Access brokers, also known as initial access brokers or IABs, obtain and validate access to a target system. They use a repeatable playbook that combines credential theft, vulnerability exploitation, and dark web monetization.
IABs are experts at penetrating networks at scale and confirming that access to systems is stable. That access is then sold to cybercriminals, who use it to carry out ransomware, data theft, and fraud.
Who are access brokers?
Access brokers have one primary task: acquiring and packaging access points inside organizations. While not running full campaigns themselves, they are suppliers in the cybercrime economy, providing ransomware groups, data-theft crews and other buyers with footholds into target organizations.
These brokers advertise on dark web forums, encrypted channels and specialized initial access markets, listing details such as company size, geographic location, mode of access (VPN, RDP, SaaS, domain admin), and price. Their offerings range from low-cost remote desktop accounts for small businesses to high-value domain access for large enterprises.
How do access brokers gain initial access?
IABs leverage a combination of opportunistic and targeted strategies to compromise networks and user accounts. Typical practices include:
- Obtaining credentials from infostealer malware logs, large credential dumps, or dark web credential markets.
- Launching phishing and social engineering campaigns to harvest VPN, email, or SaaS login details.
- Using brute force and credential stuffing attacks against exposed remote services (like VPN, RDP, and webmail), especially when multi-factor authentication (MFA) is weak or missing.
- Exploiting unpatched vulnerabilities in internet-facing systems such as VPN appliances, web applications, email gateways, or edge devices.
Most access brokers chain several sources together. For example, an attacker can buy stealer logs, use social engineering to identify the email accounts associated with each log, and then use those credentials to reach corporate portals for higher-value access.
How do access brokers validate and enrich access?
To maximize profit while building their reputation, access brokers must demonstrate that access is real, stable, and useful to buyers. Validation and enrichment can mean testing a leaked corporate email address against SaaS, VPN and OWA portals to verify that the credentials work. This allows IABs to:
- Assess privilege level and domain membership, and enumerate available resources, in order to classify the access (user, admin, domain, or application level).
- Map the environment and collect metadata, including the number of endpoints, AD structure, installed security tools, and business functions.
Access brokers then catalog that information into listings that describe the access type, sector, region and likelihood of lateral movement, making it easy for buyers to weigh ROI and attack paths.
Where are the initial access sales and trade opportunities?
The bulk of initial access sales happen in dark web forums, invite-only channels, and specialized marketplaces built around the sale of compromised access. Listings usually cover VPN, RDP, Citrix, email, SaaS, and domain access, and the price can be driven by company size, privilege level, industry, and risk of detection.
By working directly with ransomware-as-a-service (RaaS) affiliates, some IABs avoid posting ads publicly while providing access tailored to specific verticals or geographies. This helps reduce their exposure while providing ransomware operators fast and pre-confirmed pipelines into high-value networks.
Why does this ecosystem matter for defenders?
By carrying out the first stage of the attack chain, access brokers allow even less skilled intruders to get past organizational defenses. The sheer volume and relatively low cost of access listings let a wide assortment of threat actors buy footholds and pivot immediately to ransomware, data theft or business email compromise.
Defenders need to treat access brokers as an external supply chain, continuously monitoring for exposed credentials, unpatched internet-facing assets, and mentions of their organization in dark web markets. Dedicated dark web monitoring and data breach detection tools help security teams identify when they have become a target of access brokers and act before that access is sold and weaponized.
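Two of the broker behaviours described above leave traces in an organization's own authentication logs before any listing appears: credential stuffing against exposed services (one source trying many usernames with a low success rate) and credential validation (one leaked account logging in to VPN, OWA and SaaS portals back to back). The script below is an added example, not code from the original article or any vendor tool; it runs over a constructed log excerpt (not real data), and the log format, the field names and the thresholds (five distinct usernames, a 50% success ceiling, three portals within 30 minutes) are assumptions a team would tune to its own environment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One event per line:
#   <ISO timestamp> <service> <source IP> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2024-05-01T08:00:01 vpn 203.0.113.10 alice FAIL
2024-05-01T08:00:02 vpn 203.0.113.10 bob FAIL
2024-05-01T08:00:03 vpn 203.0.113.10 carol FAIL
2024-05-01T08:00:04 vpn 203.0.113.10 dave FAIL
2024-05-01T08:00:05 vpn 203.0.113.10 erin FAIL
2024-05-01T08:00:06 vpn 203.0.113.10 frank SUCCESS
2024-05-01T08:10:00 vpn 198.51.100.7 frank SUCCESS
2024-05-01T08:11:00 owa 198.51.100.7 frank SUCCESS
2024-05-01T08:12:00 saas 198.51.100.7 frank SUCCESS
2024-05-01T09:00:00 vpn 192.0.2.55 grace SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    service: str
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the whitespace-separated log format assumed above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, src_ip, user, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), service,
                                src_ip, user, result == "SUCCESS"))
    return events


def find_credential_stuffing(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames with mostly failures.

    Stuffing replays leaked username/password pairs, so a single source
    shows a wide spread of usernames and a low success rate. Any success
    from such a source is a credential that should be reset.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        users = {e.user for e in evs}
        rate = sum(e.success for e in evs) / len(evs)
        if len(users) >= min_users and rate <= max_success_rate:
            findings.append({
                "src_ip": ip,
                "distinct_users": len(users),
                "attempts": len(evs),
                "success_rate": round(rate, 3),
                "compromised": sorted(e.user for e in evs if e.success),
            })
    return findings


def find_portal_sweeps(events, min_services=3, window=timedelta(minutes=30)):
    """Flag one credential succeeding on several portals in a short window.

    A broker confirming a leaked credential tends to try it on every
    exposed portal in quick succession, which ordinary users rarely do.
    """
    by_key = defaultdict(list)
    for e in events:
        if e.success:
            by_key[(e.user, e.src_ip)].append(e)
    findings = []
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):          # sliding window over successes
            while evs[end].ts - evs[start].ts > window:
                start += 1
            services = {e.service for e in evs[start:end + 1]}
            if len(services) >= min_services:
                findings.append({"user": user, "src_ip": ip,
                                 "services": sorted(services)})
                break
    return findings


def triage(text: str) -> dict:
    """Run both detectors over a raw log and return the findings."""
    events = parse_log(text)
    return {"credential_stuffing": find_credential_stuffing(events),
            "portal_sweeps": find_portal_sweeps(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample, the first detector flags 203.0.113.10 (six usernames, one success) and names frank as the account that needs a reset; the second flags frank validating from 198.51.100.7 on vpn, owa and saas within two minutes. The two findings together are the signal to treat that account as already listed for sale, rather than waiting for a dark web mention.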