What Is an Initial Access Broker (IAB)? The Ransomware Supply Chain
Initial access brokers are the real-estate agents of cybercrime: they break into organizations, then sell that foothold to whoever wants it — most often ransomware gangs. Here's how the market works.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
An initial access broker (IAB) is a cybercriminal who specializes in breaching organizations and then selling that access to other attackers, rather than carrying out the final attack themselves. IABs are a pivotal part of the modern cybercrime supply chain. They do the difficult first step — getting a foothold inside a target — and then auction or sell that access on criminal marketplaces, most often to ransomware-as-a-service affiliates who use it to deploy ransomware. This division of labor is one of the main reasons ransomware has scaled so dramatically.
In short: initial access brokers are the wholesalers of intrusion. They specialize in breaking in, package the resulting access as a product, and let someone else do the damage — for a price.
Why initial access brokers exist
Cybercrime has become a specialized economy, and specialization creates efficiency. Breaking into an organization requires different skills than negotiating a ransom or laundering cryptocurrency. By focusing solely on gaining access, IABs become very good at it — and they create a reliable supply of ready-made footholds that ransomware crews and other attackers can simply buy. For the buyer, purchasing access is faster and cheaper than breaching a target from scratch; for the IAB, selling access is lower-risk than running the full attack. The result is a thriving market that industrializes the most time-consuming part of an intrusion.
How IABs gain access
Initial access brokers use the full range of intrusion techniques, favoring methods that scale:
- Stolen credentials harvested from infostealer logs and credential stuffing.
- Exposed remote services — brute-forcing or exploiting RDP, VPNs, and other internet-facing access points.
- Exploiting vulnerabilities in unpatched internet-facing systems and edge devices.
- Phishing to capture credentials or deliver a foothold.
What IABs sell
The "product" is access, described and priced by how valuable it is:
- Access type: RDP or VPN credentials, web shells, compromised accounts, or — most prized — domain administrator access.
- Victim profile: the organization's industry, country, and especially its revenue, since attackers price access by how much ransom the victim could pay.
- Level of access: a single user account is worth far less than full administrative control.
Listings appear on dark-web forums and marketplaces, sometimes as fixed-price sales and sometimes as auctions, with prices ranging from tens of dollars to many thousands depending on the target's value.
The IAB's role in the ransomware economy
The clearest way to understand IABs is as one link in an assembly line. An infostealer operator harvests credentials; an initial access broker uses them to establish and verify a foothold, then sells it; a ransomware affiliate buys that access and deploys ransomware; the RaaS operator provides the malware and takes a cut. Each specialist hands off to the next. This is why disrupting IABs is so valuable to defenders — they sit at the chokepoint between "credentials exist somewhere" and "an attacker is inside your network."
Why IABs make attacks worse
- They industrialize access. A steady supply of pre-breached organizations lets ransomware crews attack at scale.
- They compress timelines. Buying access means an attacker can go from purchase to ransomware in a fraction of the usual time.
- They obscure the trail. Multiple hands touching an intrusion complicate attribution and response.
- They monetize "minor" breaches. Access that one attacker can't use is still sellable to someone who can.
How to defend against initial access brokers
Stopping IABs means closing the access vectors they sell — which are the same fundamentals that stop most intrusions:
- Enforce phishing-resistant MFA on all remote access (VPN, RDP, email), neutralizing stolen credentials.
- Eliminate exposed RDP and harden VPNs; never leave remote access open to the internet without strong controls.
- Patch internet-facing systems aggressively via strong vulnerability management.
- Monitor for exposed credentials with dark web monitoring, and force resets when employee credentials surface in infostealer logs.
- Deploy EDR and watch for the early intrusion activity that precedes a sale or handoff.
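The last two items, exposed-credential monitoring and watching for early intrusion activity, can be put into practice with a small detection pass over remote-access authentication logs. The following is an added example, not code from the article or from any vendor it mentions. It runs three checks over constructed VPN/RDP log lines: a source that fails repeatedly against one account and then succeeds (brute force that worked), one source failing against many distinct accounts (password spraying), and a successful login by an account that appears in a constructed list of credentials seen in infostealer logs. The log format, the thresholds, and the exposed-credential list are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (documentation IP ranges, fictional users).
SAMPLE_LOGS = """\
2024-05-01T02:14:01Z vpn auth=fail user=alice src=203.0.113.7
2024-05-01T02:14:03Z vpn auth=fail user=alice src=203.0.113.7
2024-05-01T02:14:05Z vpn auth=fail user=alice src=203.0.113.7
2024-05-01T02:14:08Z vpn auth=fail user=alice src=203.0.113.7
2024-05-01T02:14:11Z vpn auth=fail user=alice src=203.0.113.7
2024-05-01T02:14:40Z vpn auth=success user=alice src=203.0.113.7
2024-05-01T03:00:00Z rdp auth=fail user=bob src=198.51.100.9
2024-05-01T03:00:02Z rdp auth=fail user=carol src=198.51.100.9
2024-05-01T03:00:04Z rdp auth=fail user=dave src=198.51.100.9
2024-05-01T03:00:06Z rdp auth=fail user=erin src=198.51.100.9
2024-05-01T09:15:00Z vpn auth=success user=bob src=192.0.2.44
2024-05-01T09:30:00Z vpn auth=success user=frank src=192.0.2.50
"""

# Constructed: accounts whose credentials surfaced in an infostealer log dump
# (in practice this list comes from a dark-web / exposed-credential monitoring feed).
EXPOSED_USERS = {"frank"}

# Assumed log format: "<ISO8601 UTC> <service> auth=<success|fail> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\w+) auth=(?P<result>success|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log text into a time-sorted list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_bruteforce_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """A success for (src, user) preceded by >= min_failures failures on that pair within the window."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in events:
        q = recent[(ev["src"], ev["user"])]
        while q and ev["ts"] - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if ev["result"] == "fail":
            q.append(ev["ts"])
        elif len(q) >= min_failures:
            alerts.append({"rule": "bruteforce_then_success", "src": ev["src"],
                           "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
            q.clear()
    return alerts


def find_password_spray(events, min_accounts=3, window=timedelta(minutes=10)):
    """One source failing against >= min_accounts distinct accounts within the window (alert once per source)."""
    recent = defaultdict(deque)  # src -> (timestamp, user) of recent failures
    flagged, alerts = set(), []
    for ev in events:
        if ev["result"] != "fail":
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        q.append((ev["ts"], ev["user"]))
        users = {u for _, u in q}
        if len(users) >= min_accounts and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append({"rule": "password_spray", "src": ev["src"],
                           "accounts": sorted(users), "ts": ev["ts"]})
    return alerts


def find_exposed_credential_logins(events, exposed_users):
    """Any successful login by an account whose credentials are known to be exposed."""
    exposed = {u.lower() for u in exposed_users}
    return [{"rule": "exposed_credential_login", "src": e["src"], "user": e["user"], "ts": e["ts"]}
            for e in events if e["result"] == "success" and e["user"].lower() in exposed]


def run_detections(log_text, exposed_users):
    """Run all three checks and return the combined alert list."""
    events = parse_events(log_text)
    return (find_bruteforce_then_success(events)
            + find_password_spray(events)
            + find_exposed_credential_logins(events, exposed_users))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOGS, EXPOSED_USERS):
        print(alert)
```

On the sample data this raises three alerts: the brute-forced `alice` login from 203.0.113.7, the spray from 198.51.100.9, and `frank`'s login with credentials already in the exposed list. Each of these is the kind of event that, in the article's model, sits between "credentials exist somewhere" and a foothold being sold; the thresholds and window are starting points to tune against real baseline traffic, and the exposed-credential check is only as good as the feed behind it.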
How access is priced
Initial access is a commodity, and like any commodity it's priced by quality and value. Listings on criminal marketplaces typically advertise the victim's country, industry, revenue, and the type and level of access on offer — but rarely the victim's name, which is revealed only to a serious buyer. Prices span an enormous range: low-value access to a small organization might sell for as little as tens or low hundreds of dollars, while domain-administrator access to a large, high-revenue enterprise can command tens of thousands. Brokers often "validate" their access before sale and may offer guarantees or replacements if it stops working, mirroring legitimate commerce.
This pricing transparency is itself a signal for defenders: it confirms that attackers explicitly value targets by their ability to pay a ransom, which is why larger and better-resourced organizations face disproportionate interest — and why the appearance of your organization in such a listing is a genuine emergency demanding immediate investigation. It's worth remembering, too, that small and mid-sized organizations are far from safe: their access is cheaper, but it's also easier to obtain and sells in volume, making them a steady staple of the access trade rather than an afterthought.
Where threat intelligence fits
IABs are a prime focus of threat intelligence. Analysts monitor the forums and marketplaces where access is sold, sometimes spotting a listing for access to a specific organization — an early-warning signal that a ransomware attack may be imminent. Tracking IAB activity and the credentials feeding it lets defenders intervene in the narrow window between a breach being sold and ransomware being deployed.
The bottom line
Initial access brokers specialize in breaking into organizations and selling that access to other criminals — most often ransomware affiliates — making them a critical link in the cybercrime supply chain. Fueled by infostealer logs, exposed remote services, and unpatched vulnerabilities, they industrialize the hardest part of an attack and compress the time from breach to ransomware. Closing those access vectors with MFA, hardened remote access, fast patching, and exposed-credential monitoring is the core defense. To track access-broker activity and the credentials behind it, follow our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
What is an initial access broker (IAB)?
An initial access broker is a cybercriminal who specializes in breaching organizations and then selling that access to other attackers — most often ransomware affiliates — rather than carrying out the final attack themselves. IABs are a key link in the cybercrime supply chain.
How do initial access brokers gain access?
They use stolen credentials from infostealer logs and credential stuffing, brute-force or exploit exposed remote services like RDP and VPNs, exploit unpatched internet-facing vulnerabilities, and use phishing. They favor methods that scale across many targets.
What do initial access brokers sell?
They sell access as a product: RDP or VPN credentials, web shells, compromised accounts, or prized domain administrator access. Listings are priced by the victim's industry, country, and revenue, and by the level of access, on dark-web forums and marketplaces.
How do IABs fit into ransomware attacks?
They're one link in an assembly line: infostealers harvest credentials, IABs use them to establish and sell a foothold, ransomware affiliates buy that access and deploy ransomware, and RaaS operators provide the malware. This division of labor lets ransomware scale.
How do you defend against initial access brokers?
Close the access vectors they sell: enforce phishing-resistant MFA on all remote access, eliminate exposed RDP and harden VPNs, patch internet-facing systems aggressively, monitor for exposed credentials via dark web monitoring, and deploy EDR to catch early intrusion activity.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: