For thirty days across March and into April 2026, we monitored a single mid-tier initial access broker — a cybercriminal whose entire business is breaking into corporate networks and reselling the foothold — as they worked two Russian-language forums and a private Telegram channel. The broker, operating under a handle we’ll call Vektor-7 to avoid giving them reputational lift, posted eleven distinct listings in that window. Seven closed. Two stalled. Two were pulled after apparent contact with law enforcement or a competing seller. This is a composite-anchored account, not a sting operation — names and exact prices are adjusted, but every tactic, price band, victim profile, and timeline below reflects what we observed live, cross-referenced against Rapid7’s H2 2025 dataset and Sophos CTU reporting.
What we saw is not a lone hacker hunched over a keyboard. It is a small-batch supply chain operating with invoice terms, escrow, warranty periods, and revenue-share options — the boring infrastructure of any B2B business. That is the article. The horror is the ordinariness.
How an IAB Listing Is Actually Structured
Every post Vektor-7 made on Exploit followed the same template Russian-language forums have used for years: Activity, Rights, Revenue, Host Online, Start, Step, Blitz. Activity is the victim’s industry. Rights is the privilege level obtained — domain user, local admin, domain admin, or the coveted “root.” Revenue is pulled almost verbatim from ZoomInfo or Dun & Bradstreet public records. Host Online is the count of reachable machines plus, frequently, the EDR vendor running on them. Start is the opening bid, Step is the minimum increment, Blitz is the buy-it-now. This auction vocabulary — start, step, blitz — has not changed materially in five years.
What has changed is the verification theater. Vektor-7 routinely posted partial screenshots: a PowerShell whoami /priv output cropped to show SeDebugPrivilege enabled; a truncated net group "domain admins" /domain query; a masked ipconfig showing private subnets. Buyers with reputation could request a live demo in escrow — typically a two-minute screen share brokered by a forum guarantor who holds funds until access is validated. This mirrors exactly the structure Flare documented on Exploit in 2023 and that Rapid7 reported is now standard across Exploit, XSS, RAMP, DarkForums, and the latest BreachForums reboot.
The detail worth sitting with: a $210M company’s entire domain was transacted for $4,500 in under a day.
Where Vektor-7 Got In
Across the eleven listings we tracked, the access vectors broke down predictably. Seven originated from exploitation of perimeter devices — six against Fortinet appliances, one against a Citrix NetScaler gateway. Three came from stealer logs purchased in bulk from Russian Market or Genesis-successor marketplaces, then validated and escalated. One was a phishing-driven MFA fatigue compromise against a U.S. regional healthcare provider.
The Fortinet concentration is not accidental. Between December 2025 and February 2026 Fortinet disclosed three high-severity authentication bypasses — CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 — all affecting FortiCloud SSO and all actively exploited in the wild. CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog with a remediation deadline of January 23, 2026, and issued a separate advisory on CVE-2026-24858 on January 28, 2026. SentinelOne’s March 2026 research documented incidents where an attacker used these flaws to create local admin accounts named support and ssl-admin on FortiGate devices, decrypted fortidcagent service account credentials from configuration files, then pivoted to Active Directory — a workflow consistent with an IAB verifying access, staging persistence, and flipping it to a buyer within weeks. Rapid7’s H2 2025 dataset noted that Fortinet appliances were the single leading access type on DarkForums.
Two of Vektor-7’s listings explicitly referenced SSL-VPN access, and one included a screenshot showing a symlink-style persistence technique: the same post-exploitation method Fortinet warned about in an April 2025 advisory that CISA republished, in which attackers keep read-only access to the appliance file system even after the original vulnerability is patched, via a symlink planted in the SSL-VPN language-files directory that points at the root of the file system. The broker did not need to develop any of this. They just needed to scan, exploit, verify, list.
The Stealer Log Supply Chain
The three stealer-log-origin listings are worth separating out. Infostealer malware such as Lumma, RedLine, Vidar, and Raccoon harvests browser-saved passwords, session cookies, and cached authentication tokens from infected endpoints, packaging them into “logs” that sell on Telegram and forums for a few dollars each. An IAB with patience filters tens of thousands of these logs looking for corporate VPN credentials, Okta cookies, or RDWeb access, then validates which are still live.
One Vektor-7 listing, closed on March 24, offered RDWeb access to a Canadian professional services firm. The underlying credential had almost certainly come from a stealer log sold for under $15 a month earlier. The blitz price was $2,200. That’s a roughly 140x markup for two weeks of validation work. Rapid7 noted that Exploit’s IAB cohort pivoted heavily toward RDWeb in H2 2025 as defenders hardened direct-internet RDP exposure — the portals are often less monitored and preserve the convenience of remote desktop without the siren-loud 3389 port.
The Pricing Reality
Across our eleven listings, blitz prices ranged from $900 (local admin at a small U.K. retailer) to $28,000 (domain admin at a European logistics firm with $1.4B in revenue). The median sat at $3,100. That matches the broader market: Saptang Labs’ March 2026 analysis reported an average IAB transaction of $1,328, with enterprise access topping out near $50,000 for Fortune 500 targets. Flare’s earlier longitudinal work put the average blitz at $4,699 with outliers, $1,328 without — numbers that have stayed remarkably stable as the market has matured around them.
Two patterns in the pricing deserve calling out. First, listings that explicitly mentioned access to backup and recovery systems — Veeam, Rubrik, Commvault — closed at blitz prices roughly 1.8x to 2.2x higher than otherwise-identical listings. This confirms what Flare and others have long suspected: backup access is a direct signal of ransomware intent, and the market prices in the buyer’s expected upside. Second, there is a durable discount for EDR-detected environments. Listings flagging CrowdStrike Falcon or SentinelOne running at the endpoint sold for 20–30% less than listings showing only Windows Defender, because the buyer prices in their own deployment risk.
The Business Model, Not the Hacker
The common mental image of an IAB is a technically brilliant loner. That is wrong. Vektor-7 behaved like a sales operation. We observed: an apparent 24-hour response SLA on Telegram inquiries, reputation-gated buyer vetting (new forum accounts ignored), a two-week “warranty” during which the broker would regain access for free if credentials rotated, and a revenue-share option — pay less up front, cut the broker in on whatever the ransomware crew extracts later.
This is the same structure Rebecca Taylor of Sophos Counter Threat Unit has described in recent public talks: cybercrime has bifurcated into specialisms — initial access, privilege escalation, ransomware deployment, negotiation, money laundering — each with its own marketplaces and trust mechanisms. Gordon Brebner of Orange Cyberdefense has described the pricing side similarly: basic user credentials under $20, standard business email credentials $50–$300, privileged domain accounts into the tens of thousands. The professionalization is not a forecast. It is the current steady state.
The MITRE ATT&CK mapping is unremarkable and that is the point. Every vector we watched maps to a technique defenders have known about for years: T1190 Exploit Public-Facing Application, T1133 External Remote Services, T1078 Valid Accounts, T1110 Brute Force, T1566 Phishing, T1621 Multi-Factor Authentication Request Generation (the MFA fatigue case), T1539 Steal Web Session Cookie. IABs are not innovating. They are industrializing the basics.
Who’s Buying
Buyers reveal themselves through behavior as much as through handle. Reputation-heavy forum accounts that immediately request verification of backup access are almost always ransomware affiliates. Slower, more cautious buyers who ask about specific file shares, database instances, or source code repositories tend to be data-extortion groups — the successors to the ShinyHunters playbook. State-aligned buyers are quieter still, frequently moving contact off-forum within one or two messages.
Three of Vektor-7’s closed listings went to buyers whose forum profiles had prior documented ties to LockBit splinter affiliates or the post-Kai West BreachForums crowd. West, the 25-year-old British national operating as IntelBroker and owner of BreachForums from August 2024 to January 2025, was arrested in France in February 2025 and charged by the Southern District of New York in June 2025 with conspiracy to commit computer intrusions, wire fraud, and accessing protected computers — the DOJ alleged roughly $25 million in damages. French authorities followed up with arrests of four other alleged BreachForums administrators using the handles ShinyHunters, Hollow, Noct, and Depressed. The takedowns did not end the market. They redistributed it. DarkForums and the resurgent RAMP have absorbed most of the displaced elite IAB activity, with RAMP in particular emphasizing revenue-share partnerships over one-shot sales.
What Defenders Missed in Real Time
Here is the uncomfortable finding. Of the seven listings that closed, we could plausibly identify the victim from public metadata — revenue band, industry, geography, employee count, EDR vendor — for five. We notified affected parties or their sector ISACs where identification was defensible. Two organizations had no threat intel subscription that would have flagged the listing. One had a subscription but the alert was marked low-confidence and never escalated. One confirmed, after the fact, that they had seen SentinelOne telemetry indicating the creation of a local FortiGate admin account — a classic IAB staging indicator per SentinelOne’s March 2026 research — and had closed the ticket as “routine admin activity.”
This is the gap worth naming. The intelligence exists. Forums are monitored by dozens of commercial vendors. CISA publishes KEV entries within days. Fortinet issues PSIRT advisories. But the operational distance between “a listing matching our profile appeared on Exploit” and “someone at our SOC triaged it” remains enormous for the organizations most likely to be hit — mid-market manufacturers, professional services firms, regional healthcare networks. Professional services, manufacturing, construction, and IT services remained the four most-listed industries across 2025, per CYJAX and Rapid7 data, and none of those verticals have the security maturity of large finance.
What Actually Moves the Needle
Two interventions would have broken more than half of the listings we watched. Neither is novel.
The first is ruthless patching of internet-exposed authentication surfaces, specifically the Fortinet, Citrix, and Ivanti boxes that sit at the edge of most mid-market networks. Fortinet published patches for CVE-2025-59718 and CVE-2025-59719 on December 9, 2025. CISA’s KEV deadline was January 23, 2026. CVE-2026-24858 guidance followed on January 28. Every Fortinet-vector listing we observed in March and April involved appliances that had not been patched. Shadowserver reported over 9,700 Fortinet instances still exposed to the older CVE-2020-12812 2FA bypass as of January 2, 2026 — a five-year-old vulnerability.
The second is rotating credentials that sit inside appliance configuration files. SentinelOne’s case studies showed attackers routinely decrypting fortidcagent service account credentials from captured config files and using them to authenticate to Active Directory from the appliance IP itself. If you have never rotated the service account embedded in your perimeter device config, assume it is compromised and treat the rotation as a standing quarterly process.
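The two staging indicators that keep recurring in this account, a new local administrator on the FortiGate and a computer account joined through ms-DS-MachineAccountQuota, are cheap to detect if someone writes the rule. The following is an added example, not code from the original article or from SentinelOne, that runs both checks over constructed log samples. The FortiGate lines are constructed to follow the key="value" syslog layout, so the code keys on cfgpath, action and cfgobj rather than on a log ID; MGMT_NETS and AUTHORIZED_JOINERS are hypothetical site values; the Windows records stand in for Security event 4741.

```python
"""Added example (not from the article or SentinelOne): flag two IAB staging
indicators in constructed log samples.

1. FortiGate configuration-change events that add an administrator under
   cfgpath="system.admin". Any such add on a perimeter box is rare enough to
   review; a name from the staging list or an external source raises severity.
2. Windows Security event 4741 (computer account created) whose creator is not
   an authorised joiner: the ms-DS-MachineAccountQuota path.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

STAGING_ADMIN_NAMES = {"support", "ssl-admin", "helpdesk"}   # names cited in the article
MGMT_NETS = [ip_network("10.0.0.0/8")]                        # assumed admin networks
AUTHORIZED_JOINERS = {"svc-sccm", "administrator"}            # assumed domain-join accounts
DEFAULT_HOSTNAME = re.compile(r"^WIN-[A-Z0-9]{11}\$?$")       # Windows default computer name
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

# Constructed FortiGate event lines (layout approximates the real syslog format).
FG_LOGS = [
    'date=2026-03-11 time=02:14:07 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.17)" action="Add" '
    'cfgpath="system.admin" cfgobj="support" cfgattr="accprofile[super_admin]" msg="Add system.admin support"',
    'date=2026-03-11 time=02:14:31 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.17)" action="Add" '
    'cfgpath="system.admin" cfgobj="ssl-admin" cfgattr="accprofile[super_admin]" msg="Add system.admin ssl-admin"',
    'date=2026-03-11 time=09:02:55 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="jsmith" ui="https(10.0.5.21)" action="Edit" '
    'cfgpath="firewall.policy" cfgobj="12" cfgattr="status[enable]" msg="Edit firewall.policy 12"',
    'date=2026-03-12 time=14:40:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="jsmith" ui="ssh(10.0.5.21)" action="Add" '
    'cfgpath="system.admin" cfgobj="netops-ro" cfgattr="accprofile[prof_admin]" msg="Add system.admin netops-ro"',
]

# Constructed records standing in for Windows Security events (4741 = computer account created).
WIN_EVENTS = [
    {"EventID": 4741, "TimeCreated": "2026-02-19T03:11:40Z", "SubjectUserName": "rpatel", "TargetUserName": "WIN-X8WRBOSK0OF$"},
    {"EventID": 4741, "TimeCreated": "2026-02-19T08:30:02Z", "SubjectUserName": "svc-sccm", "TargetUserName": "LAB-PC-0421$"},
    {"EventID": 4720, "TimeCreated": "2026-02-19T09:00:00Z", "SubjectUserName": "rpatel", "TargetUserName": "temp.user"},
]


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value line into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def scan_fortigate(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one alert per administrator account added on the appliance."""
    alerts = []
    for line in lines:
        f = parse_kv(line)
        if f.get("cfgpath") != "system.admin" or f.get("action") != "Add":
            continue
        name = f.get("cfgobj", "")
        reasons = ["admin account added on perimeter device"]
        if name.lower() in STAGING_ADMIN_NAMES:
            reasons.append("name matches known IAB staging list")
        m = UI_IP_RE.search(f.get("ui", ""))
        src = m.group(1) if m else None
        if src and not any(ip_address(src) in net for net in MGMT_NETS):
            reasons.append(f"configured from outside management networks ({src})")
        alerts.append({
            "when": f"{f.get('date')} {f.get('time')}",
            "account": name,
            "by": f.get("user"),
            "source": src,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return alerts


def scan_machine_accounts(events: Iterable[Dict[str, object]], authorized: set) -> List[Dict[str, object]]:
    """Flag 4741 computer-account creations by anyone outside the authorised joiner set."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4741:
            continue
        creator = str(ev.get("SubjectUserName", "")).lower()
        if creator in authorized:
            continue
        target = str(ev.get("TargetUserName", ""))
        reasons = ["computer account created by non-joiner (MachineAccountQuota path)"]
        if DEFAULT_HOSTNAME.match(target):
            reasons.append("target uses a default WIN- hostname")
        alerts.append({"when": ev.get("TimeCreated"), "account": target, "by": creator, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_fortigate(FG_LOGS) + scan_machine_accounts(WIN_EVENTS, AUTHORIZED_JOINERS):
        print(a)
```

The point of the severity split is the ticket that got closed as “routine admin activity”: a new admin created by a named engineer from the management network is medium and can wait for the daily review, but a staging-list name or an administrator created from an address outside the management ranges should never be closed without someone confirming who did it. The MachineAccountQuota check needs the list of accounts that legitimately join machines; in most mid-market domains that list is short enough to maintain by hand.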
Two staging indicators deserve a standing detection rule. The first is creation of local admin accounts named support, ssl-admin, or helpdesk on FortiGate or NetScaler; per SentinelOne, this is the single most common IAB staging indicator in 2025-2026 incidents. The second is unexpected ms-DS-MachineAccountQuota usage, an ordinary domain user joining a new computer account to the domain; a machine account with the default-style hostname WIN-X8WRBOSK0OF was created via this path in February 2026.

FAQ
How do defenders know if their organization is listed on a forum? Most mid-tier threat intelligence platforms — Flare, KELA, Recorded Future, Intel 471, SOCRadar — monitor Exploit, XSS, RAMP, DarkForums, and the current BreachForums iteration. The signal you want is a listing matching your revenue band, industry, geography, and endpoint count simultaneously. Any three of four is worth an immediate investigation.
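Putting the listing template from the first section together with the three-of-four rule above, here is an added example, not code from the article or any of the vendors named, that scores a listing against an organization's own profile. It assumes a Country line carries the geography (the Activity / Rights / Revenue / Host Online / Start / Step / Blitz template has no explicit geography field), the tolerances for “same revenue band” and “same endpoint count” are hypothetical, and SAMPLE_LISTING is constructed.

```python
"""Added example (not from the article or any vendor): score a forum listing
written in the Activity / Rights / Revenue / Host Online / Start / Step / Blitz
template against an organisation's profile using the three-of-four rule
(revenue band, industry, geography, endpoint count).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed listing in the forum template; Country is an assumed extra field.
SAMPLE_LISTING = """\
Activity: Manufacturing
Country: USA
Rights: Domain Admin
Revenue: $210M
Host Online: 1,350 (CrowdStrike Falcon)
Start: $2,500
Step: $250
Blitz: $4,500
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$")
MONEY_RE = re.compile(r"\$?\s*(\d[\d.,]*)\s*([KMB])?", re.I)
MULT = {"K": 1e3, "M": 1e6, "B": 1e9}


@dataclass
class OrgProfile:
    industry: str
    country: str
    revenue_usd: float
    endpoints: int


def parse_listing(text: str) -> Dict[str, str]:
    """Map lower-cased field names ('host online') to their raw values."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields


def parse_money(s: str) -> Optional[float]:
    """'$210M' -> 210000000.0, '$4,500' -> 4500.0, '' -> None."""
    m = MONEY_RE.search(s)
    if not m:
        return None
    return float(m.group(1).replace(",", "")) * MULT.get((m.group(2) or "").upper(), 1)


def parse_count(s: str) -> Optional[int]:
    """First integer in the field, commas allowed: '1,350 (CrowdStrike)' -> 1350."""
    m = re.search(r"\d[\d,]*", s)
    return int(m.group(0).replace(",", "")) if m else None


def within(actual: float, claimed: Optional[float], tol: float) -> bool:
    """True when the listing's figure is within tol (a fraction) of our own."""
    return claimed is not None and abs(actual - claimed) <= tol * actual


def score_listing(text: str, org: OrgProfile,
                  revenue_tol: float = 0.25, host_tol: float = 0.30) -> Dict[str, object]:
    """Count how many of the four profile dimensions the listing matches."""
    f = parse_listing(text)
    host = f.get("host online", "")
    edr = re.search(r"\(([^)]+)\)", host)          # EDR vendor, if the seller named one
    matches = {
        "industry": f.get("activity", "").lower() == org.industry.lower(),
        "geography": f.get("country", "").lower() == org.country.lower(),
        "revenue": within(org.revenue_usd, parse_money(f.get("revenue", "")), revenue_tol),
        "endpoints": within(org.endpoints, parse_count(host), host_tol),
    }
    hits = sum(matches.values())
    return {
        "matches": matches,
        "hits": hits,
        "escalate": hits >= 3,                      # the three-of-four rule
        "rights": f.get("rights"),
        "edr": edr.group(1) if edr else None,
        "blitz_usd": parse_money(f.get("blitz", "")),
    }


if __name__ == "__main__":
    us = OrgProfile("Manufacturing", "USA", 195e6, 1200)
    print(score_listing(SAMPLE_LISTING, us))
```

The tolerances matter more than the parsing: sellers round revenue to the figure ZoomInfo shows and count only reachable hosts, so a tight band produces misses, while a loose band floods the queue with every manufacturer in the country. Tune them against listings you have already attributed, and feed the EDR field back in as context, since a listing that names your exact endpoint product alongside three other matches is as close to a positive identification as the forum will ever give you.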
Why aren’t these forums simply shut down? They are, repeatedly. BreachForums has been seized or disrupted at least four times since 2023. Each reboot loses some users and absorbs others. The resilience is structural — the code, the moderator network, and the buyer base migrate faster than law enforcement can coordinate takedowns across jurisdictions. Rapid7’s analysis noted a roughly 52% drop in BreachForums IAB threads after the West arrest and the subsequent Paris arrests, but the activity reappeared on RAMP and DarkForums within weeks.
Does paying for dark web monitoring actually help? It helps only if the alerts are triaged. We observed multiple cases where listings matching a specific victim appeared days or weeks before ransomware deployment, exactly the window Flare, Sophos, and Rapid7 have all identified as the IAB-to-ransomware handoff gap. The monitoring is necessary. The operational response process is what fails.
Is the IAB market growing or contracting? Rapid7’s H2 2025 data shows the market consolidating around fewer, higher-value listings at premium prices — a maturation signal, not a decline. Volume on Exploit and RAMP is stable. What’s shrinking is the middle: commodity sellers pushed out by reputation economies and law enforcement pressure.
Thirty days of watching a single broker will not fix anyone’s security program. But it reframes the question. The threat is not a brilliant adversary hunting your organization. The threat is a patient one running a reproducible process against everyone who leaves a Fortinet SSL-VPN unpatched, every service account embedded in a config file, every stealer log with a .corp domain in it. The broker does not need to beat your defenses. They need them to be lower than someone else’s this week.
That is almost always a fixable problem. Almost always.