Mapped and Monetized: ThreatMon’s Data-Driven Look at Initial Access Brokers

As the cyber threat landscape continues to evolve, one segment has rapidly industrialized: Initial Access Brokerage (IAB). These cybercriminals specialize in compromising and reselling unauthorized access to corporate networks, VPNs, RDPs, CMS platforms, and email servers—fueling ransomware, data theft, and espionage across the globe.
Between early 2024 and mid-2025, ThreatMon conducted a comprehensive Open-Source Intelligence (OSINT) investigation into the scale and scope of the IAB market. The findings are alarming.

Key Insights from the Report

  • 6,000+ initial access listings were identified across dark web forums and Telegram.
  • 156 countries were affected, with the United States accounting for over 56% of all access listings.
  • Top sectors targeted:
    • Government Administration (23.96%)
    • E-Commerce (17.57%)
    • Financial Services (14.44%)
    • Education (12.92%)
  • Top marketplaces:
    • breachforums.st
    • exploit.in
    • xss.is
  • Active actors: miyako, ProfessorKliq, diamond, and sentap.

Global and Industrial Reach

Access brokers are no longer lone hackers—they are organized suppliers within a larger cybercrime ecosystem. Listings often include admin-level access, revenue estimates, and infrastructure details, revealing a mature and monetized threat market. Forums and Telegram channels have become hubs where actors coordinate and sell access with precision.
Countries like India, Indonesia, France, and China follow the U.S. in volume, with attackers exploiting legacy systems, weak credential policies, and misconfigured remote access tools.

Attack Vectors and Techniques

Threat actors leverage:

  • RDP/RDWeb exploitation
  • VPN credential abuse
  • Unpatched CMS vulnerabilities
  • Webshells and SSH misconfigurations
  • Infostealers and social engineering

Once initial access is secured, it’s resold to ransomware groups, data extortion gangs, and fraud operators.

Mitigation Strategies

To defend against IAB threats:

  • Enforce strong credential policies and multi-factor authentication
  • Conduct regular attack surface assessments
  • Maintain a strict patch management routine
  • Monitor dark web platforms and Telegram for threat intelligence
  • Implement access segmentation and privilege management
  • Establish a robust incident response framework

The Bottom Line

Initial access has become a commodity in the cybercrime economy. The industrialization of this underground market—powered by organized threat actors and specialized forums—demands proactive, layered defense strategies.

ThreatMon’s report serves as a wake-up call: organizations must take the threat of initial access seriously or risk becoming the next target in this booming black market.
