
What is an Access Broker (AB)?

An access broker is a cybercriminal who specializes in breaking into computer systems and selling that access to other attackers.

These specialists focus on the initial compromise—using phishing, stolen credentials, or software vulnerabilities to breach a network and establish a foothold. Once inside, they document what they've gained access to and put it up for sale.

The business model is straightforward. Access brokers advertise their compromised systems on dark web forums, listing details like the target organization's industry, revenue size, the level of access obtained (user account versus domain admin, for instance), and the price. Buyers might be ransomware operators looking for their next victim, data thieves hunting for valuable information, or corporate espionage actors seeking intellectual property.

This specialization makes cyberattacks more dangerous by creating an assembly line for crime. A skilled penetration specialist can focus on breaking in while someone else handles the ransomware deployment or data exfiltration. It also lowers the barrier to entry—groups without sophisticated hacking capabilities can simply purchase ready-made access to high-value targets. The result is more attacks, executed more quickly, against a wider range of victims than would be possible if every criminal group had to handle every phase of an attack themselves.

Origin

The access broker role emerged as cybercrime became more organized and specialized in the mid-2010s. While criminals had always traded stolen data and malware tools, the specific practice of selling network access as a commodity grew alongside the ransomware boom around 2015-2016.

Early ransomware operators handled their entire attack chain—from initial compromise to encryption and ransom collection. As ransomware proved highly profitable, the criminal ecosystem evolved toward specialization. Some groups excelled at social engineering or finding vulnerabilities, while others were better at deploying ransomware or negotiating with victims. The marketplace naturally divided along these lines.

Forums like Exploit and XSS became hubs where access brokers advertised their wares, initially with simple text listings and eventually with standardized formats describing their products. By 2019-2020, security researchers were tracking access brokers as a distinct threat actor category, noting that a single broker might maintain access to dozens of compromised networks simultaneously.

The COVID-19 pandemic accelerated this trend. As organizations rushed to enable remote work, security gaps widened, and access brokers found more opportunities. Ransomware-as-a-Service (RaaS) platforms formalized the relationship, with some even maintaining preferred vendor lists of trusted access brokers.

Why It Matters

Access brokers fundamentally changed the threat landscape by turning network compromise into a commodity. An organization might have strong defenses against ransomware deployment or data exfiltration, but if an access broker has already sold credentials to their network for a few thousand dollars, those defenses become irrelevant.

The economics are troubling. Access to a small business network might sell for $500-$2,000, while enterprise access with elevated privileges can fetch $100,000 or more. These prices are affordable for criminal groups when weighed against potential ransoms in the millions. The marketplace is efficient enough that compromised access often sells within days of being listed.

Detection is challenging because access brokers typically maintain a low profile after initial compromise. They're not deploying ransomware or exfiltrating massive datasets—they're just keeping the door open. This patience can mean that by the time an organization detects malicious activity, their network access has already changed hands multiple times.

The proliferation of access brokers means that any security weakness—an unpatched VPN, a phished employee, a misconfigured cloud service—can become an entry point not just for one attacker, but for anyone willing to pay. It transforms temporary vulnerabilities into persistent risks.

The Plurilock Advantage

Plurilock's approach addresses access broker threats through multiple layers. Our penetration testing services identify the exact vulnerabilities that access brokers exploit, from exposed credentials to unpatched systems. We also provide threat hunting and incident response capabilities that detect the subtle persistence mechanisms brokers use to maintain access.

Rather than waiting for an attack to escalate, our teams find and eliminate compromised access before it reaches the marketplace.

With former NSA leadership and intelligence professionals on our team, we understand how these criminal ecosystems operate and where organizations are most exposed.
