Initial Access Broker (IAB)
What is Initial Access Broker (IAB)?
Initial Access Broker (IAB): A cybercrime specialist who obtains unauthorised access to corporate networks and sells that access to other criminals, especially ransomware affiliates.
Initial Access Brokers (IABs) form a distinct layer of the cybercrime economy. They specialise in obtaining footholds in organisations via phishing, infostealer logs, valid VPN or RDP credentials, web-shell deployment, or exploitation of public vulnerabilities (Citrix, Fortinet, Pulse Secure, Ivanti, Microsoft Exchange). Access is then listed on Russian-speaking forums such as Exploit and XSS, on Telegram channels, or sold privately. Listings include the victim's industry, revenue, country, and access type, with prices from a few hundred to tens of thousands of dollars. Their main buyers are ransomware affiliates, business-email-compromise crews, and crypto-theft groups. IABs dramatically accelerate intrusions and explain why patching and credential hygiene are so important.
● Examples
- 01. An IAB advertises VPN access into a US healthcare provider on a Russian-speaking forum for 5,000 USD.
- 02. Multiple ransomware groups, including Conti and LockBit, relied on IABs to scale their campaigns through 2021-2023.
● Frequently asked questions
What is Initial Access Broker (IAB)?
A cybercrime specialist who obtains unauthorised access to corporate networks and sells that access to other criminals, especially ransomware affiliates. It belongs to the Defense & Operations category of cybersecurity.
What does Initial Access Broker (IAB) mean?
A cybercrime specialist who obtains unauthorised access to corporate networks and sells that access to other criminals, especially ransomware affiliates.
How does Initial Access Broker (IAB) work?
Initial Access Brokers (IABs) form a distinct layer of the cybercrime economy. They specialise in obtaining footholds in organisations via phishing, infostealer logs, valid VPN or RDP credentials, web-shell deployment, or exploitation of public vulnerabilities (Citrix, Fortinet, Pulse Secure, Ivanti, Microsoft Exchange). Access is then listed on Russian-speaking forums such as Exploit and XSS, on Telegram channels, or sold privately. Listings include the victim's industry, revenue, country, and access type, with prices from a few hundred to tens of thousands of dollars. Their main buyers are ransomware affiliates, business-email-compromise crews, and crypto-theft groups. IABs dramatically accelerate intrusions and explain why patching and credential hygiene are so important.
How do you defend against Initial Access Broker (IAB)?
Defences against Initial Access Brokers combine technical controls and operational practices; as the definition above notes, prompt patching of internet-facing systems (the VPN, remote-access and mail products IABs exploit) and credential hygiene matter most, since IABs trade in footholds gained through phishing, infostealer logs and valid VPN or RDP credentials.
What are other names for Initial Access Broker (IAB)?
Common alternative names include: IAB, Access broker.
● Related terms
- Ransomware Gang (defense-ops № 901): A financially motivated cybercriminal group that develops, operates, or distributes ransomware to extort organisations through file encryption and data leak threats.
- Cybercrime-as-a-Service (CaaS) (defense-ops № 268): An underground service model in which specialised criminal vendors sell tooling, infrastructure, or expertise so customers can run cyber attacks without building capabilities themselves.
- Phishing (attacks № 821): A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- Info Stealer (malware № 531): Malware that harvests credentials, cookies, tokens, crypto wallets, and other sensitive data from an infected device and exfiltrates it to the attacker.
- Credential Stuffing (attacks № 232): An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
- Ransomware-as-a-Service (RaaS) (malware № 902): A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.
● See also
- № 624 LockBit
- № 215 Conti Ransomware
- № 099 BlackCat / ALPHV
- № 535 Initial Access
- № 098 Black Hat Hacker
- № 271 Dark Web
- № 664 Medusa Ransomware