Initial Access Brokers Shift Tactics, Selling More for Less
by SilverX - Sunday April 13, 2025 at 09:09 PM
#1
Who Are Initial Access Brokers (IABs)?
Initial Access Brokers, often referred to as IABs, play a key role in the cybercrime underworld. Rather than launching attacks themselves, these threat actors specialize in the first step of the process: breaking into computer systems and networks. Once they’ve secured that initial foothold, they sell access to other cybercriminals, including ransomware operators and data thieves.
Their methods range from brute-force attacks to clever social engineering schemes. But rather than using the access for their own campaigns, IABs hand it off—passing the risk along while still making a profit. This lets them stay focused on what they do best: getting in.
Operating quietly on dark web forums and invite-only marketplaces, IABs often work solo but can also be part of larger criminal organizations like Ransomware-as-a-Service (RaaS) groups. In many ways, they’re the gatekeepers of cybercrime—providing the keys that open the doors to more devastating attacks.

Why Are IABs on the Rise?
The growth of IABs has everything to do with efficiency. As ransomware groups have matured—especially those running as RaaS operations—they’ve found it more effective to outsource the initial breach. By purchasing access from IABs, they can skip the time-consuming work of breaking into systems themselves and jump straight to the attack phase: encrypting data and demanding ransom.
In many cases, these collaborations happen behind closed doors, without public listings or advertisements. That low profile helps IABs fly under the radar of law enforcement, while ensuring they’re consistently in demand among RaaS affiliates who need fast, reliable access.
The result? Faster attacks, fewer delays, and a booming underground industry that thrives on speed and specialization.

Who’s Being Targeted?
Back in 2023, business services were clearly the main focus of IABs, accounting for nearly a third of all attacks. But in 2024, that number has dropped to 13%—not because the threat has disappeared, but because IABs are casting a wider net.
Rather than focusing heavily on a single sector, attackers are now spreading their efforts across multiple industries. This strategic shift makes it harder to predict who might be next—and increases the pressure on all organizations to tighten their defenses.
Geographically, the U.S. remains the top target, thanks to its concentration of high-value companies. But Brazil and France have also seen a noticeable uptick in activity, landing second and third respectively on the list of most-targeted countries.

What's Driving the IAB Business Model?
The pricing of access in the IAB marketplace is as dynamic as the threats themselves. Most corporate access listings fall between $500 and $3,000. While some high-value breaches can command tens of thousands, the average sale in 2023 hovered around $1,979, with a median of just $1,000.
Interestingly, 2024 has seen a slight increase in the average price—now at $2,047—but this is largely due to a few unusually expensive sales. In reality, most listings have gotten cheaper. In fact, 86% are now priced below $3,000, and nearly 60% are under $1,000.
This shift suggests a change in strategy. Rather than waiting for one big payout, IABs are moving toward high-volume sales of lower-cost access points. It’s a numbers game now—and it’s proving profitable. More access points mean more opportunities for attacks, and the potential damage is just as serious, if not more widespread.

What’s Next for IABs?
IABs are evolving fast. Their partnerships with RaaS groups are becoming more streamlined, allowing attacks to launch almost instantly once access is acquired. This coordination means that smaller organizations—once seen as too minor to bother with—are now firmly in the crosshairs.
With a shift toward lower-priced, high-volume sales, IABs are expanding their reach and maximizing profits. At the same time, their quiet, behind-the-scenes role offers a level of protection, helping them evade detection and legal consequences.
As this model matures, the threat they pose continues to grow. Expect more targeted attacks, faster operations, and increasing pressure on companies of all sizes to stay vigilant.
Now more than ever, cybersecurity teams need to stay ahead of the curve—through continuous monitoring, staff training, and updated threat intelligence on the latest tools, tactics, and procedures.
If you’re interested in a deeper dive into IAB operations, including access types and defense strategies, don’t miss the talk "Initial Access Brokers – A Deep Dive" by security researcher Adi Bleih at the RSA Conference on April 30th at 2:25 PM (HT-W09). It’s one session worth adding to your schedule.
#2
With groceries and the cost of living getting more expensive every day, at least the accesses are cheaper.
#3
Bullshit, feded article to make people offer less for the same thing on the forums. Everywhere I go, accesses are more expensive or at the same price as the last two years.