Initial Access Brokers Shift Tactics, Selling More for Less


Initial Access Brokers (IABs) specialize in gaining unauthorized entry into computer systems and networks, then selling that access to other cybercriminals. This division of labor allows IABs to concentrate on their core expertise: exploiting vulnerabilities through methods like social engineering and brute-force attacks.

By selling access, they significantly mitigate the risks associated with directly executing ransomware attacks or other complex operations. Instead, they capitalize on their skill in breaching networks, effectively streamlining the attack process for their clients.

This business model enables IABs to operate with a lower profile and reduced risk, while still profiting from their technical skills. Operating primarily on dark web forums and underground markets, IABs can function independently or as part of larger organizations like Ransomware-as-a-Service (RaaS) gangs.

They act as a crucial link in the cybercrime ecosystem, providing the initial foothold needed for ransomware gangs, data thieves, and other malicious actors to carry out their operations. The pricing of their services depends on the target’s size, the level of access granted, and the perceived value of the compromised system, with sales typically conducted on the dark web.

The rising prominence of Initial Access Brokers (IABs) is directly tied to their ability to streamline and accelerate ransomware operations, particularly Ransomware-as-a-Service (RaaS) schemes. By handling the complex task of initial network infiltration, IABs allow ransomware groups to focus solely on data encryption and extortion, effectively scaling their attack capabilities.

This efficiency is further amplified by the growing trend of IABs working directly for RaaS affiliates, enabling near-instantaneous attacks upon access procurement, eliminating the time-consuming process of establishing a foothold.

This symbiotic relationship benefits both sides. RaaS groups gain speed and efficiency, while IABs secure a consistent stream of work, often bypassing the need for public advertising on dark web forums.

This reduced visibility provides a layer of protection from law enforcement scrutiny, as their activities are less exposed compared to those operating on open marketplaces. This combination of increased operational efficiency for ransomware groups and reduced risk for IABs has fueled the rapid expansion and influence of IABs within the cyber crime ecosystem.

In 2023, the business services sector was clearly the most targeted industry. Although it is still in the top 3 in 2024 with 13%, there is now a much wider spread of industries being targeted. Whereas in 2023 the business services sector accounted for a whopping 29% of attacks, that number stood at just 13% in 2024. The same is true for the other industries showing diminished percentages. This could be due to IABs broadening the range of industries that they are targeting.

As usual, the USA is a prime target, as its economic and technological power makes for high-value targets. Notably, Brazil and France secured the second and third spots respectively, indicating high-value targets in both countries.

To see what types of businesses are being targeted in more depth read our guide to IABs here.

The Initial Access Broker (IAB) market demonstrates a dynamic pricing structure, generally offering corporate access between $500 and $3,000. While 2023 saw an average listing price of $1,979, skewed by occasional high-value targets reaching tens of thousands of dollars, the median price remained significantly lower at $1,000, with a majority of listings below $3,000.

In 2024, cybercriminals are increasingly targeting smaller victims. While they’ve generally lowered the prices for selling access to hacked systems, with 86% costing under $3,000, the average price has actually gone up to $2,047. This higher average is misleading because a few very expensive sales are skewing the number.

As the chart shows, the vast majority (58%) of access deals now cost less than $1,000 – a big change from 2023. Furthermore, expensive access options are less common, now making up only 7% of what’s for sale.

This strategic price reduction, coupled with a decrease in high-value listings, suggests a change in IAB tactics. They are now focusing on volume, offering numerous lower-priced access points that, in aggregate, can yield substantial financial gains.

Despite the lower individual prices, the sheer quantity of available access points poses a significant threat, potentially causing widespread damage and proving more lucrative than a smaller number of high-priced sales. This shift indicates an evolution in the IAB market, prioritizing accessibility and volume over individual high-value transactions.

To see detailed information on the TTPs being used by IABs, read our guide here.

The rise of Initial Access Brokers (IABs) is driven by a confluence of factors that enhance the efficiency and profitability of cyber crime. Their specialization in initial network infiltration allows ransomware groups and other malicious actors to focus on later stages of attacks, streamlining operations and increasing the scale of potential damage.

The growing trend of direct collaboration between IABs and Ransomware-as-a-Service (RaaS) affiliates further accelerates attack timelines, creating a more efficient and dangerous cyber criminal ecosystem.

The evolution of IAB pricing strategies also reveals a significant shift in tactics. IABs are increasingly focusing on volume, offering numerous lower-priced access. This strategy maximizes potential financial gains by providing a wider range of attack vectors, making cyber crime more accessible and potentially more damaging.

This shift, coupled with the reduced visibility afforded by operating outside of public dark web forums, provides IABs with a significant layer of protection from law enforcement.

Looking ahead, we can expect IABs to continue playing a pivotal role in the cyber crime landscape. Their ability to provide readily available access points will likely fuel the growth of ransomware and other financially motivated attacks. The trend towards lower-priced, high-volume access sales suggests that smaller organizations, previously considered less attractive targets, will face increasing risk.

Furthermore, as IABs mature their tactics and strengthen ties with RaaS affiliates, the speed and efficiency of cyber attacks will continue to increase. Therefore, proactive cyber security measures, including threat intelligence on up-to-date TTPs, continuous monitoring, and employee training, will become increasingly critical in mitigating the growing threat posed by IABs.

For detailed insights into contemporary IAB tactics, including access types, privilege usage, and recommended protective measures, consult the comprehensive IAB guide or attend our talk at this year’s RSA conference by Adi Bleih, Security Researcher, titled Initial Access Brokers – A Deep Dive, on April 30th at 2:25pm in HT-W09. You can add it to your schedule here.
