Hackers Capitalize on Inexpensive Initial Access Broker Marketplace for Illegal Activities

In a chilling revelation, a recent study by Rapid7 has shed light on the thriving market of initial access broker services on the dark web. The report, which covered a six-month period from July 1 to December 31, 2024, paints a startling picture of the ease with which threat actors can acquire these services.

The study analyzed three cybercrime forums: Exploit, XSS, and BreachForums. Among these, BreachForums stood out as a popular platform, with its relaunch in July 2025 after an offline period around April 15, 2025. The forums have been subject to multiple law enforcement actions, including takedowns and arrests of individuals alleged to be involved in running the site.

The most common initial access vector on offer across these packages was compromised accounts, accounting for a significant 23.5% of sales. VPN accounts, which can help attackers evade detection due to their valid credentials and ability to blend in with expected VPN traffic, appeared in 23.5% of sales. Remote desktop protocol was the third most common initial access vector, accounting for 16.7% of sales. Domain user accounts were the second most common, accounting for 19.9%, while domain admin accounts were less common, accounting for 5.5% of sales. Interestingly, the remaining 17.5% of brokers only offered a single form of access with no privilege included.

The average base price of a sale across the forums analyzed was just over $2700. Over a third (39%) of these sales were priced between $500 and $1000. Around three-quarters (71.4%) of brokers offered multiple options with each sale.

The study also highlighted some notable individuals in the dark web market. Kai West, a British national, was charged with offenses related to his alleged involvement in operating BreachForums in June 2025. West was the most prolific poster to BreachForums in the six-month period analyzed, with his account making up 19.05% of all sales over the period. The person who took over the role of chief administrator in July 2025 during the relaunch of BreachForums and was the most active seller under the pseudonym IntelBroker from July 1, 2024, to December 31, 2024, is known as IntelBroker.

The ease of access and affordability of these services have made them a worrying trend in the cybercrime landscape. Initial access broker services are not only inexpensive but also easy to obtain for threat actors of any skill level. As the dark web market continues to evolve, it is crucial for organizations to stay vigilant and strengthen their cybersecurity measures to protect against these threats.

Hackers Capitalize on Inexpensive Initial Access Broker Marketplace for Illegal Activities