
What Are Initial Access Brokers (IABs)?
Cyberattacks rarely begin with encryption or data theft. They often start with a quiet exchange: one threat actor selling unauthorized access to a compromised network. This is the role of Initial Access Brokers (IABs). These actors specialize in gaining entry to systems and then selling that access to other threat actors, often ransomware operators.

A threat actor sells access to a ransomware operator on the dark web.
IABs do not launch full-scale attacks. Instead, they focus on breaching networks using exposed services, stolen credentials, or vulnerabilities in remote access infrastructure such as RDP, VPN, or email portals. Once they gain a foothold, they monetize it by listing the access for sale on dark web forums or private communication channels.
At SOCRadar, we continuously monitor underground sources to uncover these access listings. Our threat intelligence platform correlates dark web activity, credential leaks, and vulnerability exploitation to give defenders early warning. When access to a company is for sale, the real attack is usually only days away.
In this blog post, we explain how Initial Access Brokers operate, what makes their activity so critical in the cybercrime economy, and how “Initial Access Intelligence” can help organizations stay one step ahead.
Who Are Initial Access Brokers?
Initial Access Brokers (IABs) are specialized threat actors who focus solely on the earliest phase of a cyberattack. Their goal is not to steal data or deploy ransomware directly. Instead, they compromise corporate networks and then sell that access to other attackers. This model has turned initial access into a service, and it has become one of the most efficient entry points for large-scale cybercrime.
IABs typically operate in a highly structured way. First, they identify vulnerable targets using techniques like credential stuffing, vulnerability scanning, or phishing. Once they gain access, they validate its quality, maintain persistence through webshells or remote administration tools, and then prepare it for sale.
The access they sell varies. It might be a single set of VPN credentials, a compromised domain administrator account, or even full access to an enterprise network. IABs often include metadata in their listings, such as company size, revenue estimates, geographic location, and type of access. These details help buyers match access types with their own goals, especially in ransomware operations where quick domain-wide control is critical.
By outsourcing the intrusion phase to IABs, ransomware operators and other threat actors can scale their operations faster. In effect, IABs have become a core part of the cybercrime supply chain.
SOCRadar actively monitors dark web marketplaces and closed communities where access-for-sale listings appear. Our analysts have observed a consistent increase in both the volume and diversity of IAB offerings, affecting organizations across nearly every sector.
How Are Initial Access Sales Shaping the Global Threat Landscape?
According to SOCRadar’s Advanced Dark Web Monitoring module, the trade of unauthorized access has steadily intensified across the cybercrime underground. When analyzed over a two-year period, the number of initial access listings has more than doubled, with volumes in early 2025 showing over a 100% increase compared to the same quarter in 2023.

Line chart illustrating the quarterly increase in initial access listings detected on dark web sources, based on SOCRadar’s monitoring data from Q1 2023 to Q1 2025.
Geographical Concentration
Access listings remain highly concentrated across a small set of regions. The United States alone accounts for approximately 24.7% of all observed access-for-sale advertisements. Combined with the United Kingdom (5.3%) and India (4.3%), the top three countries represent more than 34% of global listings.

Horizontal bar chart showing the percentage distribution of initial access listings by country, based on dark web data.
This disproportionate targeting reflects the combination of digital infrastructure size, remote access exposure, and monetization potential. Economically advanced and digitally connected countries appear to be the primary hunting grounds for Initial Access Brokers.
Industry Targeting
Targeting by sector shows a similar pattern of concentration. Retail trade alone accounts for around 15.8% of all observed listings. When paired with electronic shopping and mail-order services (13.6%), e-commerce as a whole represents close to 30% of the initial access trade.

Bar chart showing the top 10 industries most frequently targeted in dark web initial access listings, based on SOCRadar’s monitoring data.
Collectively, the top five industries represent over 46% of all identified access listings. These sectors typically combine high operational dependency with exploitable digital footprints, making them attractive to brokers seeking fast-turnaround sales.
How Do Initial Access Brokers Operate?
Initial Access Brokers use a range of techniques to compromise networks, often focusing on exposed attack surfaces and weak authentication. Their operations are opportunistic but increasingly automated and scalable. Most IABs follow a structured workflow: identify a target, gain access, establish persistence, and sell.
Common Access Methods
- Credential Theft and Reuse
IABs rely heavily on stolen credentials obtained through infostealer malware, phishing campaigns, or previous breaches. These credentials are tested against VPNs, RDP servers, webmail portals, and remote management tools. If multi-factor authentication is not enforced, access is often immediate.
- Exploiting Known Vulnerabilities
Public-facing services with unpatched CVEs are common entry points. Vulnerabilities in Citrix ADC, Fortinet FortiGate, VMware ESXi, and Microsoft Exchange have been widely used by brokers. IABs monitor vulnerability disclosures and rapidly exploit exposed systems, sometimes within hours of a proof-of-concept release.
- Brute Force and Credential Stuffing
Automated tools allow brokers to test large credential sets against known login portals. Weak password policies and reused credentials significantly increase success rates. Once access is verified, the broker extracts additional information to enhance the value of the listing.
- Phishing and Loader Malware
Some IABs use phishing emails to deliver lightweight malware loaders that establish initial footholds. These loaders often act as droppers for more advanced tools like Cobalt Strike or enable access through reverse shells. In some cases, the malware itself is customized to match the buyer’s targeting preferences.
- Persistence Techniques
After gaining entry, IABs work to maintain it. Common methods include:
  - Creating hidden local admin accounts
  - Deploying webshells on accessible web servers
  - Planting remote access software with altered configurations
  - Modifying registry keys or startup scripts for stealth
Establishing persistence ensures the access remains valuable even if initial credentials are reset or network changes occur.
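The credential-testing pattern described above, seen from the defender's side: an added example (not code from this post or from SOCRadar) that flags one source failing against many distinct accounts on a VPN portal and then rates any subsequent login from that source, critical if it arrived without MFA. The log format, the sample lines, the thresholds and the field names are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN portal authentication log (not from any real system):
# one source tries many usernames, then logs in without MFA.
SAMPLE_LOG = """\
2025-03-02T08:00:01Z src=203.0.113.45 user=alice result=FAIL
2025-03-02T08:00:02Z src=203.0.113.45 user=bob result=FAIL
2025-03-02T08:00:02Z src=203.0.113.45 user=carol result=FAIL
2025-03-02T08:00:03Z src=203.0.113.45 user=dave result=FAIL
2025-03-02T08:00:04Z src=203.0.113.45 user=erin result=FAIL
2025-03-02T08:00:05Z src=203.0.113.45 user=frank result=FAIL
2025-03-02T08:00:09Z src=203.0.113.45 user=grace result=SUCCESS mfa=no
2025-03-02T08:15:00Z src=198.51.100.7 user=alice result=FAIL
2025-03-02T08:15:30Z src=198.51.100.7 user=alice result=SUCCESS mfa=yes
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>\S+)(?: mfa=(?P<mfa>\S+))?$")

def parse(log):
    """Turn log text into event dicts; lines in an unexpected format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def detect(log, min_users=5, window=timedelta(minutes=5)):
    """Flag a source that fails against >= min_users distinct accounts inside
    `window` (credential stuffing), and any later SUCCESS from that source;
    a success without an observed MFA step is rated critical because
    the broker's access is immediate."""
    recent = defaultdict(list)   # src -> [(ts, user)] failures inside window
    flagged = set()
    alerts = []
    for ev in parse(log):        # assumes lines are in time order
        src = ev["src"]
        if ev["result"] == "FAIL":
            recent[src] = [(t, u) for t, u in recent[src] if ev["ts"] - t <= window]
            recent[src].append((ev["ts"], ev["user"]))
            users = {u for _, u in recent[src]}
            if len(users) >= min_users and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "credential_stuffing", "src": src,
                               "distinct_users": len(users)})
        elif ev["result"] == "SUCCESS" and src in flagged:
            alerts.append({"type": "foothold_after_stuffing", "src": src,
                           "user": ev["user"],
                           "severity": "critical" if ev["mfa"] != "yes" else "high"})
    return alerts
```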
Access Monetization
Once access is stable and verified, the broker prepares it for sale. Listings often appear on dark web forums, encrypted chat groups, or invite-only marketplaces. A typical listing includes:

Dark web post offering VPN, RDWeb, and Citrix access to industrial, educational, and government organizations in the United States, Austria, and Malaysia, with domain-level credentials and revenue-based pricing. (SOCRadar Dark Web News)
- Target industry and country
- Estimated revenue or employee count
- Type of access (e.g., “VPN + Domain Admin”)
- Persistence level
- Price (ranging from $200 to $10,000+)
While some IABs operate anonymously, others build reputations over time and receive repeat business from ransomware affiliates. This level of specialization has created a marketplace where access is priced and packaged like a commercial product.

Screenshot of a dark web marketplace offering RDP access listings, with search filters and multiple U.S.-based admin-level systems available for purchase.
SOCRadar tracks these access listings in real time. By correlating them with credential leaks, exposed services, and known vulnerabilities, we provide contextual intelligence that helps organizations understand their exposure before attackers take the next step.
More Cases: Real-World Intrusions Linked to Initial Access Brokers
Initial access doesn’t always begin with a clear advertisement on a dark web forum. Sometimes it’s a set of VPN credentials quietly harvested by infostealer malware, a remote desktop login offered in a private Telegram channel, or leaked employee accounts resurfacing on breached credential markets.
These events often point to the involvement of actors operating like Initial Access Brokers (IABs), whether through direct sales or indirect hand-offs to ransomware affiliates. The following real-world cases illustrate how dark web exposure and broker-style activity enable some of the most disruptive cyberattacks seen in recent years.
Alleged Dark Web Access Trade Linked to Schneider Electric Breach
In November 2024, Schneider Electric was targeted by a threat actor known as Hellcat, who claimed to have breached the company’s internal Jira system. The attacker exfiltrated over 40 gigabytes of project documentation and hundreds of thousands of user records. In underground posts, the incident was referred to as “Baguette”, a name chosen to mock the company’s French origin.

The claim of the Schneider Electric breach posted on HellCat’s Dark Web platform (Source: SOCRadar Dark Web News)
The intrusion did not involve a known vulnerability or exploit. Instead, the attacker appeared to use valid employee credentials, likely obtained through infostealer malware. This method is widely associated with Initial Access Brokers, who frequently collect or purchase stealer logs to gain entry into corporate environments.
Although no access listing was publicly identified, Hellcat is suspected to operate on BreachForums and has been linked to other cases involving unauthorized access to enterprise systems. The use of stolen credentials, the absence of technical exploitation, and the focus on project data all suggest a broker-style intrusion with data theft as the primary goal.
This case underscores the importance of detecting infostealer infections and monitoring underground activity for exposed credentials. Even without a formal access listing, the presence of corporate logins in criminal marketplaces can silently open the door to severe data breaches.
Alleged Shell Access to U.S.-Based Intelligence Entity Offered on Dark Web

Hacker forum post offering alleged Shell access to a U.S.-based organization (Source: SOCRadar Dark Web News)
SOCRadar identified a dark web post in which a threat actor claimed to sell unauthorized shell access to an intelligence-related organization based in the United States. The access was described as Linux-based, and the target’s estimated revenue was listed as $1 billion. Although the organization was not named, the nature of the offer suggests a high-value environment. The actor provided no technical details and requested private contact for negotiation. The listing reflects typical Initial Access Broker tactics, where credential-based or misconfigured remote systems are quietly offered for sale.
A Ransomware Group Recruits Access Brokers for Enterprise Network Intrusions

Dark web forum post offering partnership to access brokers, with focus on RDP, VPN, and domain access to enterprise environments. (Source: SOCRadar Dark Web News)
SOCRadar analysts identified a dark web forum post in which operators of the Desolator Ransomware openly called for partnerships with initial access brokers. The post specifically requested valid RDP, VPN, or domain-level access to mid-to-large organizations, offering a revenue-sharing model instead of upfront payments.
This reflects the growing reliance of ransomware groups on brokers who can deliver ready-made access to enterprise networks. By outsourcing the intrusion phase, such actors reduce operational risks and shorten the path to deployment. The recruitment post also detailed advanced ransomware capabilities, including Active Directory propagation and anti-forensic techniques, underscoring the potential impact once access is handed over.
Cases like this demonstrate how initial access has evolved into a distinct and highly valuable phase of the cyberattack lifecycle. Whether access is obtained through insiders, stolen credentials, or malware infections, the ability to detect and understand these early-stage intrusions has become critical. This is where Initial Access Intelligence plays a vital role.
What Is Initial Access Intelligence?
A high-impact cyberattack often starts with a quiet intrusion. This intrusion might involve a compromised VPN credential, an exposed remote desktop service, or a forgotten vulnerability in a customer-facing system. These weak points are typically exploited not by ransomware gangs directly, but by specialized actors whose role is to gain access and sell it. Understanding how these intrusions begin is the purpose of Initial Access Intelligence.
Initial Access Intelligence refers to the process of detecting, analyzing, and contextualizing the tactics, techniques, and procedures that threat actors use to gain their first foothold in a target environment. It focuses specifically on the entry phase of the cyber kill chain, before payloads are delivered or lateral movement begins.
This intelligence discipline involves several core elements:
- Tracking access-for-sale activity: Monitoring forums, encrypted channels, and marketplaces where compromised infrastructure is advertised.
- Identifying exposure vectors: Analyzing how threat actors gain entry—through stolen credentials, phishing kits, open RDP/VPN, webshells, or CVE exploitation.
- Correlating pre-attack behaviors: Linking malware infections, initial scans, or stolen credential logs to specific threat actor campaigns.
- Detecting staging activity: Observing backdoor installations, beaconing traffic, or infrastructure setup used to prepare for further compromise.
Initial Access Intelligence is distinct from general threat intelligence because of its timing. It provides value before the main attack takes place. It reveals intent, not just execution.
For example, discovering that access to a healthcare provider is being offered on a dark web forum—with administrator-level credentials and a persistent RDP backdoor—offers defenders a short but critical window of opportunity. This signal may arrive days or weeks before a ransomware group uses that access to deploy encryption tools or exfiltrate sensitive data.
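The correlation step behind such a warning, as an added example rather than SOCRadar's own tooling: it parses the metadata fields brokers typically advertise (industry, country, revenue, access type, persistence, privilege level) out of free-text listings and scores each against the defending organization's own profile and externally exposed services, so that a listing like the healthcare scenario above rises to the top. The three listings, the organization profile, the keyword tables and the scoring weights are all constructed assumptions.

```python
import re

# Constructed access-for-sale listings (not real posts), in the style of the metadata brokers advertise.
LISTINGS = [
    {"id": "L-1", "text": "Selling VPN + Domain Admin. USA, healthcare, "
                          "revenue $450M, persistent RDP backdoor. Price $6000"},
    {"id": "L-2", "text": "RDWeb access, Austria, retail, rev 30M, user level. $400"},
    {"id": "L-3", "text": "Citrix creds, USA, education, revenue 1.2B, admin. $8500"},
]
# Assumed (hypothetical) profile of the defending organization and its exposed services.
ORG = {"country": "USA", "industry": "healthcare", "revenue_musd": 460,
       "exposed_services": {"vpn", "rdp"}}

COUNTRY_ALIASES = {"usa": "USA", "united states": "USA", "austria": "Austria",
                   "uk": "UK", "united kingdom": "UK", "us": "USA"}
SERVICE_WORDS = {"vpn": "vpn", "rdp": "rdp", "rdweb": "rdp", "citrix": "citrix"}
INDUSTRIES = ["healthcare", "retail", "education", "government", "industrial"]
REV_RE = re.compile(r"rev(?:enue)?\s*\$?\s*([\d.]+)\s*([mb])", re.I)

def parse_listing(text):
    """Pull the advertised fields out of free text; missing fields are None/empty."""
    low = text.lower()
    words = set(re.findall(r"[a-z]+", low))
    rev = REV_RE.search(low)
    return {
        "country": next((c for a, c in COUNTRY_ALIASES.items()
                         if re.search(r"\b%s\b" % re.escape(a), low)), None),
        "industry": next((i for i in INDUSTRIES if i in words), None),
        "revenue_musd": (float(rev.group(1)) * (1000 if rev.group(2) == "b" else 1)
                         if rev else None),                # normalised to $M
        "services": {s for w, s in SERVICE_WORDS.items() if w in words},
        "admin": "admin" in words,
        "persistence": bool(words & {"persistent", "backdoor", "webshell"}),
    }

def score_listing(f, org):
    """Weighted match of parsed fields against the organization; returns (score, reasons)."""
    rev, tol = f["revenue_musd"], 0.25 * org["revenue_musd"]
    checks = [
        (f["country"] == org["country"], 3, "country"),
        (f["industry"] == org["industry"], 3, "industry"),
        (rev is not None and abs(rev - org["revenue_musd"]) <= tol, 2, "revenue"),
        (f["admin"], 2, "admin"),
        (f["persistence"], 1, "persistence"),
    ] + [(True, 1, s) for s in sorted(f["services"] & org["exposed_services"])]
    hits = [(p, label) for ok, p, label in checks if ok]
    return sum(p for p, _ in hits), [label for _, label in hits]

def prioritize(listings, org, threshold=8):
    """Rank listings by match score; `alert` marks those worth escalating."""
    scored = [(l["id"],) + score_listing(parse_listing(l["text"]), org) for l in listings]
    ranked = [{"id": i, "score": s, "reasons": r, "alert": s >= threshold}
              for i, s, r in scored]
    return sorted(ranked, key=lambda r: -r["score"])
```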
The scope of Initial Access Intelligence also includes:
- Vulnerability trends in attack paths frequently exploited by initial access brokers
- Analysis of stealer logs to identify credentials harvested from specific corporate environments
- Mapping of attacker infrastructure used for scanning, enumeration, or initial access payload delivery
- Detection of tools like Cobalt Strike or legitimate remote management utilities being staged early in an attack
Initial Access Intelligence allows security teams to shift their focus from response to prevention. It helps identify who might be targeting an organization, how they are getting in, and what level of access they are able to obtain. When applied correctly, it can stop ransomware, data theft, and other high-impact threats before they begin.
Technical intelligence means little without the right visibility. To prevent unauthorized access before it happens, defenders need to see what attackers see. That starts with understanding the organization’s digital footprint—every exposed asset, misconfigured gateway, or forgotten domain that could become an entry point.

SOCRadar External Attack Surface Management
SOCRadar’s External Attack Surface Management module enables this visibility by continuously mapping external-facing systems. It reveals common access points targeted by Initial Access Brokers, such as unsecured VPNs, open RDP servers, and outdated software exposed to the internet. Closing these paths early helps eliminate the very foundations of access-for-sale listings.
Beyond infrastructure, threat actors often rely on stolen identities. SOCRadar’s Dark Web Monitoring tracks underground forums and marketplaces where access to corporate environments is actively traded. These insights help organizations detect when they are being targeted, long before the actual attack begins.

SOCRadar Identity & Access Intelligence
To complete the picture, Identity & Access Intelligence enables defenders to investigate how credentials are compromised and misused. By analyzing billions of leaked records and stealer data, this module reveals which users, accounts, or access points have already been exposed. It connects identities with access patterns, offering detailed intelligence on where and how attackers might log in next.
When these layers come together, security teams move from reactive investigation to proactive defense. They gain the tools to detect exposure early, understand attacker behavior, and shut down access before it’s sold.