Initial access brokers are the elite of the hacking world, compromising systems and then selling access to anyone who can afford it. Here’s how they work and what we can learn from them.
When you read about a major data breach or a disruptive ransomware attack, it’s easy to think that these are the work of a single hacker or hacking group, but the cyber crime ecosystem is far more complex and diverse.
While many hackers do perform all their own work, others rely upon the efforts of initial access brokers, hackers who specialise in compromising networks and then on-selling that access for others to exploit.
It’s a lucrative business, and in many cases, dominated by just a handful of skilled hackers, according to Rapid7’s 2025 Access Brokers Report. In the Russian-language hacking community known as Exploit Forums, just two brokers – “doZKey” and “sganarelle2” – are responsible for more than 65 per cent of all initial access offerings, out of a total of 11 brokers active on the forum over the last six months.
In just one of doZKey’s posts, from November 2024, the hacker offered access to four corporations, two in the UK, and one each in Spain and South Africa. The prices ranged from US$400 to US$1,000 and listed the anti-virus software running on each network.
Other access posts offer even more insight into the target network, from the initial access vector on offer, such as remote desktop or VPN access, to the level of network privilege that comes with it. It’s a veritable candy store for hackers looking for easy access, but it raises one question: why don’t these access brokers go further and exfiltrate data themselves?
Caution rules
“Access brokers are motivated not only by financial gain but also by the advantages offered by their specialisation in hacking networks and operational systems. Their role usually focuses on acquiring and maintaining network access (via stolen credentials, compromised VPN/RDP, web shells, etc.) and selling it to other cyber criminals,” Jeremy Makowski, senior threat intelligence researcher at Rapid7 and one of the authors of the report, told Cyber Daily.
According to Makowski, it’s a matter of risk versus reward, and actually stealing data represents additional risk.
“Outsourcing malware deployment and data theft reduces the risk of detection by cyber security entities. This work segmentation makes their operations scalable and more sustainable; a broker can manage dozens of active accesses simultaneously without attracting the intense law enforcement attention often faced by active extortionists or ransomware affiliates. Essentially, they operate as wholesalers in a criminal supply chain, favouring repeatable, low-risk transactions over high-stakes operations,” he said.
Brokers as actionable intelligence
However, while initial access brokers are clearly no less criminal than the hackers they facilitate, they can still be a useful bellwether for network defenders.
As part of their sales pitches, initial access brokers often list what business sector their victims are in, alongside details like the number of employees and yearly revenue. In many cases, these details are scraped from websites such as Crunchbase, which lists those very same details. Is it possible to observe this data, either directly on the hacking forums themselves or via threat intelligence services, such as FalconFeeds, to get ahead of the hackers?
“Organisations can benefit significantly from monitoring underground forums and marketplaces for signs that they are being mentioned or targeted,” Makowski said.
“Even if a company’s name isn’t mentioned, similarities in size, technology stack, or location can show a potential risk. Understanding the type of access (for example: RDP, VPN, Citrix, or cloud credentials) allows cyber security teams to prioritise and focus their defences where they matter most.”
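The triage Makowski describes, matching broker listings against your own organisation's sector, size, location and technology stack and then ranking the hits by access type, is straightforward to automate once listings are pulled from a forum or a feed. The following is an added example written for this article, not code from Rapid7, Cyber Daily or any threat intelligence vendor. The "key: value | key: value" listing format, the field names, the sample listings, the organisation profile and the scoring weights are all constructed assumptions for the demonstration; a real feed would need its own parser.

```python
"""Score initial-access-broker (IAB) listings against an organisation profile.

Added example, not code from Rapid7 or Cyber Daily. The listing format
("key: value | key: value"), field names, sample data, profile and weights
below are constructed assumptions for illustration only.
"""
import re
from dataclasses import dataclass, field

# Constructed sample listings in the assumed format (not real broker posts).
SAMPLE_LISTINGS = [
    "sector: Logistics | country: UK | employees: 1200 | revenue: $150M | access: VPN (domain user) | av: SentinelOne | price: $800",
    "sector: Retail | country: ES | employees: 300 | revenue: $40M | access: RDP (local admin) | av: Windows Defender | price: $400",
    "sector: Logistics | country: ZA | employees: 1100 | revenue: $120M | access: Citrix (domain admin) | av: CrowdStrike | price: $1000",
    "sector: Healthcare | country: UK | employees: 5000 | revenue: $900M | access: cloud (M365 global admin) | av: Microsoft Defender | price: $3000",
]

# Hypothetical profile of the organisation doing the monitoring.
ORG_PROFILE = {
    "sector": "Logistics",
    "country": "UK",
    "employees": 1250,
    "revenue_musd": 170.0,
    "stack": {"vpn", "sentinelone"},  # technologies the organisation actually runs
}

# Assumed triage weights: broader reach and higher privilege are handled first.
VECTOR_PRIORITY = {"cloud": 3, "vpn": 3, "citrix": 2, "rdp": 2}
PRIVILEGE_PRIORITY = {"domain admin": 4, "global admin": 4, "local admin": 2, "domain user": 1}

_SUFFIX_TO_MILLIONS = {"k": 1e-3, "m": 1.0, "b": 1e3}


@dataclass
class Listing:
    sector: str
    country: str
    employees: int
    revenue_musd: float
    vector: str      # e.g. "vpn", "rdp", "citrix", "cloud"
    privilege: str   # free text inside the parentheses, lower-cased
    av: str
    price_usd: int
    raw: str


@dataclass
class Match:
    score: int
    priority: int
    listing: Listing
    reasons: list = field(default_factory=list)


def parse_money_musd(text):
    """'$150M' -> 150.0, '$1.2B' -> 1200.0, '$500K' -> 0.5 (assumed notation)."""
    s = text.strip().lstrip("$").replace(",", "")
    mult = 1e-6  # a bare number is taken as dollars
    if s and s[-1].lower() in _SUFFIX_TO_MILLIONS:
        mult, s = _SUFFIX_TO_MILLIONS[s[-1].lower()], s[:-1]
    return float(s) * mult


def parse_listing(text):
    """Split the assumed 'key: value | key: value' format into a Listing."""
    fields = {}
    for part in text.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip().lower()] = value.strip()
    m = re.match(r"([A-Za-z0-9]+)\s*\((.*?)\)", fields["access"])
    vector, privilege = (m.group(1), m.group(2)) if m else (fields["access"], "")
    return Listing(
        sector=fields["sector"], country=fields["country"],
        employees=int(re.sub(r"\D", "", fields["employees"])),
        revenue_musd=parse_money_musd(fields["revenue"]),
        vector=vector.lower(), privilege=privilege.lower(), av=fields.get("av", ""),
        price_usd=int(re.sub(r"\D", "", fields["price"])), raw=text,
    )


def _within(value, target, tol):
    return target > 0 and abs(value - target) <= tol * target


def _rank(table, text, default=1):
    return max((v for k, v in table.items() if k in text.lower()), default=default)


def score_listing(lst, profile):
    """Weighted similarity to the profile; returns (score, reasons)."""
    score, reasons = 0, []
    if lst.sector.lower() == profile["sector"].lower():
        score, reasons = score + 30, reasons + ["sector"]
    if lst.country.lower() == profile["country"].lower():
        score, reasons = score + 20, reasons + ["country"]
    if _within(lst.employees, profile["employees"], 0.25):
        score, reasons = score + 20, reasons + ["employees"]
    if _within(lst.revenue_musd, profile["revenue_musd"], 0.25):
        score, reasons = score + 20, reasons + ["revenue"]
    stack_hits = sorted(t for t in profile["stack"] if t in lst.raw.lower())
    if stack_hits:
        score, reasons = score + 10, reasons + ["stack:" + ",".join(stack_hits)]
    return score, reasons


def triage(listing_texts, profile, threshold=50):
    """Parse, score and rank listings; keep those at or above the threshold."""
    matches = []
    for text in listing_texts:
        lst = parse_listing(text)
        score, reasons = score_listing(lst, profile)
        if score >= threshold:
            prio = _rank(VECTOR_PRIORITY, lst.vector) + _rank(PRIVILEGE_PRIORITY, lst.privilege)
            matches.append(Match(score, prio, lst, reasons))
    return sorted(matches, key=lambda m: (m.score, m.priority), reverse=True)


if __name__ == "__main__":
    for m in triage(SAMPLE_LISTINGS, ORG_PROFILE):
        print(f"score={m.score:3d} prio={m.priority} {m.listing.vector}/{m.listing.privilege} "
              f"{m.listing.country} {m.listing.sector} (${m.listing.price_usd}) matched on {m.reasons}")
```

With the constructed data, the UK logistics VPN listing scores a full match and the South African logistics listing clears the threshold on sector and headcount alone; the latter still deserves a look because brokers sometimes mislabel or anonymise a victim's country. Tune the threshold and weights to your own false-positive tolerance, and treat any hit as the starting point for the verification step Makowski describes rather than as proof of compromise.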
Essentially, if it looks like your network is already compromised, monitoring broker activity could let you close the barn door before the horse bolts – but it calls for swift action.
“When an organisation suspects it is the target of an IAB listing, it should act immediately. First, the information must be verified with internal cyber security teams and trusted threat intelligence partners,” Makowski said.
“Upon confirmation, implement immediate containment measures: secure or disable the compromised access points, enforce multifactor authentication, and reset any credentials that may have been exposed. Follow this by conducting a comprehensive review for related suspicious activity, patching or decommissioning vulnerable services, and engaging incident response specialists to investigate in-depth.”
There is no doubt that initial access brokers are a threat – they are among the major facilitators of cyber crime. However, they may also be the canary in the coal mine, indicating far worse to come.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.