
Written by the Center of Security Studies (KEMEA)
Initial Access Brokers (IABs) are specialised cybercriminals who infiltrate networks and then sell that access to others, acting as brokers of information (and entry points) in the cybercriminal economy. They don’t execute full attacks themselves but, for a price, enable ransomware groups, data thieves, and espionage actors to scale operations quickly and effectively. Hence, IABs are threat actors who gain unauthorised entry into systems so that they can market that access in dark web fora. In the dark web underworld, they act as middlemen who gain entry through exposed Remote Desktop Protocol (RDP) services, VPN credentials, phishing, or vulnerabilities in email portals.
Why IABs Matter
- Division of Labour: By outsourcing the initial breach, ransomware groups can focus on encryption and extortion, while IABs profit by selling their infiltration outcomes.
- Efficiency: This model accelerates attacks – sometimes within days of access being sold.
- Risk Reduction: IABs avoid the spotlight of executing attacks themselves, lowering their exposure to law enforcement.
Trends and Targets
- Industry: Business services, retail, and manufacturing are frequent victims, with large organisations increasingly targeted due to higher revenue potential.
- Geography: The U.S. and EU remain prime targets, but South America is also trending upwards.
- Tactics: VPN access surged in 2024, reflecting evolving attack vectors.
Risks and Challenges
- Rapid Attack Deployment: Once access is sold, ransomware operators can strike immediately, if they wish to.
- Hidden Economy: Transactions occur in underground fora, making detection difficult, as it is complicated to “follow the money”.
- Escalating Costs: As high-revenue industries and high-importance organisations are targeted, the financial impact of IAB-enabled breaches grows exponentially.
Defensive Measures
- Multi-layered Security: As always, combining technical defenses (patching, MFA, network segmentation) with organisational measures (training, monitoring) is of the utmost importance as a base.
- Threat Intelligence: Monitoring dark web marketplaces for access listings provides early warnings.
- Scenario-Based Training: Preparing staff to recognise phishing and credential theft reduces the likelihood of initial compromise.
In conclusion, IABs have transformed initial access into a service, making cybercrime more scalable and efficient. They are not just hackers but, subsequently, brokers of information and entry points, fueling the underground economy. For defenders, understanding their role is critical to anticipating and mitigating attacks before they escalate.


