Initial Access Broker (IAB)
Threat Intelligence
Definition
Cybercriminal specialists who focus exclusively on gaining unauthorized access to organizational networks and then selling that access to other threat actors — most commonly ransomware operators — through dark web marketplaces rather than monetizing the access themselves.
Technical Details
Initial Access Brokers represent a specialized layer in the cybercriminal ecosystem that emerged prominently around 2018-2019 and became a major market segment by 2021. IABs typically gain access through phishing campaigns, exploitation of unpatched vulnerabilities in internet-facing systems (VPN appliances, RDP, Citrix, Exchange), credential stuffing using leaked credential databases, or purchasing credentials from infostealer malware operators. Once access is established, the IAB verifies the access quality, identifies the victim organization's size and revenue, and lists the access for sale.

Pricing on IAB listings varies based on several factors: the size and perceived revenue of the victim organization, the level of access obtained (domain admin vs. standard user), the security products deployed in the environment (antivirus or EDR products that might detect buyer activity), and the sector (healthcare, financial services, and government typically command premiums). Access listings typically range from a few hundred dollars for small organizations to tens of thousands for Fortune 500 companies with domain admin access. Payment is typically in Monero or Bitcoin through escrow services on cybercriminal forums such as RAMP, Exploit, or XSS.

IABs commonly specialize in particular access vectors. Some focus on compromised VPN credentials (particularly Fortinet, Pulse Secure, and Citrix vulnerabilities that generated large numbers of valid credentials), while others specialize in compromised RDP servers, corporate email accounts, or web shells on internet-facing servers. The operational security of established IABs can be sophisticated: they avoid encrypting or stealing data (to minimize legal exposure and detection) and simply maintain persistence through legitimate remote access tools before handing off to buyers.

The IAB market enables ransomware-as-a-service groups to scale operations massively without needing in-house initial access capabilities. LockBit, ALPHV, and other major RaaS operations explicitly state that they purchase access from IABs. This creates a division of labor that makes the ransomware ecosystem more resilient: disrupting ransomware operators doesn't necessarily disrupt the IABs supplying them.
Practical Usage
From a threat intelligence perspective, monitoring IAB forums provides valuable early warning when organizational access is being sold. Services like Recorded Future, Intel 471, and Cybersixgill monitor these forums and can alert when a specific organization's network access appears in listings. The lag between when an IAB lists access and when a ransomware operator purchases it and deploys ransomware can be days to weeks, which provides a potential detection window.

Defensively, organizations should focus on the access vectors IABs most commonly exploit. Vulnerability management should prioritize internet-facing VPN appliances, remote desktop services, and email platforms above other assets, and the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog is a useful prioritization source because many of the vulnerabilities IABs exploit appear in it. Requiring MFA on all VPN and remote access entry points dramatically reduces the value of compromised credentials to IABs, since credential-based access becomes unusable without the second factor; push-based MFA can still be worn down by prompt bombing, so phishing-resistant methods are preferable for these entry points.

Incident responders frequently encounter IAB activity as a precursor to ransomware deployment. In post-incident investigations, evidence of IAB tooling such as webshells, Cobalt Strike beacons, or AnyDesk/ScreenConnect installations that predates the ransomware event often indicates the initial access was purchased. Understanding the IAB relationship helps establish the correct incident timeline and may reveal additional compromised credentials or access vectors that the ransomware operator didn't use but that the IAB established.
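The timeline reconstruction described above, as an added example that is not part of the original entry: the script below parses a small set of constructed log lines (a VPN login without MFA, a webshell request, AnyDesk and ScreenConnect activity, then an encryptor and ransom note) and separates precursor events that predate the ransomware deployment from the deployment itself, reporting the dwell time between the first precursor and encryption and the accounts seen in the precursor phase. The log format, hostnames, file names and indicator patterns are all assumptions made for the sample; real triage would use the organization's own log schema and a much richer indicator set.

```python
"""Separate IAB-style precursor activity from ransomware deployment in log data.

Added example. The log lines, hosts, paths and indicator patterns below are
constructed for illustration and do not describe any real incident.
Line format: ISO-8601 timestamp | host | log source | message
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SAMPLE_LOGS = """\
2024-03-02T08:14:07Z|vpn-gw01|vpn|login user=svc_legacy src=203.0.113.45 mfa=none result=success
2024-03-02T08:31:52Z|web-dmz02|iis|POST /uploads/cmd.aspx 200 src=203.0.113.45
2024-03-03T11:02:19Z|ws-fin-17|sysmon|ProcessCreate image=C:\\Users\\Public\\AnyDesk.exe user=CORP\\j.doe
2024-03-03T11:04:40Z|ws-fin-17|sysmon|NetworkConnect image=C:\\Users\\Public\\AnyDesk.exe dst=198.51.100.9:443
2024-03-17T02:10:05Z|dc01|security|Logon user=CORP\\j.doe type=10 src=10.20.0.44
2024-03-17T02:15:33Z|dc01|sysmon|ProcessCreate image=C:\\Windows\\Temp\\beacon.exe parent=ScreenConnect.ClientService.exe
2024-03-19T03:40:12Z|fs01|sysmon|ProcessCreate image=C:\\Temp\\locker.exe cmdline="locker.exe -path \\\\fs01\\share"
2024-03-19T03:41:00Z|fs01|sysmon|FileCreate target=\\\\fs01\\share\\README-RANSOM.txt
"""

# Precursor categories drawn from the entry: credential access without MFA,
# webshells, and remote access tools left behind for the buyer. The regexes
# are deliberately narrow heuristics tuned to the constructed sample.
PRECURSOR_INDICATORS = {
    "vpn_login_without_mfa": re.compile(r"\|vpn\|login .*mfa=none .*result=success"),
    "webshell_request": re.compile(r"(POST|GET) \S*/uploads/\S+\.(aspx|php|jsp)\b"),
    "remote_access_tool": re.compile(r"AnyDesk|ScreenConnect", re.IGNORECASE),
}
# Assumed markers for the ransomware deployment itself (encryptor + ransom note).
RANSOMWARE_INDICATOR = re.compile(r"README-RANSOM\.txt|locker\.exe", re.IGNORECASE)
ACCOUNT_RE = re.compile(r"user=(\S+)")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    source: str
    message: str
    raw: str


def parse_logs(text: str) -> list:
    """Parse pipe-delimited lines into Events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, source, message = line.split("|", 3)
        # Older Pythons do not accept a trailing "Z" in fromisoformat().
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, host, source, message, line))
    return sorted(events, key=lambda e: e.ts)


def classify(event: Event) -> Optional[str]:
    """Return the precursor category an event matches, or None."""
    for name, pattern in PRECURSOR_INDICATORS.items():
        if pattern.search(event.raw):
            return name
    return None


def build_timeline(text: str) -> dict:
    """Split events into precursors and deployment; report dwell and accounts."""
    events = parse_logs(text)
    deployment = next((e.ts for e in events if RANSOMWARE_INDICATOR.search(e.raw)), None)
    if deployment is None:
        raise ValueError("no ransomware deployment marker found")
    # Only events strictly before deployment count as precursor (IAB-phase) activity.
    precursors = [(e, classify(e)) for e in events if e.ts < deployment and classify(e)]
    first = precursors[0][0].ts if precursors else deployment
    # Accounts touched during the precursor phase may be credentials the IAB
    # established that the ransomware operator never used.
    accounts = sorted({m.group(1) for e, _ in precursors for m in ACCOUNT_RE.finditer(e.raw)})
    return {
        "deployment_ts": deployment,
        "first_precursor_ts": first,
        "dwell": deployment - first,
        "precursors": [(e.ts.isoformat(), e.host, cat) for e, cat in precursors],
        "accounts": accounts,
    }


if __name__ == "__main__":
    result = build_timeline(SAMPLE_LOGS)
    print(f"deployment at {result['deployment_ts']}, "
          f"first precursor {result['dwell']} earlier")
    for ts, host, cat in result["precursors"]:
        print(f"  {ts}  {host:<10} {cat}")
    print("accounts seen before handoff:", result["accounts"])
```

On the constructed sample the dwell between the first precursor (the no-MFA VPN login) and encryption is a little under 17 days, and the precursor phase exposes two accounts, one of which (the legacy service account) never appears in the deployment-phase events. That is the kind of finding the entry describes: an access path the IAB set up that the buyer did not need, and that would be missed if the investigation started at the encryption timestamp.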
Examples
- After Fortinet disclosed a critical VPN vulnerability (CVE-2018-13379), IABs harvested over 500,000 valid VPN credentials and sold them in bulk on cybercriminal forums, with many later used in ransomware attacks.
- In the months before the Colonial Pipeline ransomware attack, DarkSide operators entered through a compromised legacy VPN account that lacked MFA; the credential is widely reported to have been acquired through the IAB market rather than harvested by the operators themselves.
- IABs listed access to multiple US school districts for as little as $200-500 apiece in 2022-2023, with buyers typically being ransomware affiliates who knew education sector organizations had poor backup practices and high pressure to restore services.