Definition
Initial Access Brokers (IABs) are specialized cybercriminals who breach corporate networks but do not monetize the intrusion themselves. Instead, they sell the "access" (e.g., valid VPN credentials, RDP sessions, or webshells) to other criminal groups, typically Ransomware operators, on Dark Web forums.
Purpose and Core Idea
IABs represent the specialization of labor in the cybercrime ecosystem. By focusing solely on breaking in, they lower the risk for ransomware gangs, who can simply buy access to a Fortune 500 company for $2,000–$10,000 and immediately deploy their payload.
Mini Case Study: Genesis Market
Until its seizure by the FBI, Genesis Market was the premier automated shop for IABs.
- The Product: They didn't just sell passwords; they sold "Digital Fingerprints" (browser cookies, User-Agents).
- The Impact: An attacker could buy a "bot" for $10, import the cookies into their browser, and log in to a victim's corporate Slack or Gmail without triggering Multi-Factor Authentication (MFA), because the session appeared to come from the victim's own trusted device.
- The Lesson: This forced CTI analysts to track not just credential leaks, but session token theft.
Usage in Real CTI Workflows Analysts monitor IAB listings on forums (e.g., Exploit[.]in, XSS[.]is). A listing titled "Access to US Manufacturing Company, Revenue $5B, Citrix Access" does not name the victim, but CTI teams use the revenue and technology data to determine if their organization is the target.
Relation to Other CTI Frameworks IABs facilitate the "Initial Access" tactic in MITRE ATT&CK and fuel the Ransomware-as-a-Service economy.