There is an old question in the criminal underground that explains this entire article: why hack, when someone will sell you the key?
In 2022, the median time between an attacker breaking into a network and handing that foothold off to a ransomware crew was more than eight hours. By 2025, Mandiant's M-Trends 2026 report measured that same handoff at 22 seconds. A window that used to be a working day collapsed into a heartbeat. That collapse did not happen because attackers got faster fingers. It happened because breaking in and cashing out became two separate jobs, done by two separate specialists, connected by a market.
The specialist who does the breaking in, and then walks away without ever deploying a payload, is the initial access broker.
If you work in threat intelligence, or you are figuring out how to break into the field, understanding the initial access broker ecosystem is not optional trivia. It is the early-warning layer of the entire ransomware economy. Access to your network gets bought and sold days or weeks before the encryption starts, and if you know how that market works, you know where to look before the alarm goes off. Let me break down what it is, how the money moves, and how analysts actually track it.
TL;DR
- An initial access broker (IAB) breaks into a network and sells that access; they do not run the ransomware attack themselves.
- IABs are the wholesalers in a specialized cybercrime supply chain: infostealer logs feed brokers, brokers sell to ransomware affiliates and other buyers.
- Access prices range from ~$10 for a raw stealer log to $100,000+ for exclusive domain admin at a large organization.
- Public listing counts fell through 2025, but that reflects law enforcement pressure and a shift to private channels, not less activity.
- Access ads typically surface days or weeks before an attack, which makes IAB monitoring one of the highest-leverage early-warning tools in CTI.

What an Initial Access Broker Actually Is (and Isn't)
An initial access broker is a threat actor who specializes in one stage of an attack: getting unauthorized entry into an organization's network, and then selling that entry to someone else. They find the way in, they often establish persistence so the access is durable, and then they list it for sale. After the sale, their job is finished. They do not encrypt data, they do not run the extortion negotiation, and in many cases they could not; a large share of brokers lack the skills to carry out the downstream attack at all.
Think of them as wholesalers in a supply chain. A wholesaler does not manufacture the product and does not run the retail store. They sit in the middle, moving goods from producer to seller, and they take a margin for doing the part nobody else wants to do. In cybercrime, the tedious part is the initial break-in: the scanning, the credential hunting, the patience. IABs absorb that tedium so their customers can skip straight to the profitable end.
Here is the mental model that trips people up. "Intelligence" tells you it is a sophisticated operation, and "broker" makes it sound like a suit at a desk. The reality is a spectrum. Some brokers are genuinely skilled operators who maintain access to Fortune 500 networks and sell a handful of premium listings a year. Others run a volume business, hoovering up thousands of low-value credentials from stealer logs and flipping them for a few dollars each. What unites them is the niche: they specialize in finding, keeping, and selling the door, and they let someone else walk through it.
Their customers are not only ransomware gangs, though ransomware is the biggest buyer. Access also flows to business email compromise (BEC) crews, fraud groups, data thieves, and state-backed espionage operators. One compromised VPN credential can serve any of them. The broker does not much care who buys it, as long as the escrow clears.
Why the Ecosystem Exists: The Industrialization of Cybercrime
None of this appeared overnight. It is the end state of cybercrime specializing the way any maturing industry does.
The Conti ransomware operation, before it imploded, is the clearest illustration. Leaked internal records showed it ran like a company, with departments for coders, testers, and even penetration testers, each with its own budget. When a criminal enterprise starts issuing budgets to its penetration testing department, the game has changed. That level of specialization made it obvious that the different stages of an attack could be unbundled and outsourced, and the market obliged.
Two things accelerated it. The shift to remote work broadened the attack surface enormously, pushing organizations to expose RDP and VPN to the internet, which handed brokers a much larger pool of doors to try. Around the same time, ransomware evolved into double extortion, encrypting data and threatening to leak it, which pushed ransom payments up and made the whole economy far more profitable. More money meant more players, more players meant more specialization, and specialization meant middlemen.
The result is what analysts now call the commodification of compromise. Each stage of the attack lifecycle, initial access, privilege escalation, lateral movement, exfiltration, extortion, money laundering, can be handled by a different specialist who is very good at their one thing. Escrow and reputation systems reduce the friction of doing business with anonymous criminals. Ransomware groups can buy their way past the hardest early stage and focus on where the money actually is. This is not a group doing everything. It is a supply chain.

The Supply Chain, Step by Step
Put the pieces in order and the machine becomes clear.
It usually starts upstream, with an infostealer infection on some employee's laptop, often a personal or contractor device sitting outside corporate controls. The malware harvests every saved password, session cookie, and autofill entry, packages it into a structured file called a log, and ships it to the operator. That log gets sold on a market for a few dollars.
Next, a broker parses that log, or runs their own scanning and exploitation, looking for the golden ticket: a corporate VPN login, an RDP credential, a domain admin account. They validate it, confirm it still works, and sometimes deepen the access by creating new accounts or planting persistence. Then they write a sanitized listing, "US-based manufacturing firm, revenue $400M, domain admin access," and post it to a forum or a private Telegram channel.
Downstream, a ransomware affiliate buys it. Because the access is pre-validated, they skip the entire initial-access phase and move straight to reconnaissance, privilege escalation, and lateral movement, staging their payload while defenders see nothing unusual. Then the encryption fires, the extortion begins, and, if the group runs double extortion, the stolen data gets posted to a leak site to force payment.
That is the pipeline. And its most dangerous property, from a defender's chair, is the time gap. The credential can be harvested weeks before it is sold, the access can sit dormant before a buyer weaponizes it, and each link obscures the one before it. A logistics firm documented in one red-team investigation had a domain admin account compromised six weeks earlier via infostealer, quietly listed for $6,000 in Monero on Exploit[.]in, cross-posted to a private affiliate channel, and then encrypted by a LockBit-linked strain within four days of the sale. Endpoint tooling was in place the whole time. It caught none of it, because the login was valid and the movement happened during dormant hours.
What They Sell: The Types of Access
Not all access is equal, and the price reflects it. Brokers typically deal in some combination of the following.
Remote access is the bread and butter: RDP and VPN credentials remain the most commonly listed types, because they are the most directly useful to a buyer. Citrix and other remote gateways sit in the same category. Beyond that, brokers sell web shells on compromised servers, admin panel access to management consoles (which became the most common listing type for the government sector in recent tracking), and at the premium end, domain admin privileges on Active Directory, which effectively hands the buyer the keys to every endpoint in the organization. Root-level access to VMware ESXi hosts has its own premium, because encrypting a hypervisor lets an attacker take down every virtual machine at once, which is exactly why ransomware families targeting ESXi became popular.
The value of a listing is set by a few variables: the organization's industry, size, and revenue, the level of privilege being sold, how much effort the access took to obtain, and whether the sale is exclusive or the broker plans to resell it many times. A short-lived, low-privilege user account sold to a dozen buyers is worth almost nothing. Exclusive domain admin at a billion-dollar company is worth a great deal.
How They Get In
Understanding acquisition methods is what lets an analyst reason about exposure, so here is the descriptive picture. This is what the ecosystem does, viewed from the defender's side of the glass.
The dominant fuel is infostealer logs, covered in its own section below. Beyond that, brokers heavily exploit internet-facing infrastructure, and they watch vulnerability disclosures closely. When a critical flaw drops in a widely deployed VPN or gateway appliance, from vendors like Fortinet, Pulse Secure, or SonicWall, or in Exchange or Citrix, brokers move within hours. A concrete example: CISA's advisory on Akira ransomware noted that affiliates were using initial access brokers and brute-forcing VPN endpoints, specifically abusing a SonicWall vulnerability tracked as CVE-2024-40766. RDP brute force and credential stuffing against exposed ports fill out the automated end. Phishing and the direct abuse of valid, leaked credentials round out the toolkit.
The uncomfortable throughline is that most of this relies on things organizations already know how to fix: unpatched perimeter systems, exposed remote access, reused passwords, and missing multi-factor authentication. When one threat intelligence firm reviewed its incident response cases, it found that initial access via valid accounts went unprotected by MFA in well over half of them. The doors brokers sell are, more often than not, doors that were left unlocked.

Infostealers: The Fuel of the Whole Machine
You cannot understand the IAB ecosystem without understanding stealer logs, because they are what feeds it. If IABs are the wholesalers, infostealers are the raw material supplier.
The scale is hard to overstate. KELA's State of Cybercrime 2026 report tracked roughly 2.86 billion compromised credentials circulating across criminal markets in 2025. Flashpoint counted 1.8 billion credentials stolen from 5.8 million devices in the first half of 2025 alone. And the connection to ransomware is not theoretical: Verizon's 2025 Data Breach Investigations Report found that 54 percent of ransomware victims had domain credentials sitting in stealer log marketplaces before the attack landed. The exposure was detectable. The breach was the consequence of nobody detecting it.
The economics are what make it relentless. An infostealer subscription runs around $200 a month under the malware-as-a-service model, which puts industrial-scale credential theft within reach of someone with no technical skill. The resulting logs sell for as little as $10 each on markets like Russian Market and 2easy. For the price of a movie ticket, a buyer gets a package that might hold a VPN password to a corporate network. The infostealer landscape shifts constantly; after RedLine was disrupted, Lumma and StealC rose to fill the gap, and in 2024 the top three families accounted for around 75 percent of over four million infected machines by one count.
The broker's role here is refinement. They take a $10 commodity log, filter it for the enterprise credential buried inside, validate that the access works, and resell it for hundreds or thousands of dollars. Volume in, value out. The deeper mechanics of how stealer logs are built, structured, and traded are a rabbit hole of their own, and one worth understanding if you plan to monitor this space professionally.
What Access Actually Costs
Pricing is where the market's evolution shows most clearly, and it is worth walking through because the numbers scatter depending on when and where you look.
Historically, the commodity end has been cheap. A KELA analysis of listings from 2020 to 2021 put the average price of network access at $5,400 with a median of just $1,000, and noted plenty of small-firm access going for $100 to $200. More recent tracking by Rapid7, covering the second half of 2024 across Exploit, XSS, and BreachForums, landed on an average access price near $2,700, with roughly 40 percent of listings selling for $500 to $1,000. Cheap, high-volume, often poorly validated, and frequently resold.
Then the top of the market moved. When Rapid7 expanded its monitoring across five forums for full-year 2025, it observed a clear shift toward high-value targets and premium pricing, reporting an average base price of $113,275, against an average claimed victim revenue of $3.242 billion. A caveat matters here: those victim-revenue figures are provided by the brokers themselves based on their own research, so treat them as marketing, not audited accounts. But the direction is real. The market is bifurcating into a cheap, saturated volume tier and a smaller, pricier premium tier aimed at large organizations.
| Segment | Typical price | What you get |
|---|---|---|
| Stealer log (raw) | ~$10 | Unvalidated credential dump, often resold |
| Small-firm access | $100 to $200 | Low-privilege or single-service access |
| Commodity network access | $500 to $2,700 (avg) | Validated RDP/VPN, mid-size org |
| Premium / high-value | $6,000 to $100,000+ | Exclusive domain admin, large org, sensitive sector |
For perspective on why this economy is so attractive to buyers, historical figures put the average access price in the low thousands against average ransom payments in the six figures. The cost of the key is trivial next to the value of the room.
Where the Market Lives
Access is traded in a small number of well-known venues, and knowing them is part of an analyst's map.
For years the center of gravity was a handful of forums: Exploit[.]in and XSS[.]is, both Russian-language, alongside the English-language BreachForums. Stealer logs move through dedicated markets like Russian Market and 2easy. And a great deal of the highest-value business happens off public forums entirely, in invite-only Telegram channels reserved for vetted affiliates, where a broker's reputation is the currency that keeps the market functioning. Escrow services and reputation scores exist precisely because these are transactions between anonymous criminals who have every incentive to cheat each other.
That map has been redrawing itself. Rapid7's 2025 tracking found that newer forums took the lead, with DarkForums and RAMP together accounting for around 81 percent of observed access-sale threads in the second half of the year, while the once-dominant XSS and Exploit saw their IAB activity decline sharply. How these communities structure reputation and escrow, and why they fragment and reappear after takedowns, is a deep topic in its own right.
2025 to 2026: A Market Under Pressure
If you only glanced at public listing counts, you might conclude the IAB threat is shrinking. It is not. What is happening is more interesting, and it is a lesson in reading intelligence carefully.
Public IAB listings did decline through 2025. One tracker recorded network-access-sale incidents falling from 449 in Q2 2025 to 425 in Q3, ticking up slightly to 458 in Q4, then dropping further into Q1 2026. But the same analysis was clear that this decline does not reflect reduced ransomware. It reflects structural change in the ecosystem.
Two forces are driving it. The first is law enforcement pressure. Coordinated operations have hit the infrastructure hard: Operation Endgame dismantled core infostealer infrastructure in 2024, and INTERPOL's Operation Secure in 2025 took down roughly 20,000 malicious IPs and domains, seized dozens of servers, and made arrests across multiple countries. Major forums have been seized and disrupted. The catch, documented again and again, is that the ecosystem reconstitutes within days. New forums appear, seized ones rebrand, and the market routes around the damage.
The second force is a migration to private channels. As public forums draw law enforcement heat, the higher-value business moves into invite-only spaces where it is far harder to observe. On top of that, some ransomware groups are simply internalizing their access operations, running their own intrusion work instead of buying it. The access is still being bought and sold. It is just happening where the sunlight does not reach as easily, which is exactly why passive open-source monitoring is no longer enough on its own.
How CTI Analysts Track the IAB Ecosystem
Here is the part that turns all of this from a horror story into a job. The IAB ecosystem is trackable, and tracking it is one of the highest-leverage things a threat intelligence function does, because it operates ahead of the attack.
The core discipline is monitoring. Because access advertisements typically surface days or weeks before a ransomware deployment, an organization watching the right forums and channels can learn that its own network is for sale before the buyer weaponizes it. That is a genuine early-warning window, and organizations without any dark web monitoring simply never see it. Credential leak monitoring works the same way one link upstream: because corporate credentials appear in stealer logs before they are used, watching for your own domains in fresh logs can buy you time to rotate passwords before an intrusion escalates.
On the detection side, the ecosystem leaves signals if you know the pattern. New local or domain accounts, especially with elevated privileges, are a classic broker persistence technique and a major red flag. So is unusual login activity: legitimate accounts authenticating from never-before-seen IP addresses, at odd hours, or brute-force attempts that only belatedly succeed. Behavioral analytics, identity threat detection and response, and lateral-movement monitoring catch what perimeter tools miss, because the whole point of purchased access is that it looks legitimate.
For the professional analyst, this is a well-supported specialty. Intelligence vendors including KELA, Flashpoint, Recorded Future, Cyberint, and SOCRadar publish continuous IAB and credential-exposure tracking, and government advisories such as CISA's #StopRansomware series regularly document IAB-sourced access in named campaigns. Building the habit of reading this frontline reporting is how you stay current, which is part of why CTI Academy runs its own news aggregator, todayincyber.io, to keep the day's signal in one place.
Two of CTI Academy's own environments were built to train exactly these muscles. NullBase is a simulated underground forum where you practice reading listings, tracking broker personas, and correlating handles the way an analyst monitoring the real thing has to, without the risk of operating on live criminal infrastructure. LeakLens puts you inside credential leak and stealer log data so that "check whether your domains are exposed" stops being an abstraction and becomes a workflow you have actually done.

Common Misconceptions
"IABs are just script kiddies." No. While the volume tier includes low-skill operators reselling logs, the brokers who matter are skilled specialists who maintain persistent access to serious targets and treat it as a niche profession. Underestimating them is a mistake.
"Declining listings mean the threat is fading." No. As covered above, falling public listing counts reflect law enforcement pressure and a shift to private channels, not reduced activity. The market went quieter, not smaller.
"This is only a ransomware problem." No. Ransomware is the biggest buyer, but the same access feeds BEC, fraud, data theft, and espionage. Your exposure is not limited to one threat type.
"Our EDR will catch it." Often not. Purchased access uses valid credentials and moves during quiet hours, and it frequently touches identity and VPN systems before it ever reaches an endpoint. The first signal usually shows up in authentication logs, not on the box.
Where CTI Academy Fits
The IAB ecosystem is one of those topics where surface-level awareness and working knowledge are very different things. Reading a glossary entry tells you what a broker is. Being able to monitor for your own exposure, read a listing critically, track a persona across forums, and recognize the access-for-sale pattern before it becomes an incident is a skill, and skills are built by doing.
That is what CTI Academy's Hunter track is for. The initial access broker and underground ecosystem coursework takes you from the concepts in this article into hands-on practice inside NullBase and LeakLens, so you learn to work the market from the analyst's side rather than just reading about it. If you want to stop being surprised by how access gets sold and start seeing it coming, that is where to begin.
Frequently Asked Questions
What is an initial access broker?
An initial access broker (IAB) is a cybercriminal who specializes in gaining unauthorized entry to an organization's network and then selling that access to other threat actors, most often ransomware groups. They handle only the initial break-in and do not carry out the downstream attack themselves.
How do initial access brokers make money?
They sell validated access to compromised networks on underground forums and private channels. Pricing depends on the target's size and revenue, the level of privilege, and exclusivity, ranging from around $100 for small-firm access to well over $100,000 for exclusive domain admin access to a large organization.
How do IABs gain access to networks?
Primarily through infostealer logs (buying stolen corporate credentials), exploiting vulnerabilities in internet-facing VPN and gateway appliances, RDP brute force and credential stuffing, phishing, and the direct abuse of leaked valid credentials. Most methods exploit unpatched systems, exposed remote access, or missing multi-factor authentication.
What is the connection between initial access brokers and ransomware?
IABs supply the foothold that ransomware affiliates use to launch attacks. By buying pre-validated access, ransomware crews skip the hardest early stage and move straight to deployment. Verizon's 2025 data found that 54 percent of ransomware victims had domain credentials in stealer logs before the attack.
How much does network access cost on the dark web?
It varies widely. Recent tracking put the average commodity access price around $2,700, with a large share selling for $500 to $1,000, while a shift toward premium, high-value targets in 2025 pushed average base prices for top listings above $100,000. Raw stealer logs sell for as little as $10.
Can organizations detect when their access is being sold?
Yes, which is what makes this valuable for defenders. Access advertisements usually appear days or weeks before a ransomware deployment, so dark web and credential-leak monitoring can provide early warning. Detection signals inside the network include new privileged accounts and logins from unfamiliar IP addresses or at unusual hours.
Are IAB listings really declining?
Public listings declined through 2025, but analysts attribute this to law enforcement seizures of major forums and a migration to private channels, not to reduced activity. The market has become harder to observe, not smaller.