Initial Access Broker Market 2024 In Review
Initial access brokers (IABs) have operated a specialised and lucrative market throughout 2024. Cyjax has analysed this market in separate whitepapers and monitored initial access sale listings on prominent English- and Russian-language cybercriminal forums in Q1, Q2, Q3, and Q4 2024. This whitepaper analyses the 2024 IAB market as a whole.
The IAB market in 2024 was worth a minimum of $6.3 million, assuming every observed listing sold at its minimum advertised price. Similarly, the revenues stated in IAB listings totalled slightly over $3 trillion. This highlights the vast number of organisations that were targeted over the year, as well as the potential value of the IAB market from public listings.
These statistics do not encapsulate IAB activity conducted in private, or through otherwise non-observable means, and there are portions of the IAB market that are impossible to monitor. However, analysed data supports the theory that IABs react to supply and demand, competitively pricing their listings.
The following statistics generalise the main victimology of the overall IAB ecosystem, as well as the prevalence of the most prolific threat actors in the market:
- The top 10 targeted countries were the US (34.12% of all listings in 2024), Brazil (4.65%), United Kingdom (4.13%), Canada (3.38%), France (3.34%), Spain (2.85%), India (2.78%), China (2.59%), Germany (2.55%), and Italy (2.48%).
- The top 10 targeted sectors were professional services (11% of all listings in 2024), manufacturing (8.22%), construction (6.64%), IT (6.42%), education (5.33%), retail (5.29%), financial (5.22%), healthcare (3.60%), government (3.08%), and telecommunications (2.63%).
- The top 10 advertised access types were RDP (24% of all listings in 2024), VPN (23%), RDWeb (10%), Citrix (3%), Forti (3%), Webshell (2%), SSH (1%), AnyDesk (1%), Bot (1%), and Shell (1%).
- The top 10 most active IABs were SGL (7% of all 2024 listings), miyako (5%), Кот Ученый (4%), Pennywise77777 (4%), PirateJack (3%), Croatoan (3%), sandocan (2%), yayo (2%), SASAKI2303 (2%), and ProfessorKliq (2%).
Cyjax has identified potential links between several IAB listings and subsequent extortion attacks by known ransomware and data leak groups such as Play, Lynx, Hellcat, Hunters International, and BlackBasta. These threat groups have listed victim organisations on data-leak sites (DLSs) which directly matched victim organisation names noted in IAB listings, or corresponded to the target information provided such as country, sector, and revenue. Case studies of these incidents are explored in this whitepaper.