Initial access brokers (IABs) are criminal specialists who break into corporate networks and then sell that access to other criminals, typically ransomware affiliates. Listings appear on Russian-language forums like XSS and Exploit, and on Telegram. Prices range from a thousand dollars for small targets to six figures for high-revenue victims. Watching IAB markets gives defenders a rare early warning signal: when your organisation appears in a listing, you have weeks at most before the buyer cashes in.
What it is
An initial access broker is a criminal who specialises in one stage of an attack: getting in. They break into corporate networks, confirm the access works, and then sell it to other criminals who do the rest. They rarely deploy ransomware themselves. They rarely exfiltrate data. Their product is the foothold.
This specialisation is a relatively recent development. Before about 2019, the same group that broke in usually also did the damage. As ransomware turned into a high-volume business, the economics shifted. Breaking in and exploiting are different skill sets, and dividing the labour was more efficient. The IAB role formalised, and an entire criminal supply chain reorganised around it.
Today, the typical ransomware incident has at least three distinct actors:
- The IAB, who got in.
- The ransomware affiliate, who bought the access, escalated privilege, exfiltrated data, and deployed the encryption.
- The ransomware operator, who runs the brand, the leak site, and the negotiation infrastructure, and takes a cut.
Understanding IABs means understanding the layer of the criminal economy that sits one step before the breach makes the news.
What IABs sell
The product varies, but the listings on forums and Telegram channels follow recognisable patterns.
RDP access into corporate networks. Either compromised employee workstations or, more valuably, jump hosts and domain-joined servers. RDP into a domain-joined system with ordinary user privileges is enough for an affiliate to escalate from there.
VPN credentials. Working credentials for the corporate VPN, often with MFA bypassed via stolen session tokens or compromised MFA devices. VPN access drops the buyer directly onto the internal network.
Domain admin or local admin. The most expensive tier. Pre-escalated access that lets the buyer skip several stages of the attack chain and move straight to lateral movement and ransomware deployment.
Web shell access. A backdoor in a public-facing web application, giving the buyer code execution on the hosting server. Useful for pivoting deeper.
Cloud admin credentials. Stolen access to AWS, Azure, or GCP accounts with privileged roles. As more critical infrastructure has moved to cloud, this category has grown.
Specific application access. Citrix, SAP, ERP systems, customer relationship management platforms. High-value because they often contain regulated data and integrate with many other systems.
The listings typically include the victim's industry, country, revenue, employee count, the type of access available, and a price. Some sellers are explicit about the victim's name. Most use generic descriptions to avoid scaring off buyers or attracting law enforcement attention to specific cases.
How they differ from stealer log sellers
Stealer log markets and IAB markets overlap, but they are not the same.
Stealer logs are bulk dumps of credentials and cookies harvested from infected machines. The buyer gets raw data and has to figure out which credentials are useful, whether MFA blocks the path, and whether the access leads anywhere worth going. Pricing is low (single dollars to tens of dollars per log) and volume is high.
IAB listings are pre-validated access into specific corporate networks. The seller has already confirmed the access works, mapped the environment to some degree, and described what the buyer is getting. Pricing is higher (typically thousands to tens of thousands of dollars) and each listing is unique.
The distinction matters for defenders. A stealer log appearance is an alert to investigate one infected user. An IAB listing is an alert that someone has confirmed working access into the network, has tested it, and is actively shopping it. The threat is later in the kill chain and the response window is shorter.
Many IABs source their access from stealer logs. The pipeline goes: stealer infects user, log gets sold cheaply, IAB buys logs in bulk, IAB tries the credentials against corporate VPNs and remote desktop, the few that work get bundled into IAB listings. A stealer log priced at five dollars can become an IAB listing priced at ten thousand dollars within days.
Where listings appear
The major venues in 2026 are familiar to anyone who has watched the criminal underground for a while.
XSS (formerly DamageLab). Russian-language forum. Long-running. Has a dedicated section for access listings. Reputation system, escrow, and gatekeeping that makes it harder for outsiders to participate.
Exploit. Another Russian-language forum, similar structure to XSS, equally well-established. Both forums have survived periodic disruption.
RAMP. A newer forum that emerged after the Conti leaks accelerated reorganisation in the criminal ecosystem.
Telegram channels. Increasingly the venue for fast-moving listings, especially after disruption of older forums. Less reputation infrastructure, more volume, more variability in quality.
Direct sale via brokers. The highest-value access often does not appear publicly. It moves through trusted relationships between IABs and specific ransomware operations.
A defender monitoring these venues sees a steady stream of listings. The challenge is filtering. Most listings do not name the victim. Industry, country, and revenue range are the primary filters. When a listing matches your profile, the question is whether it is your organisation or a peer.
Pricing patterns
IAB pricing is a useful window into how criminals value access. The factors that move the price are roughly:
- Victim revenue. The most consistent driver. Access to a $10 million revenue company lists in the low thousands; access to a $1 billion revenue company can hit six figures.
- Geography. Western developed markets price higher. Targets in Russia and former Soviet states are usually off-limits in major forums by policy.
- Sector. Healthcare, financial services, and critical infrastructure tend to price higher because ransomware extortion against these sectors yields larger payouts.
- Access type. Domain admin commands more than ordinary user. VPN with MFA bypass commands more than RDP into a single host.
- Freshness. Access verified within the last 24 hours is worth more than access that has been listed for weeks.
- Exclusivity. Some listings are sold once. Others are sold to multiple buyers. Exclusive listings command premiums.
Documented IAB sales over the past several years have run from $1,000 for small businesses up to $100,000+ for major enterprises. The Conti chat leaks of 2022 included internal discussion of IAB purchases and showed prices in this range routinely.
Notable groups and case studies
A few IAB groups and operations have been documented in detail:
UNC2596 (also tracked as Cuba ransomware affiliates). A cluster of activity tied to operations that combined IAB-purchased access with ransomware deployment, attributed by various researchers to actors operating from Russia.
The Conti leaks (2022). Internal chat logs from the Conti ransomware operation showed routine IAB engagement, including specific deals, pricing negotiations, and dissatisfaction when access did not deliver as advertised. The leaks remain one of the richest open-source data sets on how the ransomware ecosystem actually operates.
LAPSUS$ era access brokering. While LAPSUS$ themselves were unusual in many ways, their style of acquiring credentials through bribery and stealer logs and then either using or selling that access influenced how subsequent groups operated.
Mass exploitation IABs. When a vulnerability in a widely deployed product such as MOVEit or Ivanti gets weaponised at scale, some attackers focus on monetising via IAB sales rather than direct ransomware. They compromise hundreds of organisations, validate access, and list them.
How to detect IAB activity targeting you
The signal-to-noise problem is real. Most listings do not name victims explicitly. Detection involves:
- Forum and Telegram monitoring. Continuous, automated. Manual monitoring at the speed listings appear is not realistic.
- Pattern matching against your fingerprint. Industry plus country plus revenue range plus employee count narrows the match. Specific technologies, mentioned in some listings, narrow it further.
- Watching for specific identifiers. Hostnames, domain names, internal product names, industry-specific terminology that is rare enough to identify your organisation.
- Cross-referencing with stealer log sightings. A spike in your domain in stealer markets often precedes IAB listings by days to weeks.
- Direct mention monitoring. Some IABs are sloppy and use the victim's actual name. When that happens, the alert is unambiguous.
The challenge is that good IABs do not name names publicly. The alert often comes from the buyer's downstream activity (a ransomware deployment with the IAB's signature) rather than from the original listing.
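The fingerprint matching described above, as an added example that is not part of the original article: a small Python scorer in which an identifier hit (hostname, domain, internal product name) is decisive on its own, while industry, country, revenue band, headcount and named technologies accumulate. The organisation, the listings and every name in them are constructed.

```python
# Added example, not the article's code: score IAB listings against an organisation fingerprint; all data below is constructed.
import re
from dataclasses import dataclass

@dataclass
class OrgFingerprint:
    industry: str
    country: str
    revenue_usd: int
    employees: int
    technologies: set   # products a seller might name, e.g. "citrix"
    identifiers: set    # rare strings that identify us: domains, hostnames, internal product names

@dataclass
class Listing:
    listing_id: str
    industry: str
    country: str
    revenue_usd: int
    employees: int
    text: str           # the seller's free-text description

def score_listing(fp: OrgFingerprint, ls: Listing) -> tuple[int, list[str]]:
    """Return (score, reasons): soft attributes count 1 each, each identifier hit counts 5."""
    text = ls.text.lower()
    checks = {
        "industry": ls.industry.lower() == fp.industry.lower(),
        "country": ls.country.upper() == fp.country.upper(),
        # Sellers round revenue and headcount, so accept a 0.5x-2x band rather than exact values.
        "revenue": fp.revenue_usd / 2 <= ls.revenue_usd <= fp.revenue_usd * 2,
        "employees": fp.employees / 2 <= ls.employees <= fp.employees * 2,
    }
    reasons = [name for name, hit in checks.items() if hit]
    reasons += [f"tech:{t}" for t in fp.technologies if re.search(rf"\b{re.escape(t)}\b", text)]
    # An identifier hit is decisive even when the seller disguised industry and country.
    idents = [f"identifier:{i}" for i in fp.identifiers if i.lower() in text]
    return len(reasons) + 5 * len(idents), reasons + idents

def triage(fp: OrgFingerprint, listings: list, threshold: int = 4) -> list:
    """(listing_id, score, reasons) for listings at or above threshold, strongest first."""
    hits = [(ls.listing_id, *score_listing(fp, ls)) for ls in listings]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

# Constructed fingerprint and listings: one soft-attribute match, one too small to be us, one leaking an internal name.
ACME = OrgFingerprint("healthcare", "DE", 120_000_000, 900, {"citrix", "sap"}, {"acme-clinics.example", "clinicportal"})
LISTINGS = [
    Listing("L1", "healthcare", "DE", 100_000_000, 1000, "DE healthcare, rev 100M, 1000 hosts, Citrix + SAP, VPN user"),
    Listing("L2", "healthcare", "DE", 5_000_000, 40, "small clinic DE, rev 5M, RDP local admin"),
    Listing("L3", "manufacturing", "US", 150_000_000, 800, "US manufacturing, domain admin, internal app ClinicPortal"),
]
```

Listings below the threshold are peers or unrelated victims; raising the threshold trades missed fingerprint matches for fewer analyst hours.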
How to respond
If you have credible reason to believe access into your network is being sold:
- Treat it as an active incident. Not a hypothetical risk. The buyer's plans are not your plans.
- Hunt for the foothold. Threat hunt across known IAB-favoured access types. Recent VPN logins from unfamiliar geographies. RDP sessions from compromised endpoints. Web shells on internet-facing applications. Cloud account activity from new locations.
- Rotate credentials aggressively. Especially VPN, RDP-eligible accounts, domain admin, cloud admin, and any account that has appeared in stealer logs in the past 90 days.
- Invalidate sessions. Force re-authentication everywhere it makes sense. Session cookies bypass MFA.
- Increase monitoring. Tighten EDR thresholds and make network anomaly detection more sensitive. Watch for the next stage of the attack chain (privilege escalation, lateral movement, exfiltration).
- Engage incident response. Either internal or retained. Treat the timeline as days, not weeks.
- Notify the right stakeholders. Legal, executive, and depending on jurisdiction, regulators or law enforcement.
The faster the response, the higher the chance the foothold gets closed before the buyer makes use of it.
Best practices
- Continuous IAB monitoring. Daily at minimum. Weekly is too slow given the listing-to-exploitation timeline.
- Phishing-resistant MFA. FIDO2 keys, passkeys, device-bound credentials. Defeats the most common credential-based access types IABs sell.
- Restrict VPN and RDP exposure. Conditional access, geographic restrictions, just-in-time access where feasible.
- Detect lateral movement, not just initial access. Even if an IAB-bought foothold succeeds, the next stage involves recognisable behaviours.
- Audit credential usage. Service accounts that suddenly authenticate from new endpoints. Admin accounts logging in outside business hours. The patterns that an external buyer produces look different from normal behaviour.
- Have an IR retainer ready. When access is being sold, you are minutes-to-hours away from a real incident. Contracts should not be negotiated under pressure.
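The foothold hunt from "How to respond" and the credential-usage audit above, as one added Python example (not the article's own code or any product's tooling): the checks run over constructed authentication events in an invented pipe-delimited format, and the baseline sets and account names are assumptions for a fictional organisation.

```python
# Added example, not the article's code: credential-usage hunt over constructed sample auth events.
from datetime import datetime

# Constructed baseline for a fictional org: countries normally seen on the VPN, the hosts
# each service account is known from, named admin accounts, and accounts that appeared
# in stealer logs within the last 90 days.
USUAL_COUNTRIES = {"DE", "AT"}
SERVICE_ACCOUNT_HOSTS = {"svc-backup": {"bkp01"}, "svc-sql": {"db01", "db02"}}
ADMIN_ACCOUNTS = {"da-jsmith", "adm-ops"}
STEALER_EXPOSED = {"jdoe"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time

def parse_event(line: str) -> dict:
    """Constructed log format: timestamp|source|user|host|country|result."""
    ts, source, user, host, country, result = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "source": source, "user": user,
            "host": host, "country": country, "result": result}

def flag_event(ev: dict) -> list[str]:
    """Findings for one successful authentication; failed attempts are left to other alerting."""
    if ev["result"] != "success":
        return []
    flags = []
    if ev["source"] == "vpn" and ev["country"] not in USUAL_COUNTRIES:
        flags.append("vpn-unfamiliar-geo")       # recent VPN logins from unfamiliar geographies
    if ev["user"] in ADMIN_ACCOUNTS and ev["ts"].hour not in BUSINESS_HOURS:
        flags.append("admin-off-hours")          # admin accounts logging in outside business hours
    known_hosts = SERVICE_ACCOUNT_HOSTS.get(ev["user"])
    if known_hosts is not None and ev["host"] not in known_hosts:
        flags.append("svc-new-endpoint")         # service accounts authenticating from new endpoints
    if ev["user"] in STEALER_EXPOSED:
        flags.append("stealer-exposed-account")  # rotate first: stealer sightings precede listings
    return flags

def hunt(lines: list) -> list:
    """(user, flag) pairs across all events, in log order."""
    return [(ev["user"], f) for ev in map(parse_event, lines) for f in flag_event(ev)]

SAMPLE_EVENTS = [  # constructed
    "2026-03-02T08:15:00|vpn|jdoe|lt-jdoe|DE|success",
    "2026-03-02T03:40:00|vpn|da-jsmith|unknown|BR|success",
    "2026-03-02T09:05:00|rdp|svc-backup|ws-hr07|DE|success",
    "2026-03-02T09:06:00|rdp|svc-sql|db02|DE|failure",
    "2026-03-02T22:10:00|rdp|adm-ops|jump01|DE|success",
]
```

The baseline sets are the part worth maintaining: a service account's known hosts and the stealer-exposed list change as the environment does.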
A note on what IAB listings tell you
When your organisation appears in IAB activity (directly or via fingerprint match), it is rarely the first signal that something is wrong. It is more often the second or third.
The first signal was probably an employee in a stealer log market. The second was either credential reuse alerts or unusual authentication telemetry that did not get prioritised. By the time the listing appears, the foothold has existed for some time.
This is uncomfortable but useful information. Treating IAB monitoring as a backstop rather than the primary detection layer puts the emphasis where it belongs: on closing the upstream signals (stealer log sightings, credential leaks, suspicious authentication) before they ever become a sellable foothold. When IAB monitoring does fire, treat it as evidence the upstream layers missed something, and respond accordingly.
ScruteX monitors IAB listings on dark web forums for mentions of your organisation, giving you warning before access is sold to a ransomware affiliate.
Further reading
Stealer Logs and Infostealer Malware
How infostealer malware harvests credentials and sessions from infected machines, why stealer logs have become the dominant initial access vector, and how to detect employees and customers whose data has been compromised.
Threat Actors Explained
A practical guide to who attackers actually are, why they attack, and what attribution can and cannot tell you.