations and law enforcement attribution, since at least two independent actors (and often more) are involved in each incident.
• Force multiplication. A single skilled IAB can enable dozens of ransomware attacks. One broker who compromises 50 organizations per year may fuel 50 separate ransomware incidents, each carried out by a different affiliate.
• Lower barriers to entry. Ransomware affiliates no longer need sophisticated intrusion capabilities. They can purchase reliable access and focus entirely on lateral movement, exfiltration, and encryption -- the skills they already possess.
• Market resilience. When a ransomware group is disrupted, its affiliates simply purchase access from the same IABs and join a different ransomware-as-a-service (RaaS) program. The IAB layer persists independently of any single ransomware brand.

The IAB market has evolved from a niche activity on a handful of Russian-language forums circa 2017-2018 to a mature, high-volume marketplace by 2024-2026. Threat intelligence firms including KELA, Group-IB, Flashpoint, and Intel 471 now track IAB activity as a dedicated sub-discipline, and the volume of listings has grown steadily year over year.

How IABs Operate¶

IABs follow a repeatable operational workflow that spans initial reconnaissance through to the sale of validated access. The process can be broken into distinct phases.

Phase 1: Reconnaissance and Scanning¶

IABs conduct mass scanning of public-facing infrastructure to identify vulnerable targets at scale. This is typically automated and indiscriminate -- the goal is volume, not precision.

• Automated vulnerability scanning of internet-facing services: VPNs (Fortinet, Pulse Secure, Cisco), firewalls, RDP endpoints, Microsoft Exchange, Citrix NetScaler, and other edge appliances.
• Shodan, Censys, and custom scanners are used to enumerate exposed services across entire IP ranges and ASNs.
• Credential sources: IABs ingest large volumes of credentials from infostealer malware logs (Raccoon, RedLine, Vidar, Lumma), combo lists from previous breaches, and phishing campaigns they operate directly.

Phase 2: Initial Compromise¶

Once targets are identified, IABs exploit them using well-understood techniques:

• Exploiting known CVEs in VPNs, firewalls, and remote access infrastructure (see TTPs section below for specific CVEs).
• Credential stuffing and password spraying against VPN portals, RDP services, OWA/O365, and Citrix gateways using credentials harvested from infostealer logs.
• Phishing campaigns targeting employees with credential-harvesting pages or malware delivery.
• Brute-forcing RDP endpoints exposed directly to the internet (still surprisingly common, particularly among SMBs).

Phase 3: Access Validation and Persistence¶

Before listing access for sale, professional IABs validate and stabilize the access to ensure reliability:

• Verify the access works consistently and has not been remediated.
• Determine the scope of access: user-level vs. admin-level, single host vs. domain-wide.
• Identify the target organization's industry, country, and estimated revenue (critical for pricing).
• Establish persistence mechanisms: install secondary backdoors, create additional accounts, deploy remote monitoring and management (RMM) tools (AnyDesk, Splashtop, Atera), or plant web shells.
• Some IABs will perform basic lateral movement to elevate from user-level to domain admin before listing, as this significantly increases the sale price.

Phase 4: Listing and Sale¶

IABs list their access on underground forums with structured details:

• Industry of the victim organization
• Country and sometimes region
• Estimated annual revenue (often sourced from ZoomInfo, LinkedIn, or Dun & Bradstreet)
• Access type: VPN, RDP, web shell, Citrix, Active Directory, cloud admin, email
• Access level: user, local admin, domain admin
• Number of hosts/endpoints on the network (indicates blast radius)
• Antivirus/EDR in use (buyers prefer environments without strong EDR)
• Starting bid or fixed price

Sales occur through two primary mechanisms:

• Auction format: Starting bid, bid increment, and "blitz" (buy-it-now) price. Common on Exploit forum.
• Fixed price: Listed at a set price, first buyer takes it. Common on XSS.

Access may be sold as exclusive (one buyer only, higher price) or non-exclusive (multiple buyers possible, lower price, higher risk of detection). Professional IABs typically sell exclusive access, as this protects their reputation -- if multiple buyers hit the same target and the access is burned, the IAB's credibility suffers.

Some high-volume IABs maintain standing arrangements with ransomware affiliates, providing a steady flow of access at pre-negotiated rates. These private deals never appear on public forums and represent a significant portion of the total IAB market that is invisible to researchers.

Workflow Diagram¶

Access Types and Pricing¶

The price of network access varies dramatically based on the type of access, the target organization's profile, and the quality of persistence. The following table summarizes typical pricing observed across major forums from 2023 through early 2026.

Premium Pricing Factors¶

Several variables drive access prices well above baseline:

• Organization revenue: Targets with >$1B annual revenue command 5-10x premiums. Buyers (typically ransomware affiliates) calculate ransom demands as a percentage of revenue, so higher-revenue targets justify higher access prices.
• Industry: Healthcare, financial services, legal, and government organizations attract premium pricing due to higher willingness-to-pay for ransomware victims and regulatory pressure to resolve incidents quickly.
• Geography: US and EU organizations command the highest prices. Targets in countries perceived as having strong cyber insurance coverage (US, UK, Canada, Australia) attract the highest bids.
• Access quality: Domain admin access is worth multiples of standard user access. The difference between "VPN user credentials" and "domain admin with persistence" can be 10-20x.
• Persistence reliability: Access with multiple redundant backdoors, RMM tools installed, and secondary accounts is worth more than a single set of credentials that may be rotated.
• EDR/AV profile: Targets running minimal endpoint protection command a premium because ransomware deployment is more likely to succeed. Conversely, targets with CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint may sell at a discount.

Volume and Trends¶

IAB activity has grown substantially since the market emerged as a distinct specialization around 2017-2018. The following data draws primarily from published reports by KELA, Group-IB, and CrowdStrike.

Annual Listing Volume (Estimated)¶

Most Targeted Industries¶

Based on IAB listing analysis from KELA and Group-IB (2023-2025):

Most Targeted Countries¶

US targets dominate listings due to high organizational revenue, perceived insurance coverage, and the sheer volume of internet-facing infrastructure.

Seasonal Patterns¶

IAB activity shows moderate seasonal variation:

• Spikes after major CVE disclosures: Exploitation waves following Fortinet, Citrix, Cisco, and Ivanti vulnerabilities produce visible listing surges within 2-4 weeks of PoC availability.
• Holiday periods: Slight uptick in listings during Western holiday periods (December-January), likely because organizations are slower to patch and respond.
• End-of-quarter clustering: Some evidence of ransomware affiliates purchasing access near quarter-end, possibly linked to financial reporting cycles of victims.

Relationship to Ransomware¶

IABs are the upstream suppliers in the ransomware supply chain. Understanding this relationship is critical to understanding why both IABs and ransomware persist despite law enforcement pressure.

The Ransomware Supply Chain¶

Economic Dynamics¶

The IAB-ransomware relationship persists because the economics are overwhelmingly favorable:

• IAB revenue: $500-$50,000 per access sale.
• Ransomware revenue: $200,000-$10,000,000+ per successful deployment.
• Return on investment for the affiliate: A $5,000 access purchase that leads to a $2M ransom payment represents a 400x return.

This asymmetry creates persistent, strong demand for IAB services. Even if IAB prices doubled or tripled, they would remain a trivial cost relative to ransomware profits.

Operational Timeline¶

The typical timeline from IAB listing to ransomware deployment:

Total time from IAB listing to ransomware detonation is typically 2-4 weeks, though some fast-moving affiliates (notably former FIN12 / Pistol Tempest) have compressed this to under 48 hours.

IAB-Affiliate Arrangements¶

• Open market sales: IAB lists access publicly; any affiliate can purchase. This is the most visible model.
• Preferred buyer relationships: Some IABs develop standing arrangements with specific ransomware affiliates, providing a steady pipeline of access at pre-negotiated rates. These deals are not visible on public forums.
• IAB-to-affiliate evolution: Some IABs have evolved into full ransomware affiliates themselves, cutting out the middleman. When an IAB realizes the downstream profits dwarf their access sales, the economic incentive to vertically integrate is strong. (CrowdStrike has documented this progression for several actors.)
• RaaS recruitment: Some RaaS programs (notably LockBit and former ALPHV/BlackCat) actively recruited IABs as affiliates, offering favorable revenue splits.

Notable IABs and Forums¶

Forum Ecosystem¶

The IAB market concentrates on a small number of Russian-language underground forums, each with distinct characteristics.

Notable IAB Personas¶

The following are forum handles of IABs that have been identified in published threat intelligence reporting. These represent some of the most prolific or notable sellers active in recent years.

• Fxmsp ("The invisible god of networks"): One of the earliest high-profile IABs, active 2017-2020. Claimed to have compromised networks of major antivirus vendors. Reportedly sold access to over 300 organizations across 44 countries. Charged by the US DOJ in 2020. Demonstrated the viability and scale of the IAB model early on. (Group-IB, DOJ indictment)
• Integra / Integrality: Prolific seller on Exploit forum, active 2021-2023. Known for high-volume listings of VPN and RDP access, primarily targeting US and European organizations. (KELA)
• Novelli: Active on XSS and Exploit, known for selling access to large enterprises. Frequently listed domain admin access at premium prices. (KELA, Intel 471)
• Kelvin Security: A threat group operating as both a data breach actor and IAB, with Telegram presence and forum activity. Targeted government and enterprise networks across Latin America and Europe. Arrests reported in late 2023 in Spain. (Group-IB, Europol)
• Bughunter / various handles: Multiple IABs specialize in exploiting specific CVEs (e.g., Fortinet VPN, Citrix NetScaler) and listing dozens of compromised organizations within days of exploit availability. These "CVE-chasing" IABs are responsible for significant listing spikes after major vulnerability disclosures. (Intel 471)

Reputation and Trust Mechanics¶

Underground forums use reputation systems to facilitate trust in an inherently adversarial environment:

• Forum reputation scores: Post counts, positive transaction reviews, and time on the forum contribute to a seller's reputation. High-reputation sellers command higher prices and faster sales.
• Escrow services: Forums provide escrow where the buyer's payment is held until they confirm the access works. This protects buyers from scam sellers.
• Guarantors: Established forum members vouch for new sellers for a fee, lending credibility.
• Ban and blacklist mechanisms: Sellers who provide non-working access or engage in "ripper" behavior (taking payment without delivering) are banned and blacklisted across forums.
• Deposit requirements: Some forums require sellers to post a financial deposit (e.g., $500-$1,000) to list, which is forfeited if they scam buyers.

TTPs (Tactics, Techniques, and Procedures)¶

Initial Access Methods¶

IABs concentrate on a relatively narrow set of initial access vectors, prioritizing scalability and reliability.

Mass scanning and exploitation

• Tools: Nmap, Masscan, ZMap, custom Python/Go scanners, Shodan/Censys APIs
• Targets: Internet-facing VPN appliances, RDP services, web applications, mail servers
• MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1133 (External Remote Services)

Credential harvesting and reuse

• Infostealer log markets (Genesis Market before takedown, Russian Market, 2easy, Telegram channels selling Raccoon/RedLine/Vidar/Lumma logs)
• Credential stuffing using combo lists from previous breaches
• Phishing campaigns with credential-harvesting kits
• MITRE ATT&CK: T1078 (Valid Accounts), T1110 (Brute Force), T1566 (Phishing)

Commonly Exploited CVEs¶

The following vulnerabilities have been heavily exploited by IABs based on observed listing spikes correlated with CVE disclosure timelines:

Persistence Techniques¶

Professional IABs invest in persistence to ensure access remains viable until sale and handoff:

• Multiple backdoors: Web shells (China Chopper, ASPX shells, PHP backdoors), Cobalt Strike beacons, and custom implants.
• RMM tool installation: AnyDesk, Splashtop, Atera, ConnectWise Control -- legitimate tools that blend with normal traffic and evade detection.
• Secondary accounts: Creation of new local admin or domain accounts with inconspicuous names.
• Scheduled tasks and services: Persistence via Windows Task Scheduler or systemd services.
• SSH key implantation: On Linux targets, adding SSH authorized keys for persistent access.
• VPN account creation: Adding new VPN accounts to the existing VPN infrastructure.

MITRE ATT&CK: T1505.003 (Web Shell), T1219 (Remote Access Software), T1136 (Create Account), T1053 (Scheduled Task/Job), T1098.004 (SSH Authorized Keys)

Tools¶

Law Enforcement and Disruption¶

Major Actions¶

Genesis Market Takedown (Operation Cookie Monster, April 2023)

Genesis Market was a specialized marketplace selling "bots" -- packages of stolen credentials, cookies, and browser fingerprints harvested by infostealer malware. While not a traditional IAB forum, Genesis Market served a similar function by providing validated credentials that could be used for initial access. The FBI-led operation seized the platform's infrastructure and resulted in 119 arrests across 17 countries. (FBI, Europol)

BreachForums Seizures (2023-2024)

BreachForums, an English-language forum hosting IAB listings alongside data breach sales, was seized by the FBI in June 2023. It was reconstituted under new administration and seized again in May 2024. The cycle of seizure and reconstitution illustrates the resilience of these platforms.

Fxmsp Indictment (2020)

The US DOJ indicted Andrey Turchin, a Kazakhstan national, for operating as the IAB "Fxmsp." He allegedly compromised networks of over 300 organizations and generated over $1.5M in access sales.

Kelvin Security Arrests (2023)

Spanish police arrested members of the Kelvin Security group in December 2023. The group had been active since at least 2020, selling access to government and corporate networks. (Europol)

Challenges to Disruption¶

Despite these actions, law enforcement faces structural challenges in disrupting the IAB ecosystem:

• Jurisdictional barriers: Most IABs operate from Russia or CIS countries that do not extradite cybercriminals to Western law enforcement, provided the IABs avoid targeting domestic organizations.
• Pseudonymous operations: IABs operate under forum handles, communicate via encrypted channels (Jabber/XMPP with OTR, Tox, Telegram), and transact in cryptocurrency.
• Cryptocurrency laundering: Payments in Bitcoin or Monero, often routed through mixers/tumblers, complicate financial tracking.
• Market resilience: When a forum or marketplace is seized, sellers migrate to competing platforms within days. The IAB "supply chain" does not depend on any single marketplace.
• Low individual impact: Arresting a single IAB removes one supplier from a market with hundreds of active participants. The market adjusts quickly.

Defensive Implications¶

The IAB threat model has direct implications for organizational security posture. Defenses should focus on eliminating the access types that IABs sell and detecting the techniques they use.

Priority Defensive Measures¶

Extended Defensive Measures¶

• Vulnerability management for edge devices: Establish a dedicated patching track for internet-facing infrastructure with SLAs shorter than standard patching cycles. Edge devices should be treated as the highest-priority patch targets in any environment.
• Infostealer detection and response: Deploy endpoint protection capable of detecting infostealer malware families (Raccoon, RedLine, Vidar, Lumma). When corporate credentials appear in infostealer log dumps, force password resets and session revocation immediately.
• RDP hygiene: Never expose RDP directly to the internet. Use VPN or Zero Trust network access (ZTNA) as a gateway. If RDP must be exposed, enforce NLA and MFA.
• Threat intelligence monitoring: Subscribe to IAB-focused threat intelligence feeds. Services like KELA, Intel 471, and Flashpoint monitor underground forums for listings that match your organization's profile (industry, geography, revenue range).
• Honeypots and deception: Deploy decoy systems on the perimeter to detect scanning and exploitation attempts that IABs conduct during reconnaissance.
• RMM tool auditing: Monitor for unauthorized installation of remote management tools (AnyDesk, Splashtop, Atera, ConnectWise Control). IABs frequently use these for persistence, and their presence outside sanctioned IT use is a strong compromise indicator.
• Active Directory hardening: Restrict domain admin accounts, implement tiered administration, enable Protected Users group, and monitor for unusual account creation -- all measures that limit the "upgrade path" from user access to domain admin that increases an IAB's sale price.

Market Impact¶

The IAB ecosystem drives demand across multiple cybersecurity product categories. Organizations investing in defenses against IAB compromise are purchasing in the following segments:

Segments with Direct IAB-Driven Demand¶

Key Vendors in IAB-Related Threat Intelligence¶

Sources and Further Reading¶

Primary Intelligence Sources¶

• KELA -- Annual IAB Reports (2021-2025). The most detailed publicly available analysis of IAB market volume, pricing, and trends. kela.io
• Group-IB -- Hi-Tech Crime Trends annual reports. Include IAB market sizing and analysis alongside broader cybercrime trends. group-ib.com
• Intel 471 -- Underground adversary intelligence reports on IAB activity and forum dynamics. intel471.com
• Flashpoint -- Cybercrime forum monitoring and IAB trend analysis. flashpoint.io

Annual Threat Reports¶

• CrowdStrike -- Global Threat Report (annual). Tracks "Access Broker" activity as a dedicated category within the eCrime ecosystem. Introduced the "Spider" naming convention for cybercrime actors, including IABs.
• Mandiant / Google -- M-Trends (annual). Covers initial access trends and IAB-enabled compromises observed during incident response engagements.
• Recorded Future -- Annual Threat Report. Includes analysis of credential markets and IAB ecosystem trends.
• Microsoft -- Digital Defense Report (annual). Covers access broker activity observed through Microsoft's telemetry.

Law Enforcement and Government¶

• FBI / Europol -- Press releases and case documents related to Genesis Market takedown (Operation Cookie Monster, April 2023), BreachForums seizures, and individual IAB prosecutions.
• CISA -- Advisories on commonly exploited vulnerabilities (particularly the annual "Top Routinely Exploited Vulnerabilities" list), many of which are IAB-favored CVEs.
• US DOJ -- Indictments of Fxmsp (2020) and other IAB-related prosecutions.

Academic and Research¶

• Campobasso, M. and Allodi, L. -- "Impersonation-as-a-Service: Characterizing the Emerging Criminal Infrastructure for User Impersonation at Scale" (CCS 2020). Academic analysis of credential markets.
• MITRE ATT&CK -- Technique mappings for IAB-relevant TTPs: T1190, T1133, T1078, T1110, T1566, T1505.003, T1219, T1136.

Cross-References¶

Glossary¶

This glossary defines the acronyms and key terms used throughout the cybersecurity market research site. Use it as a quick reference when navigating segment analyses, pain-point discussions, and opportunity assessments.

A¶

B¶

C¶

D¶

E¶

F/G¶

H¶

I¶

L¶

M¶

N¶

O¶

P¶

R¶

S¶

T¶

V¶

X¶

Z¶