Cyber Pulse Academy

Initial Access • TA0001

T1650, Acquire Access

How adversaries purchase existing footholds on target networks through Initial Access Brokers, dark web marketplaces, and cybercrime partnerships, bypassing the hardest part of an attack entirely.

MITRE ATT&CK • Enterprise • T1650

  • $500–$50K: access price range
  • 47%: share of global ransomware attacks hitting North America
  • 859K: FBI IC3 complaints (2024)
  • $16B: FBI IC3 losses (2024)

Dark Web Marketplace Simulation

[Animated marketplace mock-up; the recoverable content is summarised below.]

Simulated storefront: "DARKNET ACCESS MARKET, IAB Listings, Verified Escrow" (2,847 active listings, 412 trusted vendors, 89 sales today, $4,200 average price, 1,293 users online).

Example listings:
  • VPN, ShadowVendor (★★★★★), MidWest Manufacturing Corp: Fortinet VPN credentials with domain admin access, 200+ endpoints, unpatched CVE-2024-21762 exploited, access valid for 30+ days. Tags: Domain Admin, 200 Endpoints, Manufacturing, No EDR.
  • RDP, NetGhost (★★★★☆), Pinnacle Financial Services: RDP access to domain controller, financial sector, 47,000 employees, backup server access included, MFA bypassed. Tags: Domain Controller, Finance, 47K Employees, Backup Access.
  • WEBSHELL, DarkPipe (★★★☆☆), MetroHealth Hospital Group: PHP web shell on public-facing patient portal, healthcare sector, database read access, low detection risk. Tags: Web Shell, Healthcare, DB Access, Stealth.

Purchase lifecycle (Attacker → Broker): Browse Listings → Select Target → Pay Crypto → Get Credentials → Deploy Payload. The animation ends with 156 of 200 endpoints compromised and "Ransomware deployment in progress...".

Delivered credentials, as shown in the mock terminal:
  $ Target: vpn.midwestmfg.com:4443
  $ Pass: **********
  $ Group: Domain Admins
  $ Status: CONNECTED

Defender alerts shown alongside:
  CRITICAL: Unusual VPN login from Eastern Europe detected
  WARNING: Domain admin account used off-hours
  INFO: Mass file encryption event on 156 endpoints

Why It Matters

IABs Fuel the Ransomware Supply Chain

Initial Access Brokers are a key component of the cybercrime ecosystem, offering hassle-free building blocks for ransomware operators who lack the skills or patience to compromise networks themselves. They have shifted from niche forum actors to central wholesalers in the ransomware supply chain.

42% increase in credential listings (Fortinet 2025)

Access Prices from $500 to $50,000

IABs sell enterprise network access across a dramatic price spectrum. Low-level web shell access can cost as little as $500, while privileged access to Fortune 500 financial institutions commands $50,000 or more. Pricing depends on sector, privilege level, and detection status.

Premium pricing for high-value targets

FBI IC3: 859,000 Complaints, $16B in Losses

The FBI's Internet Crime Complaint Center received over 859,000 complaints in 2024, with total losses exceeding $16 billion. North America alone accounts for approximately 47% of all ransomware attacks globally, making acquired access a persistent and growing threat.

47% of ransomware targets North America

ENISA 2025: Vulnerability Exploitation at 21.3%

According to ENISA's Threat Landscape 2025 report, vulnerability exploitation remains the cornerstone of initial access at 21.3%, with widespread campaigns weaponizing newly disclosed vulnerabilities within days of public disclosure. These exploits often become the access that IABs later sell.

21.3% of initial access via vuln exploitation

Karakurt Data Extortion: Acquired Access

CISA issued an advisory in 2022 detailing how the Karakurt Data Extortion Group acquired network access through brokers to conduct data theft and extortion campaigns. This group purchased VPN and RDP credentials from IABs to bypass initial access challenges entirely.

CISA Advisory AA22-283A

ALP-001: Active IAB Data Leak Site Uncovered

In March 2026, researchers uncovered "ALP-001," a Tor-based data leak site directly linked to an active Initial Access Broker. This discovery highlights that IABs are not only selling access but also actively leaking stolen data to demonstrate access quality to potential buyers.

Rapid7: IABs shifted to high-value targets

Key Terms & Concepts

What is T1650, Acquire Access?

T1650 is a MITRE ATT&CK technique under the Initial Access tactic (TA0001). It describes how adversaries purchase or otherwise acquire existing access to a target system or network through online services and Initial Access Broker (IAB) networks, rather than developing their own initial access capabilities. This includes purchasing access to planted backdoors, web shells, valid accounts, or access through remote services.

Everyday Analogy
"Imagine someone buying the keys to your house from a locksmith who duplicated them without your knowledge. They didn't pick the lock themselves, they just bought the existing key from someone who already got in. In cybersecurity, this is exactly what Initial Access Brokers do: they compromise a network, keep the 'keys' (credentials, backdoors, web shells), and sell them to the highest bidder. The buyer walks right through the front door while you never knew the lock was compromised."
Initial Access Broker (IAB)
A threat actor who specializes in compromising target networks and then selling that access to other cybercriminals. IABs operate on dark web forums, Telegram channels, and dedicated Tor marketplaces, acting as wholesalers in the cybercrime supply chain.
Ransomware-as-a-Service (RaaS)
A business model where ransomware operators lease their malware and infrastructure to affiliates. These affiliates often purchase initial access from IABs, creating a seamless pipeline: IAB → affiliate → ransomware deployment → profit sharing.
Dark Web Marketplaces
Hidden online platforms (accessible via Tor) where cybercriminals buy and sell stolen data, compromised credentials, exploits, and network access. These marketplaces typically include escrow services, vendor rating systems, and dispute resolution, functioning like e-commerce stores for illegal goods.
Supply Chain Compromise
When adversaries target an organization with the intent of using their trusted relationships to compromise downstream victims. Purchasing access to IT contractors, software developers, or telecommunications providers can enable supply chain attacks that affect hundreds or thousands of organizations.
Valid Accounts
Legitimate user credentials that have been stolen, purchased, or otherwise obtained by adversaries. Valid accounts are highly valued in IAB listings because they are harder to detect than exploit-based access: the system sees a normal user logging in from a new location.
Backdoor Access
Hidden methods for bypassing normal authentication or encryption in a system. IABs sell access to backdoors planted through previous compromises, including web shells, remote access trojans (RATs), and implanted credentials that provide persistent, undetected entry.

Real-World Scenario

Marcus Webb isn't your typical hacker. He doesn't write exploits, conduct phishing campaigns, or scan for vulnerabilities. Marcus is a ransomware operator, and his job starts only after someone else has already done the hard work of getting inside a network.

On a Tuesday evening, Marcus connects to a Tor-based marketplace through his encrypted VPN. He logs in with his established username and scrolls through the latest listings from verified Initial Access Brokers. He's looking for a specific type of target: a mid-sized manufacturing company in the American Midwest, preferably one with limited security monitoring.

After 20 minutes of browsing, he finds it: a listing from a trusted vendor called "ShadowVendor" for MidWest Manufacturing Corp. The listing describes VPN credentials with domain admin privileges, access to 200+ endpoints, and critically, no Endpoint Detection and Response (EDR) solution deployed. The price? $4,000 in Monero (XMR).

Marcus initiates the purchase through the marketplace's escrow system. Within 45 minutes, the cryptocurrency transaction is confirmed, and he receives the credentials via encrypted message. The original access was obtained months ago by a separate threat actor who exploited an unpatched Fortinet VPN vulnerability (CVE-2024-21762) and maintained persistent access, waiting for the right buyer.

That night, Marcus deploys ransomware across 200 endpoints. By morning, MidWest Manufacturing's entire production floor is locked down. The company negotiates for three days before paying a $2.5 million ransom. The total cost to Marcus? $4,000 plus a few hours of work. The ROI is staggering: a 62,400% return on investment.

Before the Breach

  • MidWest Manufacturing operates normally with 200+ endpoints
  • Unpatched VPN vulnerability exists for months undetected
  • No EDR solution monitoring endpoint activity
  • IT team unaware that credentials were being sold on dark web
  • Standard backup procedures in place but untested for ransomware

After the Breach

  • 200 endpoints encrypted, production floor completely halted
  • $2.5 million ransom paid to decrypt systems
  • Estimated $8M+ total cost including downtime, recovery, and legal fees
  • Regulatory investigation and potential compliance penalties
  • Reputation damage and loss of customer trust

Step-by-Step: How Acquired Access is Used

Understanding the attacker's process is essential for building effective defenses. Below is the typical lifecycle of how adversaries leverage purchased access, and how defenders can interrupt each stage.

1. Identify Target Organization & Access Requirements

Adversaries define their target based on sector, size, revenue, and security posture. They determine the level of access needed (VPN, RDP, domain admin, web shell) based on their intended secondary objectives.

  • Research target organization's technology stack and security investments [DETECT]
  • Determine minimum privilege level needed for secondary objectives [PREVENT]
  • Evaluate target's detection capabilities (EDR, SIEM, SOC coverage) [DETECT]

2. Locate Initial Access Broker Markets & Forums

Adversaries connect to dark web marketplaces, Telegram channels, and underground forums where IABs advertise compromised network access. They evaluate vendor reputation and marketplace trust scores.

  • Monitor known IAB marketplaces and forums for organizational mentions [DETECT]
  • Use dark web monitoring services to identify credential sales early [RESPOND]
  • Track threat actor communications about target organization [DETECT]

3. Evaluate Available Access Listings

Adversaries review listings based on privilege level (standard user vs. domain admin), detection status (EDR present or absent), sector, number of endpoints, and included access (VPN, RDP, email, backups).

  • Assess the validity and freshness of listed credentials through testing [DETECT]
  • Verify whether MFA is enabled on listed access points [PREVENT]
  • Cross-reference listing details with known vulnerabilities [RESPOND]

4. Negotiate & Complete Transaction

The purchase is completed using cryptocurrency (Bitcoin, Monero) through marketplace escrow systems. The transaction is designed to be untraceable, with the adversary receiving credentials via encrypted messaging.

  • Implement blockchain analysis to trace cryptocurrency flows [DETECT]
  • Monitor for unusual account activity during transaction windows [DETECT]
  • Require MFA on all remote access systems without exception [PREVENT]

5. Validate Acquired Access

After receiving credentials, the adversary tests connectivity, verifies privilege levels, and maps the network environment. They confirm the access is still active and undetected before proceeding to secondary operations.

  • Detect anomalous login patterns from new geolocations [DETECT]
  • Alert on privilege escalation and reconnaissance commands [DETECT]
  • Implement conditional access policies based on device and location [PREVENT]

6. Establish Persistence & Escalate Privileges

The adversary ensures they maintain access even if the purchased credentials are rotated. They create backdoor accounts, deploy remote access tools, and escalate privileges to domain admin or equivalent levels.

  • Monitor for creation of unauthorized accounts or scheduled tasks [DETECT]
  • Alert on installation of remote administration tools [RESPOND]
  • Implement privileged access management (PAM) with session recording [PREVENT]

7. Execute Secondary Objectives

With validated access and established persistence, the adversary executes their primary mission: deploying ransomware, exfiltrating sensitive data for extortion, conducting lateral movement to additional systems, or enabling supply chain compromise of partner organizations.

  • Detect mass file encryption or unusual data transfer volumes [DETECT]
  • Deploy network segmentation to limit lateral movement [PREVENT]
  • Execute incident response plan and containment procedures [RESPOND]

Common Mistakes & Best Practices

Common Mistakes

Reusing compromised credentials across systems. When the same credentials appear in multiple locations, a single purchase on a dark web marketplace can unlock dozens of systems simultaneously.
Not monitoring for leaked credentials proactively. Many organizations discover their credentials are for sale only after a breach has already occurred. Without dark web monitoring, you're flying blind.
Ignoring MFA implementation gaps. Leaving VPNs, RDP, and legacy systems without MFA creates the exact access points that IABs advertise and sell. Even one unprotected entry point is enough.
Failing to audit third-party and service account access. Third-party contractors and service accounts often have elevated privileges but receive less scrutiny, making them prime IAB targets for sale.
Not checking if your credentials are already for sale. Organizations rarely search dark web marketplaces for their own credentials, missing the opportunity to detect and respond before an adversary purchases access.

Best Practices

Implement MFA everywhere. Deploy multi-factor authentication on all remote access points, including VPNs, RDP, web applications, email, and especially privileged accounts. MFA renders most purchased credentials useless.
Monitor dark web for credential leaks continuously. Use dark web monitoring services (e.g., Have I Been Pwned, SpyCloud, Recorded Future) to detect when your organization's credentials appear for sale on IAB marketplaces.
Regularly audit and rotate service accounts. Service accounts with static credentials are prime IAB inventory. Implement credential rotation policies, use managed identities where possible, and audit access quarterly.
Implement zero-trust architecture. Never trust, always verify. Ensure every access request is authenticated, authorized, and encrypted regardless of network location. This minimizes the value of any single purchased credential.
Use credential monitoring and breach detection services. Subscribe to services that alert you when employee or customer credentials appear in data breaches or on dark web forums, enabling rapid response before access is monetized.

Red Team vs Blue Team View

Red Team Perspective

How attackers leverage IAB networks to minimize effort and maximize ROI

  • Efficiency over skill: Why spend weeks developing a custom exploit when you can buy domain admin access for $4,000? IABs let ransomware operators focus on deployment and negotiation instead of reconnaissance.
  • Specialization: The cybercrime ecosystem has evolved into specialized roles. IABs are the "entry specialists" who compromise networks, while ransomware affiliates are the "monetization specialists" who deploy payloads and extort victims.
  • Risk reduction: Purchased access reduces the attacker's operational security risk. The IAB already handled the initial compromise, meaning the ransomware operator's exposure begins only after the purchase, shortening their attack timeline.
  • Target selection by ROI: Adversaries evaluate listings like a catalog, choosing targets based on sector (healthcare, finance, manufacturing), size, revenue, and security posture to maximize ransom potential.
  • Supply chain leverage: Purchasing access to IT service providers, MSPs, or software vendors allows a single purchase to potentially compromise dozens or hundreds of downstream organizations simultaneously.

Blue Team Perspective

How defenders detect purchased access and prevent credential monetization

  • Behavioral analytics: Detect purchased credentials by monitoring for anomalous login patterns, new geolocations, unusual times, first-time access to sensitive systems, or access from known VPN exit nodes.
  • Dark web intelligence: Proactively monitor dark web marketplaces, Telegram channels, and paste sites for organizational credentials. Early detection means you can rotate credentials before an adversary completes a purchase.
  • Credential hygiene: Enforce unique passwords across all systems, implement phishing-resistant MFA (FIDO2/WebAuthn), and eliminate shared or static service account credentials that become IAB inventory.
  • Privileged access management (PAM): Implement just-in-time access provisioning, session recording, and automatic credential rotation for privileged accounts. Even if credentials are purchased, their window of usefulness is minimized.
  • Third-party risk monitoring: Continuously assess the security posture of vendors, contractors, and supply chain partners. Monitor for indicators that their access to your environment could be brokered on IAB markets.

Threat Hunter's Eye

Detecting IAB-acquired access requires hunting for behavioral anomalies that distinguish a purchased credential session from legitimate user activity. Below are key indicators and hunting hypotheses.

Impossible Travel / Geolocation Anomaly (High Severity)

A user account logs in from a geographic location that is implausible given the previous login. For example, a login from Eastern Europe within 2 hours of a login from the US Midwest strongly suggests credential use by a different party.

Off-Hours Privileged Access (High Severity)

Domain admin or service accounts being used outside of normal business hours, weekends, or holidays. IAB purchasers often operate during off-hours to reduce detection likelihood. Monitor for privileged sessions initiated between 10 PM and 6 AM.

New VPN/RDP Session from Unregistered Device (High Severity)

A user account establishing a VPN or RDP connection from a device that has never been seen before in the organization. IAB purchasers typically use their own infrastructure to connect, which will not match known device fingerprints.

Dormant Account Sudden Activation (Medium Severity)

An account that has been inactive for weeks or months suddenly connects and begins accessing sensitive systems. This is a strong indicator that the account's credentials have been sold on an IAB marketplace and the new owner is testing access.

Access to Sensitive Systems by Non-Typical Users (Medium Severity)

User accounts accessing systems, shares, or databases they have never touched before. For example, a marketing account suddenly accessing domain controllers or backup servers. This reconnaissance behavior follows credential acquisition.

Dark Web Credential Monitoring (Proactive Hunting)

Proactively search dark web marketplaces, paste sites, and Telegram channels for your organization's domain, email patterns, and known usernames. Tools like SpyCloud, Have I Been Pwned, and Recorded Future can automate this detection.

Sample Hunting Queries

The queries below are written in Splunk SPL. Field names (src_user, role, country, user, client_ip, src_ip) are illustrative and must be mapped to your own data model. Note that date_hour is evaluated in the indexer's time zone, so adjust the off-hours window if that differs from your business hours.

// Detect privileged accounts that logged in from more than one country in the search window
index=auth src_user=* role="Domain Admin"
| stats dc(country) AS countries, values(country) AS country_list BY src_user
| where countries > 1

// Detect VPN logins from a source IP never seen for that user in the last 30 days (first seen within the past 24 hours)
index=vpn action=login earliest=-30d
| stats min(_time) AS first_seen, count BY user, client_ip
| where first_seen >= relative_time(now(), "-24h")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M")

// Detect dormant accounts that suddenly become active (30+ days between consecutive logins, latest login within the past 24 hours)
index=auth action=login earliest=-180d
| sort 0 user, _time
| streamstats current=f last(_time) AS prev_login BY user
| where isnotnull(prev_login) AND _time - prev_login > 2592000 AND _time >= relative_time(now(), "-24h")
| eval dormant_days=round((_time - prev_login) / 86400)
| table _time, user, src_ip, dormant_days

// Detect off-hours privileged access (10 PM - 6 AM); parentheses make the intended grouping explicit
index=auth role="Domain Admin" (date_hour >= 22 OR date_hour < 6)
| stats count BY user, src_ip
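As an added example that is not part of the original page, the following Python script runs three of the hunting hypotheses above (impossible travel, off-hours privileged access, and dormant-account reactivation) over a constructed set of login events, the kind of check a SOC can apply to exported VPN or authentication logs when no SIEM query is available. The Login fields, the geolocation coordinates, the 900 km/h travel threshold and the 30-day dormancy threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Login:
    ts: datetime       # login time, UTC
    user: str
    src_ip: str
    country: str
    lat: float         # approximate geolocation of src_ip (assumed enrichment)
    lon: float
    privileged: bool   # e.g. member of Domain Admins

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Consecutive logins of one user that would require travel faster than max_kmh."""
    hits, last = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        prev = last.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            if hours > 0 and km / hours > max_kmh:
                hits.append((e.user, prev.country, e.country, round(km / hours)))
        last[e.user] = e
    return hits

def off_hours_privileged(events, start=22, end=6):
    """Privileged logins between start and end o'clock; business time assumed to be UTC."""
    return [(e.user, e.ts.isoformat(), e.src_ip)
            for e in events if e.privileged and (e.ts.hour >= start or e.ts.hour < end)]

def dormant_reactivation(events, dormant_days=30):
    """A login after at least dormant_days of silence for that account."""
    hits, last_seen = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        gap = e.ts - last_seen[e.user] if e.user in last_seen else None
        if gap is not None and gap >= timedelta(days=dormant_days):
            hits.append((e.user, gap.days, e.country))
        last_seen[e.user] = e.ts
    return hits

# Constructed sample events, not real telemetry. Chicago ~ (41.88, -87.63), Bucharest ~ (44.43, 26.10).
SAMPLE = [
    Login(datetime(2025, 1, 5, 9, 30), "svc_vpnadmin", "203.0.113.10", "US", 41.88, -87.63, True),
    Login(datetime(2025, 3, 10, 9, 0), "asmith", "203.0.113.11", "US", 41.88, -87.63, False),
    Login(datetime(2025, 3, 10, 14, 5), "jdoe", "203.0.113.12", "US", 41.88, -87.63, False),
    Login(datetime(2025, 3, 10, 15, 40), "jdoe", "198.51.100.7", "RO", 44.43, 26.10, False),
    Login(datetime(2025, 3, 10, 17, 30), "asmith", "203.0.113.11", "US", 41.88, -87.63, False),
    Login(datetime(2025, 3, 11, 3, 12), "svc_vpnadmin", "198.51.100.7", "RO", 44.43, 26.10, True),
]

def run_hunt(events=SAMPLE):
    """Run all three hunts and return their findings keyed by hypothesis."""
    return {
        "impossible_travel": impossible_travel(events),
        "off_hours_privileged": off_hours_privileged(events),
        "dormant_reactivation": dormant_reactivation(events),
    }

if __name__ == "__main__":
    for name, findings in run_hunt().items():
        print(name, findings or "no findings")
```

On the sample data, jdoe's Chicago-to-Bucharest hop inside 95 minutes trips the travel check, while svc_vpnadmin is flagged twice: once for a 3 AM domain-admin login and once for reappearing after two months of silence, which is exactly the "new owner testing access" pattern described above.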

Take Action

Your Credentials May Already Be For Sale

The most dangerous aspect of T1650 is that by the time you detect purchased access being used against your organization, the breach has already begun. Initial Access Brokers have likely been selling your compromised credentials for weeks or months before an adversary decides to buy them and take action. Proactive monitoring is no longer optional; it is essential.

Questions to consider for your organization:

  • When was the last time your organization checked dark web markets for leaked credentials?
  • Do all your remote access systems have MFA enforced without exception?
  • Are service account credentials rotated regularly, or have they been static for months?
  • Could you detect a purchased credential being used within minutes?

Join the Discussion

Have you encountered IAB-acquired access in your environment? What detection strategies worked best for your team? Share your experiences and questions about credential monitoring, dark web intelligence, or zero-trust implementations. The fight against Initial Access Brokers requires collective knowledge and collaboration across the security community.

Key Takeaway: The threat of T1650 is not that adversaries can break in; it is that they can buy in. Every unmonitored credential, every unpatched VPN, and every account without MFA is a product waiting to be listed on a dark web marketplace. Defend your access as fiercely as you would defend your front door.
