Access Brokers: Their Pivotal Role in Cybercrime
Access brokers play a critical role in the cybercrime ecosystem, enabling cybercriminals to gain and sell unauthorized access to networks. This post explores their role and highlights effective strategies your organization can use to detect and prevent these threats.
Published July 13, 2025.

When it comes to cybercrime, some of the most significant threats come from hidden players operating behind the scenes. Access brokers are among these key figures, quietly securing and selling entry points into organizations’ networks. This underground activity fuels many ransomware and cyberattack operations, making it easier for criminals to target businesses like yours. Understanding the impact of access brokers and their connection to ransomware-as-a-service (RaaS) can help you recognize the risks your organization faces.
In this blog, we will explain what an access broker is and examine the role an access broker plays in the RaaS model, giving you insights to strengthen your defenses.
What Is an Access Broker in Cybersecurity?
Initial access brokers (IABs) are cybercriminals who specialize in gaining unauthorized access to computer networks and systems, and then selling that access to other threat actors. They are essentially middlemen in the cybercrime ecosystem.
Initial Access Brokers vs. Ransomware Operators, Data Brokers, and Malware Developers
Threat Actor | Role | Method of operation | Marketplace involvement |
---|---|---|---|
Initial Access Brokers (IABs) | Gain unauthorized access to networks and sell it to others. | Use stolen credentials, software exploits, phishing, and brute-force attacks to gain entry. | Active in underground markets where they sell network access to threat actors. |
Ransomware Operators | Encrypt data and demand ransom from victims. | Use ransomware payloads delivered via access often bought from IABs. | Buy access from IABs, then monetize it through extortion. |
Data Brokers | Collect and sell personal data from various sources. | Scrape, purchase, or aggregate user data from public and online sources. | Operate on legal data marketplaces or via direct B2B sales. |
Malware Developers | Create the malicious software used in cyberattacks. | Write code for malware such as Trojans, spyware, or viruses. | Sell malware on dark web forums or private groups. |
How Access Brokers Obtain and Validate Initial Access
IABs use several methods to gain unauthorized entry into corporate environments. Each method involves validation steps to ensure the access is functional and valuable to potential buyers. Below are the most common tactics:
1. Exploiting Software Vulnerabilities
Access brokers actively scan public-facing systems for unpatched vulnerabilities. These targets may include VPN appliances, email gateways, web applications, or firewall interfaces.
Once a vulnerability is identified, they exploit it, often using known Common Vulnerabilities and Exposures (CVEs), and attempt to gain shell access or internal visibility. Validation includes verifying system control, checking lateral movement potential, and maintaining persistence through backdoors or scheduled tasks. In some cases, the broker provides screenshots, file structures, or proof-of-access reports to entice buyers and prove the access is reliable and stable.
2. Phishing and Social Engineering
IABs craft highly targeted phishing emails or messages, often mimicking trusted sources (e.g., IT support or cloud services). These lure employees into submitting credentials or executing malware-laced attachments or links.
Once credentials are in hand, brokers confirm that they work by logging in, usually to a web portal or VPN interface, and check whether the session persists and whether MFA is enforced. If MFA is in place, they may bypass it by stealing session tokens or cookies, hijacking an already authenticated session, or bombarding the user with push prompts until one is approved (MFA fatigue). Verified credentials are then sorted by user privilege and domain relevance before being listed for sale.
3. Stolen Credentials and Credential Stuffing
IABs collect large volumes of leaked credentials from previous data breaches or purchase them from stealer log vendors. These logs contain usernames, passwords, cookies, and session tokens.
Using credential stuffing tools, brokers test combinations against company login portals. They typically validate access to email systems, remote access portals (like Citrix or VPN), and cloud apps. Working logins are sorted by access level, domain, and department. Some IABs go further by mapping internal systems reachable with those credentials to increase value.
4. Brute-Forcing and Password Spraying
For exposed services like RDP, SSH, or webmail, IABs use automated tools either to try many passwords against a single account (brute-forcing) or to try a few common passwords across many accounts (password spraying). Spraying keeps the failure count per account low, which sidesteps lockout policies and the simplest per-account detections.
Once a valid login is found, brokers confirm access by logging in and mapping available services. They often use built-in tools to assess privileges and search for additional internal weaknesses. Successful entries may be escalated by adding local accounts, deploying web shells, or configuring remote access persistence.
Frequently Sold Access Types
Access brokers sell various types of access based on ease of use, utility to attackers, and level of control provided. Below are the most common types found in underground markets, along with their rationale and statistics.
1. Remote Desktop Protocol (RDP) Access
- Frequency: In 2023, RDP access topped IAB listings at over 60%, though it declined to 41% in 2024 as VPN and credential-based access gained ground.
- Reason: RDP offers full graphical access to Windows hosts. It is simple to use, even for low-skill threat actors, and has no built-in second factor, so an exposed host often depends on a password alone. Many RDP services remain reachable from the internet with weak or default credentials.
2. Virtual Private Network (VPN) Access
- Frequency: VPN access listings surged to 45% in 2024, up from 33% in 2023.
- Reason: VPN credentials grant what looks like legitimate entry into the protected environment. Once authenticated, the attacker is inside the perimeter, where firewall rules written for untrusted external traffic no longer apply, and their reconnaissance and lateral movement blend in with ordinary remote-user activity.
3. Active Directory / Domain Admin Access
- Frequency: Access involving administrator rights was highly sought after, with 47% of offers including such privileges.
- Reason: Domain admin access allows attackers full control over user accounts, devices, and servers. It is often used to deploy ransomware broadly, disable defenses, and exfiltrate sensitive data.
4. Web Shells
- Frequency: Web shells were frequently offered by IABs. Group-IB detected over 290,000 web shells being sold on cybercriminal markets.
- Reason: A web shell offers persistent, remote command execution on compromised web servers. Attackers use it for lateral movement, data theft, and malware deployment. Web shells are lightweight, stealthy, and easy to re-access over long periods.
5. General Valid User Credentials
- Frequency: Not broken out as a separate share in the figures above; these credentials typically come from phishing or stealer logs.
- Reason: Standard user credentials can serve as an initial foothold, allowing attackers to conduct reconnaissance, escalate privileges, or access less protected network areas, particularly if they lead to sensitive applications.
Best Practices to Prevent and Detect the Sale of Access on the Dark Web
Prevention Strategies
- Implement robust authentication and access control: Enforce MFA across all accounts and services, particularly for remote access (VPNs, RDP) and privileged accounts. Conduct regular audits of user permissions and apply the principle of least privilege to minimize potential damage in the event of an account compromise.
- Conduct regular vulnerability management and patching: Continuously scan for vulnerabilities in software, applications, and network devices, and promptly address any findings. Effective patch management significantly reduces the attack surface that access brokers might exploit.
- Enhance employee security awareness: Provide regular training on phishing, social engineering, and strong password practices. An informed workforce is less susceptible to the tactics employed by access brokers to acquire credentials.
Detection Strategies
- Engage in continuous dark web monitoring: Proactively monitor dark web forums, marketplaces, and hidden sites for any mentions of your organization, leaked credentials, or offers of access to your network. Early detection enables swift action to prevent exploitation.
- Implement proactive threat hunting and anomaly detection: Utilize threat hunting teams and User and Entity Behavior Analytics (UEBA) to identify unusual patterns, such as atypical login velocities, device fingerprint mismatches, or unexpected lateral movements, which may signal a preliminary compromise by an access broker.
- Integrate Endpoint Detection and Response (EDR) with SIEM: Employ EDR solutions and integrate them with a Security Information and Event Management (SIEM) system. This integration enhances visibility across endpoints and network traffic, facilitating the correlation of events to identify initial access attempts or established footholds.
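The UEBA signals named above, atypical login velocity and a device fingerprint the user has never presented before, can be checked with a few lines once sign-in events carry a location and a device identifier. The following is an added example written for this article, not KELA's own code or product logic: the events are constructed, the IP-to-location step a real pipeline would perform is replaced by coordinates attached directly to each event, and the speed and distance thresholds are assumptions to tune per environment.

```python
"""Login-velocity ("impossible travel") and new-device checks over sign-in events.

Added example for this article, not KELA's code. The events are constructed;
a real pipeline would geolocate the source IP, which is skipped here by
attaching latitude/longitude directly to each event. Thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: anything faster than an airliner is suspect
MIN_DISTANCE_KM = 100.0     # assumption: ignore jitter between nearby geo lookups


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src_ip: str
    lat: float
    lon: float
    device_id: str  # the device fingerprint or cookie the identity provider assigns


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_anomalies(logins):
    """Return (user, kind, detail) tuples for impossible travel and first-seen devices."""
    by_user = defaultdict(list)
    for login in sorted(logins, key=lambda l: l.ts):
        by_user[login.user].append(login)

    findings = []
    for user, events in by_user.items():
        known_devices = set()
        prev = None
        for cur in events:
            if prev is not None:
                dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
                hours = (cur.ts - prev.ts).total_seconds() / 3600
                if dist >= MIN_DISTANCE_KM:
                    speed = dist / hours if hours > 0 else float("inf")
                    if speed > MAX_PLAUSIBLE_KMH:
                        findings.append((user, "impossible_travel",
                                         f"{dist:.0f} km in {hours * 60:.0f} min "
                                         f"({prev.src_ip} -> {cur.src_ip})"))
            # A device this user has not signed in from before, within the data we hold
            if known_devices and cur.device_id not in known_devices:
                findings.append((user, "new_device", f"{cur.device_id} from {cur.src_ip}"))
            known_devices.add(cur.device_id)
            prev = cur
    return findings


def sample_logins():
    """Constructed sign-ins: coordinates are city centres, IPs are documentation ranges."""
    t = lambda s: datetime.fromisoformat(s)
    return [
        # alice: New York, then Frankfurt 45 minutes later on an unseen device
        Login(t("2025-07-01T09:00:00"), "alice", "198.51.100.10", 40.71, -74.01, "dev-a1"),
        Login(t("2025-07-01T09:45:00"), "alice", "203.0.113.77", 50.11, 8.68, "dev-x9"),
        # bob: London, then Manchester four hours later on his usual laptop
        Login(t("2025-07-01T08:00:00"), "bob", "192.0.2.5", 51.51, -0.13, "dev-b1"),
        Login(t("2025-07-01T12:00:00"), "bob", "192.0.2.6", 53.48, -2.24, "dev-b1"),
    ]


if __name__ == "__main__":
    for user, kind, detail in find_anomalies(sample_logins()):
        print(f"{user:6} {kind:18} {detail}")
```

The distance floor matters in practice: consecutive logins from two nearby IP ranges can geolocate a few kilometres apart within seconds, which would otherwise produce an absurd speed. A new-device finding on its own is weak evidence; combined with an impossible-travel finding for the same account it is the pattern a broker validating freshly bought credentials tends to leave.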
3 Internal Indicators of Access Broker Compromise
- Unusual login activity: Look for logins from unfamiliar IP addresses or locations, multiple failed login attempts followed by success, or access at unusual times. Also, watch for legitimate accounts doing unusual actions or accessing resources they normally don’t—these can be signs of account takeover.
- Detect creation of new accounts: Access brokers often create new local or domain accounts, sometimes with elevated privileges, to maintain persistence or allow easier access for buyers. Unexpected new user accounts are a major red flag.
- Analyze anomalous network traffic: Unexplained outbound data transfers, connections to known malicious command and control servers or TOR nodes, or unusual internal scanning and lateral movement may mean an access broker is validating or using their access before selling it.
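The brute-force and password-spraying tactics described earlier, and the first two indicators above (failures followed by a success, and new accounts created for persistence), all show up in authentication logs and can be caught with a handful of stateful rules. The following is an added example written for this article, not KELA's tooling or any product's detection content. The event lines are constructed in a compact form that carries Windows Security log semantics (4624 logon success, 4625 logon failure, 4720 user created, 4732 member added to a local group); the window and thresholds are assumptions to tune per environment, and field values in the constructed lines contain no spaces.

```python
"""Rules over authentication events for the indicators above: password spraying and
brute force, failures followed by a success, and a freshly created account that is
immediately added to a privileged group.

Added example for this article, not KELA's tooling. Event lines are constructed with
Windows Security log semantics (4624 success, 4625 failure, 4720 user created,
4732 member added to a local group). Thresholds and the window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5     # one source failing against >= 5 distinct accounts
BRUTE_MIN_FAILURES = 8     # >= 8 failures against one account from one source
STREAK_BEFORE_SUCCESS = 3  # >= 3 consecutive failures for an account, then a success
# Group names as they appear in the constructed lines (no spaces in field values)
PRIVILEGED_GROUPS = {"Administrators", "Remote_Desktop_Users"}


def parse(line):
    """'2025-07-01T02:00:00Z 4625 user=alice src=203.0.113.7' -> dict of fields."""
    ts, event_id, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "id": int(event_id)}
    event.update(p.split("=", 1) for p in pairs)
    return event


def detect(lines):
    """Return de-duplicated (kind, actor, detail) alerts in the order they first fire."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts, fired = [], set()

    def alert(kind, actor, detail, key=None):
        key = key or (kind, actor, detail)
        if key not in fired:
            fired.add(key)
            alerts.append((kind, actor, detail))

    fails_by_src = defaultdict(list)   # src -> [(ts, user)] failures inside WINDOW
    fail_streak = defaultdict(int)     # user -> consecutive failures since last success
    created_at = {}                    # new account -> creation time

    for e in events:
        if e["id"] == 4625:
            src, user = e["src"], e["user"]
            recent = [(t, u) for t, u in fails_by_src[src] if e["ts"] - t <= WINDOW]
            recent.append((e["ts"], user))
            fails_by_src[src] = recent
            distinct = {u for _, u in recent}
            if len(distinct) >= SPRAY_MIN_ACCOUNTS:   # few tries each, many accounts
                alert("password_spray", src, f"{len(distinct)} accounts in {WINDOW}",
                      key=("password_spray", src))
            if sum(1 for _, u in recent if u == user) >= BRUTE_MIN_FAILURES:  # one account
                alert("brute_force", src, user)
            fail_streak[user] += 1
        elif e["id"] == 4624:
            if fail_streak[e["user"]] >= STREAK_BEFORE_SUCCESS:
                alert("failures_then_success", e["src"],
                      f"{e['user']} after {fail_streak[e['user']]} failures")
            fail_streak[e["user"]] = 0
        elif e["id"] == 4720:
            created_at[e["target"]] = e["ts"]
            alert("new_account", e["user"], e["target"])
        elif e["id"] == 4732 and e.get("group") in PRIVILEGED_GROUPS:
            if e["target"] in created_at and e["ts"] - created_at[e["target"]] <= WINDOW:
                alert("new_privileged_account", e["user"], f"{e['target']} -> {e['group']}")
    return alerts


# Constructed sample: a spray from one address, a brute force that eventually succeeds,
# then the attacker creating a local admin for persistence. Benign activity at the end.
SAMPLE_EVENTS = (
    [f"2025-07-01T02:0{i}:00Z 4625 user={u} src=203.0.113.7"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [f"2025-07-01T02:{10 + i}:00Z 4625 user=svc_backup src=198.51.100.9" for i in range(8)]
    + ["2025-07-01T02:18:00Z 4624 user=svc_backup src=198.51.100.9",
       "2025-07-01T02:20:00Z 4720 user=svc_backup target=support01 src=10.0.0.5",
       "2025-07-01T02:21:00Z 4732 user=svc_backup target=support01 group=Administrators src=10.0.0.5",
       "2025-07-01T02:30:00Z 4624 user=alice src=10.0.0.20"]
)

if __name__ == "__main__":
    for kind, actor, detail in detect(SAMPLE_EVENTS):
        print(f"{kind:24} {actor:14} {detail}")
```

Two design points carry over to a real SIEM rule. The spray rule keys on distinct accounts per source rather than failures per account, because a sprayer deliberately stays under per-account lockout thresholds; and the privileged-account rule correlates two separate events (4720 then 4732) within a short window, which is what distinguishes a broker staging access for a buyer from routine help-desk provisioning.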
How Our Expertise Helps You Stay Ahead of Access Brokers
Understanding what role an access broker plays in the RaaS model is key to protecting your organization from cyber threats. Our expertise in dark web monitoring and threat intelligence gives you early warning of any attempts to sell access to your networks. We provide detailed profiles of threat actors and actionable alerts, helping you detect and respond quickly.
With a clear view of your external risks and attack surface, your organization can better prevent access broker activity and reduce the chance of costly breaches. Staying informed about emerging tactics ensures you can adapt defenses before threats escalate. Together, we strengthen your security posture against evolving threats from the cybercrime underground.