The term Initial Access Broker (IAB) refers to threat actors in the cyber threat landscape who gain unauthorized access to systems and then sell that access to third parties for profit. These actors typically compromise valid credentials or system access to corporate networks, Remote Desktop Protocol (RDP) connections, VPNs, cloud management panels, or email servers.
IABs do not directly deploy ransomware or exfiltrate data themselves. Instead, they act as a key link in the cybercrime supply chain by marketing the access they acquire. The access they provide is often used by ransomware groups, Advanced Persistent Threats (APTs), or fraud-oriented actors for second-stage attacks. These attacks may include data exfiltration, ransomware deployment, financial fraud, or corporate espionage.
IAB operations are primarily conducted through dark web forums, Telegram channels, onion-based marketplaces, and closed groups. The pricing of access listings varies depending on the size of the target organization, its industry, infrastructure, and other metrics that influence the potential financial gain.
In this context, to better understand the industrial scale of Initial Access Broker (IAB) operations and the commercial structures of threat actors, ThreatMon conducted a comprehensive Open-Source Intelligence (OSINT) investigation covering the period from early 2024 to mid-2025.
We see the full picture of the evolving cyber threat landscape thanks to unique tools for monitoring the infrastructure used by cybercriminals and data from battlefields: