Initial Access Broker Listings as a Defender's Reading List
Threat Intelligence
Initial Access Brokers post detailed listings of compromised orgs on Russian forums, with prices that reveal what attackers value. Reading these listings is one of the highest-signal activities a defender can do.
By Arjun Raghavan, Security & Systems Lead, BIPI · February 5, 2024 · 7 min read
An IAB listing on Exploit or XSS reads like a real estate ad written by someone who has actually toured the property. "US-based logistics, $400M revenue, Citrix VDI access, domain user, ~12K endpoints, EDR is SentinelOne but the agent is unhealthy on roughly 8 percent of hosts. Starting price $4,500." Every line of that listing tells you exactly what the broker thinks is interesting and what they think is broken.
We pull listings weekly for clients in financial services, healthcare, and manufacturing. Not to buy them, but to understand what attackers see when they look at the kind of org we defend. The listings are remarkably consistent in format, and the pricing is rational enough that you can reverse-engineer the threat model from market data.
Pricing tiers and what they reveal
- $300 to $1,500: domain user via VPN or RDP into a small business, basic AV, low revenue. The fast-food tier of compromise.
- $1,500 to $5,000: domain user into mid-market, EDR present but unmanaged or misconfigured, revenue $50M to $500M.
- $5,000 to $15,000: privileged access (local admin, helpdesk, sometimes Tier 2), Fortune 1000 or regulated industries, mature EDR present but bypassed.
- $15,000 to $50,000+: domain admin or hypervisor access, large enterprise, often with proof-of-life screenshots showing AD structure or ESXi inventory.
The premium tier matters most. When a broker prices an access at $30K, they are signaling that downstream affiliates will pay because the org is large enough to extract a $5M to $20M ransom. The price is essentially a forward indicator of which sectors and revenue bands are about to get hit.
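To make the listing format and the tiers above concrete, here is an added example (our own illustration for this post, not tooling we ship) that parses teasers written in the format quoted at the top into structured records, buckets each by asking price, and flags listings whose price does not match what the claimed privilege, revenue and EDR state would normally command. The four teasers are constructed for the example, the field regexes and the "expected tier" rules are assumptions derived from the tier list above, and the closing count is the sector-by-access index shape a weekly summary needs.

```python
"""Turn IAB listing teasers into structured records and check each asking
price against the tier its claimed attributes would normally command.
Added example: the sample teasers are constructed, not real forum posts."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed teasers in the format the article describes (not real listings).
SAMPLE_LISTINGS = [
    "US-based logistics, $400M revenue, Citrix VDI access, domain user, "
    "~12K endpoints, EDR is SentinelOne but the agent is unhealthy on roughly "
    "8 percent of hosts. Starting price $4,500.",
    "UK healthcare, $1.2B revenue, VPN access, domain admin, ~30K endpoints, "
    "EDR CrowdStrike. Starting price $35,000.",
    "CA manufacturing, $20M revenue, RDP access, domain user, ~300 endpoints, "
    "AV only. Starting price $800.",
    # Constructed to be inconsistent: local admin in a $900M org at a tier-1 price.
    "DE finance, $900M revenue, RDWeb access, local admin, ~9K endpoints, "
    "EDR Defender. Starting price $1,200.",
]

MULT = {"K": 1e3, "M": 1e6, "B": 1e9}


@dataclass
class Listing:
    sector: str
    revenue_usd: float
    access_vector: str
    privilege: str
    endpoints: Optional[int]
    edr: str                            # vendor name, or "none" if only AV is mentioned
    edr_unhealthy_pct: Optional[float]  # broker-stated agent-health gap, if any
    price_usd: float


def parse_listing(text: str) -> Listing:
    """Extract the fields a broker habitually states. The regexes are
    assumptions about teaser wording, tuned to the format shown above."""
    sector = text.split(",")[0].split()[-1].lower()   # "US-based logistics" -> "logistics"
    rev = re.search(r"\$([\d.]+)([KMB])\s+revenue", text)
    vec = re.search(r"(Citrix VDI|Citrix|RDWeb|RDP|VPN)\s+access", text)
    priv = re.search(r"(domain admin|hypervisor|local admin|helpdesk|domain user)", text, re.I)
    eps = re.search(r"~?([\d.]+)(K?)\s+endpoints", text)
    edr = re.search(r"EDR(?: is)?\s+([A-Za-z0-9]+)", text)
    health = re.search(r"unhealthy on roughly (\d+) percent", text)
    price = re.search(r"price\s+\$([\d,]+)", text, re.I)
    return Listing(
        sector=sector,
        revenue_usd=float(rev.group(1)) * MULT[rev.group(2)] if rev else 0.0,
        access_vector=vec.group(1) if vec else "unknown",
        privilege=priv.group(1).lower() if priv else "unknown",
        endpoints=int(float(eps.group(1)) * (1000 if eps.group(2) else 1)) if eps else None,
        edr=edr.group(1) if edr else "none",
        edr_unhealthy_pct=float(health.group(1)) if health else None,
        price_usd=float(price.group(1).replace(",", "")) if price else 0.0,
    )


def price_tier(price_usd: float) -> int:
    """Bucket by asking price using the four tiers listed above."""
    if price_usd <= 1_500:
        return 1
    if price_usd <= 5_000:
        return 2
    if price_usd <= 15_000:
        return 3
    return 4


def expected_tier(l: Listing) -> int:
    """Tier the claimed attributes would normally command (assumption,
    derived from the tier descriptions above)."""
    if l.privilege in ("domain admin", "hypervisor"):
        return 4
    if l.privilege in ("local admin", "helpdesk"):
        return 3
    if l.edr == "none" or l.revenue_usd < 50e6:
        return 1
    return 2


def analyze(texts):
    """Parse all teasers; return records, price/attribute mismatches, and a
    (sector, privilege) count in the shape of a weekly summary."""
    records = [parse_listing(t) for t in texts]
    mismatches = [r for r in records if price_tier(r.price_usd) != expected_tier(r)]
    summary = Counter((r.sector, r.privilege) for r in records)
    return records, mismatches, summary


if __name__ == "__main__":
    recs, odd, summary = analyze(SAMPLE_LISTINGS)
    for r in recs:
        print(f"{r.sector:14} {r.privilege:13} {r.edr:12} "
              f"price tier {price_tier(r.price_usd)} / expected {expected_tier(r)}")
    print("price does not match claims:", [r.sector for r in odd])
    print("by sector and access:", dict(summary))
```

A mismatch is not proof of a fake listing, but it is the kind of teaser that gets challenged on the forum, and for a defender it is a reason to read the rest of that thread before the weekly summary goes out.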
What makes an access "premium"
Brokers compete on detail. A premium listing typically includes the EDR vendor (so the buyer knows what to evade), proof of domain count via screenshots of dsa.msc, employee count via internal portals, financials via 10-K or LinkedIn estimates, and crucially, dwell-time evidence (a Mimikatz dump from last week, a directory listing of file shares, a sample of mailboxes). Brokers who fake listings get ratio'd by other forum members and lose access to the marketplaces. The top-tier listings are largely accurate.
The pattern we see most often in premium listings: the access was obtained through an exposed Citrix, RDWeb, or VPN portal with a single-factor or weak-MFA configuration, sometimes via session cookies stolen from infostealer logs. The broker then escalated to domain user via Kerberoasting, or via a cached credential that worked because a service account's password had been reused elsewhere. From there, two weeks of patient enumeration before the listing went up.
Reading the listings as a control gap audit
When we onboard a new client, one of the first artifacts we produce is a hypothetical IAB listing for their environment. What would a broker write about you, today, given what is in your perimeter? It forces a particular kind of honesty. The CISO who tells us "we have MFA everywhere" looks differently at a draft listing that reads "VPN MFA enforced for employees but legacy contractor portal at vendors.example.com still on password+PIN."
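The draft-listing exercise can be mechanised once the exposure inventory exists. The following is an added example written for this post (not BIPI's onboarding tooling): it takes a constructed inventory of a client's external portals, EDR health, infostealer exposure and service accounts, writes the teaser a broker would post in the format shown earlier, and turns each broker-attractive detail into a control-gap finding. The field names, the set of authentication states treated as weak, and the 5 percent agent-health threshold are assumptions; example.com hostnames are placeholders.

```python
"""Draft the listing a broker could write about a client from the client's
own exposure inventory, and turn each broker-attractive detail into a
control gap.  Added example; the inventory is constructed and the field
names are assumptions about what an onboarding questionnaire captures."""
from dataclasses import dataclass
from typing import List

# Authentication states a broker would describe as single-factor or weak MFA
# (assumption; the set is illustrative).
WEAK_AUTH = {"password", "password+pin", "sms"}

# Agent-health gap above which a listing would plausibly mention it (assumption).
EDR_UNHEALTHY_THRESHOLD_PCT = 5.0


@dataclass
class Portal:
    host: str         # externally reachable hostname
    kind: str         # "VPN", "Citrix", "RDWeb", ...
    auth: str         # "password", "password+PIN", "push-mfa", "fido2", ...
    population: str   # who logs in here: "employees", "contractors", ...


@dataclass
class Exposure:
    sector: str
    revenue_usd: float
    endpoints: int
    edr_vendor: str
    edr_unhealthy_pct: float
    portals: List[Portal]
    infostealer_creds_90d: int       # staff credentials/sessions seen in stealer logs (monitoring feed)
    service_accounts_with_spn: int   # service accounts with SPNs (from an AD audit)


def is_weak(portal: Portal) -> bool:
    return portal.auth.lower() in WEAK_AUTH


def draft_listing(x: Exposure) -> str:
    """Write the teaser a broker would post, in the format seen on the forums."""
    parts = [f"{x.sector}, ${x.revenue_usd / 1e6:.0f}M revenue",
             f"~{round(x.endpoints / 1000)}K endpoints"]
    for p in x.portals:
        if is_weak(p):
            parts.append(f"{p.kind} access via {p.host} ({p.population}) still on {p.auth}")
        else:
            parts.append(f"{p.kind} MFA enforced for {p.population}")
    edr = f"EDR is {x.edr_vendor}"
    if x.edr_unhealthy_pct >= EDR_UNHEALTHY_THRESHOLD_PCT:
        edr += f" but the agent is unhealthy on roughly {x.edr_unhealthy_pct:.0f} percent of hosts"
    parts.append(edr)
    return ", ".join(parts) + "."


def control_gaps(x: Exposure) -> List[str]:
    """Each detail that makes the access attractive, phrased as a finding."""
    gaps = [f"{p.kind} portal {p.host} for {p.population} accepts {p.auth}; "
            "move it to phishing-resistant MFA"
            for p in x.portals if is_weak(p)]
    if x.edr_unhealthy_pct >= EDR_UNHEALTHY_THRESHOLD_PCT:
        gaps.append(f"{x.edr_vendor} agent unhealthy on ~{x.edr_unhealthy_pct:.0f}% of hosts; "
                    "alert on agent health, not just on detections")
    if x.infostealer_creds_90d:
        gaps.append(f"{x.infostealer_creds_90d} staff credentials/sessions in infostealer logs "
                    "in 90 days; reset affected credentials and revoke active sessions")
    if x.service_accounts_with_spn:
        gaps.append(f"{x.service_accounts_with_spn} service accounts with SPNs; "
                    "move to long random passwords or gMSA")
    return gaps


# Constructed inventory for a hypothetical client (mirrors the draft quoted above).
SAMPLE_CLIENT = Exposure(
    sector="US-based logistics",
    revenue_usd=400e6,
    endpoints=12_000,
    edr_vendor="SentinelOne",
    edr_unhealthy_pct=8.0,
    portals=[
        Portal("vpn.example.com", "VPN", "push-mfa", "employees"),
        Portal("vendors.example.com", "Citrix", "password+PIN", "contractors"),
    ],
    infostealer_creds_90d=3,
    service_accounts_with_spn=5,
)

if __name__ == "__main__":
    print(draft_listing(SAMPLE_CLIENT))
    for g in control_gaps(SAMPLE_CLIENT):
        print(" -", g)
```

The value of the output is that it is written in the broker's language, so the person reading it sees their environment as a product rather than as a compliance checklist.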
Operational and legal reality
Defenders do not buy from these forums. The legal and ethical risk is not worth the marginal intelligence gain, and most of the intel-grade information is visible in the listing teasers without any purchase. What you need is a vendor or analyst with established forum presence, monitoring the right channels (Exploit, XSS, RAMP, Telegram backchannels for the brokers banned from the larger forums), and producing weekly summaries indexed by sector and access type.
If you are running this in-house, you need at least one analyst with Russian language skills, a hardened VM environment for browsing, and clear legal review of what is allowed in your jurisdiction. For most clients we recommend buying this as a service rather than building it.
The signal in IAB listings is the same signal you need from any threat intel function: not who is attacking, but what they consider valuable about you. The brokers will tell you if you read carefully.