Understanding initial access markets: A brief history

Aaron Goldstein
February 23, 2024

For cybercriminals, there are so many ways to infiltrate a corporate network. Unfortunately, one of the easiest ways is also one that’s on the rise: using purchased compromised credentials. Initial access markets are often the source for these credentials.

In this blog series, we will be exploring initial access markets and brokers, how they work, their history, the techniques involved, and ultimately, how to defend against them. For part one, we will begin with what initial access markets are and their history.

What are initial access markets?

Initial access markets are illicit online marketplaces where initial access brokers and cybercriminals buy and sell access to compromised computer systems. These markets are often hidden within the dark web or accessed through specialized forums and communities.

In practice, initial access markets serve as a crucial component of the cybercrime ecosystem, enabling obtained attackers to quickly gain entry into systems without needing to perform the initial compromise themselves. This facilitates faster, more impactful cybercrime, and signifies the increasing commoditization of cybercrime techniques.

What do initial access markets provide?

In these markets, cybercriminals can purchase various credentials and other means of access, including:

  • Remote Desktop Protocol (RDP) Access: This involves purchasing access credentials to computers or servers that have RDP enabled, allowing the buyer to remotely control the system.
  • Secure Shell (SSH) Access: Similar to RDP access, SSH access provides remote control over Unix-based systems.
  • Virtual Private Network (VPN) Access: Some attackers compromise VPN credentials, which can give them access to internal networks of organizations.
  • Web Shell Access: Web shells are malicious scripts uploaded to compromised web servers, allowing attackers to execute commands and manage the server remotely.
  • Botnets: In some cases, attackers sell access to devices infected with malware, which can be controlled collectively to launch coordinated attacks, such as DDoS (Distributed Denial of Service) attacks.

How do attackers gain these credentials?

The credentials found on initial access markets are generally obtained during a prior breach or phishing attack. When an adversary can gain full access to a corporate network, they can not only steal company data and financial information but also employee and potentially customer credentials.

These credentials come with a lot of weight. Due to password reuse and other bad security hygiene, one set of credentials could be used to access nearly all a person’s business and personal applications. The potential fallout is enormous, and for the attacker, the opportunities are endless.

The history of initial access markets

The history of initial access markets is intertwined with the evolution of cybercrime and the underground economy. While exact dates for the emergence of such markets may vary, their development can be traced back to the early days of the internet and the rise of cybercriminal activities. Here's a brief overview:

Early underground forums (1990s - 2000s)

In the early days of the internet, underground forums and IRC (Internet Relay Chat) channels served as hubs for hackers and cybercriminals to share information, tools, and illicit services. These forums facilitated discussions about hacking techniques, vulnerabilities, and eventually, the buying and selling of access to compromised systems.

Development of exploit kits (2000s - 2010s)

With the emergence of exploit kits like Blackhole, Angler, and others, cybercriminals gained the ability to automate the exploitation of vulnerabilities in web browsers and plugins. These kits were often rented out or sold on underground forums, providing attackers with a means to compromise systems en masse.

Growth of dark web and specialized markets (2010s - Present)

As law enforcement agencies cracked down on visible underground forums, cybercriminals migrated to the dark web, where they could operate with greater anonymity. Dark web marketplaces like Genesis AlphaBay, Hansa, and others became notorious for hosting a wide range of illegal goods and services, including stolen data, malware, and access to compromised systems.

Over time, specialized markets dedicated to specific aspects of cybercrime emerged. This includes initial access markets, where cybercriminals buy and sell access to compromised systems. These markets often operate similarly to legitimate online marketplaces, with ratings, reviews, and escrow systems to facilitate transactions.

Continuous evolution (Present)

As cybersecurity measures improve and law enforcement agencies intensify their efforts to combat cybercrime, initial access markets and other underground activities continue to evolve. This includes the adoption of encrypted communication channels, cryptocurrency payments, and other tactics to evade detection.

Throughout their history, initial access markets have played a significant role in the cybercrime ecosystem, providing cybercriminals with a convenient means to monetize their activities and enabling sophisticated attacks against individuals, businesses, and organizations.

Read part two of this series to learn about what techniques are used in initial access markets, both before and after sale.

To learn more about initial access markets, register for our webinar deep dive on the topic.

Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.

Additional reading

Why I Joined Todyl: Spotlight on David Dewey
How Todyl addresses the "Pandemic 11"
Understanding AMSI bypass techniques

Todyl updates

Sign-up to get the latest from Todyl sent straight to your inbox.