Access brokers (also known as initial access brokers) are criminal groups who specialize in selling illegitimate access to corporate networks. These groups breach the networks and then sell the access on to ransomware and other cybercriminal groups.

How do initial access brokers operate?

Initial access brokers (IABs) are skilled at identifying and exploiting vulnerabilities using common hacking techniques to gain unauthorized access to networks. Some of their tactics include social engineering, brute force attacks, along with other attack vectors.

By selling access to networks instead of carrying out the attacks themselves, IABs mitigate the risks associated with launching a ransomware attack and instead focus on breaching networks and capitalizing on their expertise.

IABs operate on dark web forums and underground markets, functioning as individual actors or part of larger organizations. The asking price for IAB services often depends on factors such as the size and type of the target organization and the type of access offered. The clients of these IABs are groups of threat actors who leverage the purchased access to launch ransomware attacks, execute data breaches, and engage in other malicious activities—typically for financial gain.

What do initial access brokers sell?

Initial access brokers sell various types of network access to their clients.


VPNs are used to establish secure connections over the internet. An increase in remote and hybrid working models has increased the usage of VPNs by organizations globally. If VPN servers are not configured correctly, IABs can gain access to system accounts and sell the compromised credentials.

Remote Desktop Protocol (RDP)

RDP is enables users to control a computer via a network connection remotely. IABs sell compromised systems with RDP access enabled, allowing buyers to exploit systems remotely.

Web Shell Attack

Threat actors take advantage of web server vulnerabilities and implant malicious files within web server directories, establishing backdoor access to the web server.

Remote Monitoring and Management (RMM)

Remote Monitoring Management is the set of tools that enable IT service providers to monitor client endpoints, networks, and computers remotely and proactively.

Active Directory

Active directory stores information about resources and items on a network, allowing for easy use and control of information. IABs infiltrate these structured data stores and sell them to buyers to access private networks.

Dangers of Initial Access Brokers

IABs pose a significant risk to network security as they perpetuate the rise of cyber threats, such as malware and ransomware attacks. IABs allow those that lack the technical expertise or resources to hack into systems independently.

IABs also benefit RaaS gangs, such as LockBit and BlackCat, by reducing their workload and accelerating their services. As partnerships between IABs and RaaS gangs grow, both parties gain access to stronger skillsets, clientele, and power. RaaS gangs continue to receive financial compensation while other threat actors are provided with the tools needed to extort organizations and capitalize on cyberattacks.