Your company’s network access may already be listed for sale on a dark web marketplace, complete with your revenue, industry, host count, and security posture. The buyers are ransomware affiliates, and the price is often less than a used laptop.
Somewhere on a dark web forum right now, a listing describes a company much like yours. It specifies the number of hosts on the network, the annual revenue, the industry vertical, the type of remote access available, and even the security products installed. The seller is not the person who will eventually encrypt your files or contact your executives with a ransom demand; they are an intermediary who broke in, conducted reconnaissance, and decided the opportunity was worth more as a product than as a personal exploit. The listing price sits somewhere between $500 and $3,000, and the buyer will almost certainly be a ransomware affiliate who prefers to purchase access rather than earn it.
This is the business of the initial access broker (IAB), and it has become one of the most consequential developments in the ransomware economy. According to Chainalysis’s 2026 Crypto Crime Report, IABs received at least $14 million in on-chain cryptocurrency payments in 2025. That figure represents just 1.7% of the $820 million collected by ransomware actors over the same period, a ratio that suggests extraordinary returns for the ransomware operators who purchase access rather than develop it themselves.
The economics of outsourced intrusion
The ransomware supply chain has industrialized, and initial access brokers sit at the beginning of the production line. Rather than spending weeks or months identifying vulnerable targets, conducting reconnaissance, and establishing footholds, ransomware affiliates can browse listings on forums like XSS, Exploit, and Ramp the way a procurement officer might browse a supplier catalog. Access comes pre-verified, prices are fixed or negotiable, and, according to research from KELA, most listings sell within one to three days of being posted.
What happens after the sale follows a predictable timeline. KELA’s analysis of ransomware incidents traced back to IAB listings found that victims typically appeared on ransomware leak sites between 23 and 36 days after their network access was first advertised. That interval represents the time required for a buyer to complete the transaction, move laterally through the environment, exfiltrate data, and deploy encryption. For the organizations whose access was sold, the attack felt sudden, but the clock had been running for weeks.
The price of access has fallen dramatically as the market has matured. Data cited in the Chainalysis report shows that the average price for network access dropped from approximately $1,427 in early 2023 to just $439 by the first quarter of 2026, a decline that reflects what happens in any market with oversupply. Automation, AI-assisted tooling, and the proliferation of infostealer malware have flooded dark web marketplaces with credentials and access vectors, depressing prices even as demand from ransomware operators remains strong.
What gets listed
The most common access types involve remote desktop protocol and VPN connections. RDP access accounts for roughly half of all listings, while VPN access has doubled year over year as organizations increasingly rely on remote access infrastructure. The remainder includes web shells, compromised credentials for cloud services, and vulnerabilities that enable remote code execution.
The listings themselves read like product specifications. Sellers describe the victim’s estimated annual revenue, the number of endpoints accessible from the initial foothold, the level of privileges obtained, and often the specific security products running on the network. That last detail matters: Kaspersky’s 2025 threat statistics note that a substantial portion of compromised endpoints have only basic protection, signaling an easier path to deployment than environments protected by enterprise endpoint detection. A listing that notes “only Windows Defender” effectively advertises a lower barrier to exploitation.
The United States remains the most targeted geography, accounting for nearly a third of listings, with France and Brazil emerging as increasingly popular targets. The concentration of activity in specific regions suggests that brokers are focusing their efforts on markets where the combination of target density, financial capacity, and enforcement gaps creates favorable conditions.
The supply chain behind the breach
Initial access brokers occupy a specific niche in the ransomware-as-a-service ecosystem. Europol’s Internet Organised Crime Threat Assessment describes IABs, alongside crypter developers and dropper-as-a-service operators, as “key enablers” for high-tier cybercriminals, reducing the barrier to entry for ransomware affiliates who may lack the technical sophistication to breach networks independently but have the capital to purchase access and the operational capacity to execute extortion.
The relationship between IABs and ransomware groups ranges from transactional to embedded. Some brokers sell to whoever pays, advertising openly on forums where their reputation can attract buyers, while others work directly for ransomware operations or their affiliates, providing exclusive access that never appears in public listings. Kaspersky’s analysis notes that valid accounts represented 31.4% of initial attack vectors in 2024, with many of those credentials stolen by malware and subsequently sold through IAB channels.
The convergence of access brokerage and ransomware is visible in the data. Chainalysis found that spikes in IAB payment activity typically precede increases in ransomware payments and victim leak site posts by approximately 30 days. Access gets purchased, and a month later names start appearing on extortion blogs. That lag represents a potential detection window for organizations monitoring dark web activity, though few have the visibility to exploit it.
When brokers get caught
Law enforcement has increasingly targeted IABs as a pressure point in the ransomware supply chain. In January 2026, KELA documented the case of “r1z,” an initial access broker later identified as Jordanian national Feras Albashiti. Over years of activity on the XSS forum, r1z sold access to at least 50 companies, along with hacking tools and malware capable of disabling endpoint detection products. An undercover FBI agent purchased compromised network access and malware directly from the actor, enabling investigators to link the online persona to a real identity and build a criminal case. Albashiti was extradited to the United States and pleaded guilty.
The r1z case illustrates both the professionalization of the IAB market and its vulnerabilities. Brokers who maintain long track records on forums leave digital trails that can eventually be correlated across platforms, and operational security failures, whether reusing contact information or exhibiting distinctive writing patterns, create attribution opportunities that patient investigators can exploit. But for every broker who gets caught, the economics of the market ensure that others will take their place.
What this means for brand protection
The existence of initial access brokers creates a form of exposure that traditional security monitoring often misses. An organization may have no indication that its network has been compromised until ransomware deploys, but the access enabling that attack may have been advertised for sale weeks earlier. The listing itself constitutes a form of brand impersonation in reverse: rather than criminals pretending to be your company, they are selling your company as a product.
For organizations whose brands carry significant value, the implications extend beyond the immediate security incident. A company whose network access appears on an IAB listing has already suffered a reputational exposure, even if the listing never leads to a ransomware attack. The information disclosed in typical listings, including revenue, employee count, security posture, and access type, represents exactly the kind of intelligence that competitors, journalists, or regulators might find concerning.
Dark web monitoring services can detect when an organization’s access appears for sale, but the window for response is narrow. The one-to-three-day sales cycle that KELA documented means that by the time a listing is discovered, the access may already have changed hands. The more effective intervention is upstream: monitoring for credential exposure from infostealer malware, detecting unauthorized access before it can be packaged for sale, and hardening the remote access infrastructure that IABs most commonly exploit.
The Bottom Line
The 30-day gap between IAB activity and ransomware deployment is a structural feature of the market that defenders can exploit — but only with the visibility to detect listings before a buyer acts on them. The brokers have industrialized the first step of ransomware attacks. The question is whether defenders can industrialize their response.



