Initial Access Brokers Explained

Author: Roman Faithfull, Cyber Intelligence Lead

Introduction

Initial access brokers (IABs) form a key part of the cybercriminal ecosystem. They facilitate access for ransomware groups, data leakers, and advanced persistent threat groups (APTs) into corporate networks. They are highly specialised and professional, and operate in an established, lucrative market often characterised by rigid rules and conventions. Every ransomware attack or data breach begins with initial access, following the reconnaissance phase of an attack. For a fee, IABs hold the doors open for other bad actors to enter organisations’ networks. This introductory blog provides a top-level overview of IABs and the world they inhabit, and will pave the way for future, more nuanced blogs on this world.

What is an initial access broker?

Simply, an IAB is a trader of entry points to corporate networks. IABs buy and sell remote access to the computers, websites, servers, admin panels, databases, or computer systems that organisations use to conduct their business. A thief can’t steal gold from a vault without first gaining access to the vault. Likewise, to encrypt files and directories, or delete, alter, or steal sensitive data, any threat actor must first gain access to the network they wish to attack. An attacker can spend time and resources attempting to gain access to this network, or could instead simply purchase access already gained by an IAB. IABs are specialists at getting into these networks and passing on access to other criminals. 

Figure 1. An initial access broker claims the sale of initial access to an unnamed US-based healthcare company

How do they do it?

Initial access brokers are known to gain access to networks in a variety of ways. They may purchase compromised credentials harvested by stealer malware or found in data dumps on cybercriminal forums and marketplaces. They may scan the internet for exposed, public-facing ports that are protected only by default or basic passwords, or sometimes by none at all. They may exploit vulnerabilities in unpatched exposed hosts. They may conduct phishing campaigns or drive-by downloads to spread malware that provides them quiet and continuous access to their target network. Alternatively, IABs may be privilege escalation specialists who purchase low-privileged access from another IAB, increase the privilege level, and sell the now elevated (and more valuable) access to another threat actor. In many instances, it’s a circular economy: credentials found in stealer logs are used to gain access to a host, stealer malware is then installed on that host, which in turn harvests more credentials, and so the cycle continues.

However they do it, the goal of an initial access broker is not to indirectly monetise the access they gain, for example by holding their victim to ransom or stealing and selling its data. Instead, they seek to directly monetise their access, by selling it to another threat actor. 

Where do initial access brokers operate?

Some threat groups have “in-house” agents who gain initial access on the group’s behalf and pass it off to their “colleagues”. Other groups turn to the open market: the IAB listings found in the Access and Auctions sections of Tor-hosted cybercriminal forums.

Some of these forums have been around for literal decades. The two most prominent, Russian-language Exploit and XSS, are characterised by longevity, strict rules, and competent forum administration and moderation teams. They have been running since 2005 and 2013, respectively. English-language counterparts do exist, though the scene is much less stable, with law enforcement site takedowns and jailed forum administrators a comparatively frequent occurrence. In 2024, the IAB market has coalesced around a handful of mostly Russian-language forums. Several of these are also closed, meaning visitors must pay, or otherwise prove their cybercriminal prowess, to register. Occasionally, initial access listings appear on Telegram channels, but these are even more ephemeral.  

Figure 2. The landing page of the Auctions section of a Russian-language cybercriminal forum

How do they operate?

Initial access listings on cybercriminal forums follow some common conventions. 

Vendors are keen to prevent victims from discovering they have been compromised before the access is sold. As such, they typically obscure the identity of the organisation to which they advertise access by refraining from naming it outright. Instead, they provide a vague description that usually, though not always, lists only the victim’s geography, industry sector, and, importantly, revenue, as well as the type and privilege level of the access. Listings may also include the number of employees at the organisation, or present technical information such as the number of hosts or the type of antivirus present in the victim’s network, or the type and amount of data available via the access.

Some IABs sell accesses individually, others sell them in bundles. Some particularly trusted IABs may not even advertise named accesses, and instead rely on pinned posts that only note that they sell initial access; interested buyers must contact them via private message to discover what the vendor has in stock. On many Russian forums, Russian criminal slang and other writing conventions are used to further obfuscate information from those not in the know. 
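Defenders who monitor these listings need to normalise the loosely structured metadata described above (geography, sector, revenue, access type, privilege level, host count, antivirus) into fields they can compare against their own organisation’s profile. The following added example, which is not Cyjax’s code and is not taken from the original post, does that for constructed listing lines and flags those worth a closer look. The `Label: value | Label: value` layout, the field names and the sample values are assumptions made for illustration, not a real forum format; a match is a triage signal, never confirmation of a breach.

```python
"""
Normalise free-text initial access listings into structured records and
triage them against an organisation's own profile.

Added example, not Cyjax's code and not from the original post. The listing
lines below are constructed to mirror the conventions described in the post;
the field labels and separators are assumptions, not a real forum format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample listings (not real posts).
SAMPLE_LISTINGS = [
    "Type: RDP | Country: US | Industry: Healthcare | Revenue: $250M | Rights: Domain Admin | Hosts: 1200 | AV: ExampleAV",
    "Type: VPN | Country: DE | Industry: Manufacturing | Revenue: 1.2B | Rights: User | Hosts: 3500",
    "Type: Citrix | Country: US | Industry: Retail | Revenue: 40M | Rights: Local Admin",
]

_MULTIPLIER = {"K": 1_000, "M": 1_000_000, "B": 1_000_000_000}

# Assumed label -> attribute mapping for the constructed format.
_FIELD_MAP = {
    "type": "access_type",
    "country": "country",
    "industry": "industry",
    "revenue": "revenue_usd",
    "rights": "privilege",
    "hosts": "hosts",
    "av": "antivirus",
}


@dataclass
class AccessListing:
    access_type: Optional[str] = None
    country: Optional[str] = None
    industry: Optional[str] = None
    revenue_usd: Optional[int] = None
    privilege: Optional[str] = None
    hosts: Optional[int] = None
    antivirus: Optional[str] = None
    raw: str = ""


def parse_revenue(text: str) -> Optional[int]:
    """Turn '$250M', '1.2B' or '40m' into an integer number of dollars."""
    m = re.fullmatch(r"\$?\s*([0-9]+(?:\.[0-9]+)?)\s*([KMB])?", text.strip(), re.IGNORECASE)
    if not m:
        return None
    value = float(m.group(1))
    suffix = (m.group(2) or "").upper()
    return int(round(value * _MULTIPLIER.get(suffix, 1)))


def parse_listing(line: str) -> AccessListing:
    """Split 'Label: value | Label: value' into an AccessListing.
    Unknown labels are ignored; missing fields stay None."""
    listing = AccessListing(raw=line)
    for chunk in line.split("|"):
        if ":" not in chunk:
            continue
        label, value = chunk.split(":", 1)
        attr = _FIELD_MAP.get(label.strip().lower())
        if attr is None:
            continue
        value = value.strip()
        if attr == "revenue_usd":
            setattr(listing, attr, parse_revenue(value))
        elif attr == "hosts":
            setattr(listing, attr, int(value) if value.isdigit() else None)
        else:
            setattr(listing, attr, value)
    return listing


@dataclass
class OrgProfile:
    country: str
    industry: str
    revenue_usd: int
    hosts: int


def match_score(listing: AccessListing, org: OrgProfile) -> int:
    """Count how many advertised attributes are consistent with our organisation.
    Revenue and host count count as a match within +/-50%, since vendors round
    or deliberately fudge them. A high score means 'worth a closer look'."""
    score = 0
    if listing.country and listing.country.upper() == org.country.upper():
        score += 1
    if listing.industry and listing.industry.lower() == org.industry.lower():
        score += 1
    if listing.revenue_usd and 0.5 * org.revenue_usd <= listing.revenue_usd <= 1.5 * org.revenue_usd:
        score += 1
    if listing.hosts and 0.5 * org.hosts <= listing.hosts <= 1.5 * org.hosts:
        score += 1
    return score


def triage(lines: list[str], org: OrgProfile, threshold: int = 3) -> list[AccessListing]:
    """Return the listings that match the profile on at least `threshold` attributes."""
    parsed = [parse_listing(line) for line in lines]
    return [p for p in parsed if match_score(p, org) >= threshold]


if __name__ == "__main__":
    # Constructed profile of the monitoring organisation.
    me = OrgProfile(country="US", industry="Healthcare", revenue_usd=300_000_000, hosts=1000)
    for hit in triage(SAMPLE_LISTINGS, me):
        print(f"score={match_score(hit, me)} -> {hit.raw}")
```

The tolerant revenue and host-count comparison is deliberate: listings round figures and vendors have every incentive to blur them, so exact matching would miss the listings that matter most. Anything crossing the threshold should feed an internal investigation of the advertised access type (for example, a review of external RDP or VPN logons), not an outward response.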

Figure 3. An initial access broker uses one post to advertise multiple initial access listings 

Why do IABs use cybercriminal forums?

Like any flavour of cybercriminal, IABs face a common challenge: “How do I keep my identity anonymous while also communicating with other criminals?” IABs need to protect their identity but also need to discover and communicate with their target market. Tor-hosted cybercriminal forums, if they are worth their salt, solve these issues. Their encrypted messaging systems, and in-built justice systems such as escrow and “people’s courts”, allow IABs to negotiate trade privately and anonymously, while also being able to appeal to the forum administration should another party try to swindle them. 

Figure 4. The Arbitration section on a cybercriminal forum sees users appealing to the forum administration to settle their claims against other users

Furthermore, most forums have a reputation system, where points are awarded to legitimate traders upon completion of successful sales. Many forums also feature a deposit system, where users can deposit cryptocurrency, often very large sums, onto their profile, allowing them to “put their money where their mouth is”. As such, users can often discern which actors are credible, without the need to know their offline identity. However, these systems are not infallible and exit scamming remains an issue.  

Perhaps most importantly, IABs also like to use cybercriminal forums because it solves a lot of their marketing problems; cybercriminal forums present a ready-made market for their wares. These forums attract almost every flavour of criminal, from ransomware affiliates, identity fraudsters, carders, and malware developers, to money launderers and more. Many would be interested in purchasing initial access to a corporate network. IABs therefore don’t need to create and maintain their own platforms to advertise access; they can simply use one that already exists.

Figure 5. Ransomware operators advertising their ransomware-as-a-service (RaaS) partnership programs on a cybercriminal forum

Why do initial access brokers exist?

If IABs can gain access to networks, it follows that technically competent ransomware operators and affiliates should also be able to do so. After all, in many ransomware attacks or data breaches, initial access was gained through publicly exposed entry points, hardly Fort Knox. As such, one may wonder why a threat group would pay for access when it could likely obtain it itself.

Though many extortion and data-leak groups do gain initial access “in-house”, the existence of IABs allows for specialisation. They allow other actors to focus on their relative area of expertise, for example, lateral movement, privilege escalation, encryption, exfiltration, or negotiation. Cybercrime is a huge business, and like any business, it has specialists. Just as a retailer may not manufacture the products it sells, a ransomware group may choose to focus on encrypting its victim’s data, rather than having to spend time conducting reconnaissance and gaining access to its victim’s network. The IAB market allows IABs to get really good at gaining access without having to worry about all the nuances of extorting a victim. They get in, sell on, and cash out.

Often, once a cybercriminal has gained initial access to a network, they do not actually know which company they have breached. This is especially true if the compromised machine sits behind a VPN, in the cloud, on a virtual machine, or behind some other proxy. In this case, they often need to hunt around the victim’s network, conducting network discovery and examining files, to find out the exact identity of the victim. After all, exposed ports visible on network scanners are hardly titled “big bank access here”. In many cases, once an attacker discovers the nature and identity of an access they have gained, they may choose to simply discard it. Maybe it belonged to a company so small it was not worth extorting. Maybe the network was so secure or compartmentalised that the attacker would struggle to pivot to other hosts within it. Or maybe the victim turned out to be based in a country or industry sector that the attacker didn’t wish to target. Instances of discarded access represent a waste of time (and potentially money) for an attacker. Instead, threat groups can turn to IABs, who have already worked out the nature of the target environment and the country, sector, and revenue of the victim.

What about the IAB? If they gain access to a valuable network, why don’t they just conduct a ransomware attack or steal data themselves? Well, this specialisation works both ways. Much as a ransomware group may not have the time or resources to trawl the internet searching for exposed hosts or to conduct sophisticated phishing campaigns to gain initial access, an IAB may not have the capability or resources to conduct a ransomware attack against the network they have compromised. By selling the access, the IAB keeps their hands clean. They don’t need to worry about getting caught for installing a ransomware executable, stealing data, extorting the organisation, and collecting and laundering a ransom payment; they simply sell the access to another group that specialises in all that, and move on.

So what?

Hopefully, you now have a much greater understanding of what an initial access broker is, why it exists, and where, how, and why it operates as it does. For more information on this threat landscape, watch out for the next Cyjax broadcasts in this series.

Cyjax leverages its linguistic capabilities and years of experience in the field to track all initial access listings across the most prominent and hidden cybercriminal forums. To find out more about our coverage of initial access brokers and the threat landscape they inhabit, visit cyjax.com/demo/
