
Cybercrime

Inside the Dark Web’s Access Economy: How Hackers Sell the Keys to Enterprise Networks

Rapid7’s analysis of dark web forums reveals a thriving market where elite hackers sell corporate network access to buyers, turning cybercrime into a streamlined business. This post first appeared on SecurityWeek.


Access to enterprise networks is for sale on the dark web. The sellers are initial access brokers (IABs), and they sell initial access vectors (IAVs) in underground marketplaces.

The IABs are often among the most accomplished hackers. The buyers could be less competent hackers who would struggle with that initial access, or competent hackers who want to save time and get straight down to business. That’s the key point: cybercrime is a business.

Researchers at Rapid7 analyzed the access broker business in three major forums (XSS, BreachForums, and Exploit) between July 1, 2024, and December 31, 2024. It is worth noting that XSS is currently offline, a result of the ongoing battle between law enforcement and criminal business.

Separately, the hacker known as IntelBroker has been arrested, and his extradition sought. As an access broker, he primarily sold his IAVs on BreachForums, which he briefly owned from August 2024 to January 2025. He was arrested in France in February 2025, and US DoJ charges were unsealed on June 25, 2025.

Rapid7’s primary purpose for analyzing forum activity was to better understand “the shifting tactics and priorities within the cybercriminal underground.” At the same time, the history of the forums demonstrates the effectiveness of law enforcement disruptions.

The analysis has three primary takeaways: the number of options available in the access package on offer, the most popular access vectors on sale, and the pricing and range of prices.

Nearly three-quarters of IAV sales offered a choice of different initial access vectors (IAVs), while 10% offered a combined bundle of the different IAVs. The most prevalent IAVs on offer were VPNs at 23.5% and Domain User at 19.9% (both of which are typified by absent or inadequate MFA), and RDP at 16.7%.

It is almost, but not entirely, impossible to determine which company an advert relates to. It would be good if it were possible. “Make no mistake,” say the researchers, “a business in this predicament is essentially being compromised twice over, by broker and buyer, and at no point has their security solution been able to detect either form of illicit access. All of this, before stopping to consider what, exactly, the broker has stolen for themselves on their way out the door – assuming they ever left.”

It is somewhat easier to recognize victims in small countries. “It’s going to depend largely on how unique the company is,” explains Antony Parks (threat intelligence at Rapid7, and one of the report’s researchers). “So, if it’s the kind of company that is, say, a materials company based in Madagascar with a revenue of $5 billion, that’s the kind of company that’s probably pretty unique.”

It’s still tricky, since there is no guarantee the broker’s description is accurate. Just as a ransom amount is pitched at the maximum the criminal believes a victim is willing or able to pay, so an IAV is brokered on the revenue of the victim – it would make sense for the broker to exaggerate his claims. Reach, however, does not seem to be a factor in pricing. Access to victims with an attractive supply chain, including MSPs, doesn’t seem to command a higher price.

“If I had to take a swing at why we don’t see increased price for these,” comments Parks, “it’s likely because both broker and buyers are looking for intrusion into the ultimate target. Access into a third party, while potentially lucrative, still requires additional work to gain access to the ultimate target.”

With no easy way to identify and forewarn the victims appearing on the broker forums, greater responsibility falls on law enforcement to disrupt the entire IAB ecosphere. Notably, XSS was taken down shortly after the period of Rapid7’s research and, at the time of writing, has not returned. BreachForums has a history of disruptions and comebacks (the latest of which occurred in May 2025).

“We’re already seeing some actors bringing back elements of XSS, but according to reports, there is suspicion around those new emergences of XSS. We see similar suspicion around new manifestations of BreachForums,” says Parks. “As law enforcement agencies take down and control these dark web forums, it really creates doubt that the forums will be places where they are safe to conduct their illicit businesses. So, even as these big names in the dark web spaces come back online, I think that it’s likely that we’re going to see confidence in the stability and security of these different dark web forums decrease.”
