June 24, 2026
I Investigated the Dark Web’s Access Economy. Here’s the Market That Feeds Every Ransomware Attack.
A real OSINT investigation into Initial Access Brokers, the hidden marketplace between your network and the ransomware group that wants it.

By Katriel Moses
Most people think ransomware attacks start with a hacker breaking in. They don't. They start with someone buying their way in.
Initial Access Brokers are the middle layer of the cybercrime economy that nobody talks about enough. They compromise networks, through stolen credentials, exposed RDP servers, VPN vulnerabilities, and then sell that access to ransomware groups who do the rest. It's a supply chain. And it runs openly on dark web forums.
I ran one command to find it:
voidaccess investigate "initial access broker dark web forum network access 2024"

Two minutes and thirty-five seconds. 117 entities. Here's what the investigation found.
The pipeline
VoidAccess ran a 13-step automated pipeline across six parallel source categories: Tor search engines, paste sites, GitHub, GitLab, RSS feeds, and enrichment APIs. 49 Tor links returned. 15 pages scraped and processed. 116 entities extracted, enriched, and mapped into 2,283 graph edges.
This is what the dark web access economy looks like when you map it automatically.
The marketplaces
Two primary forums surfaced from Tor scraping directly.
Best Carding World: a dark web forum with active threads on infostealers, RDP and VPS access sales, credential dumps, and malware-as-a-service offerings. Actors TheVikingsofDW, MeaCulpa001, and frenchcarder77 were observed actively trading access in the scraped content. The forum structure reveals the overlap between carding communities and initial access operations: the same actors buying stolen credit cards are also selling network footholds.
Shadow Breach: a marketplace advertising Email Hacking, Website Hack, and content removal services. The presence of crypto payment infrastructure and service listings suggests this is where enterprise network access gets packaged and sold to buyers who don't want to do their own compromising.
These weren't found through clearnet Google searches. VoidAccess scraped them directly over Tor.
The pricing
Five Bitcoin transaction values were extracted at 1.0 confidence directly from forum content:
- 0.5969 BTC
- 0.2492 BTC
- 0.1440 BTC
- 0.1192 BTC
- 0.0890 BTC
At current rates these range from roughly $9,000 down to $1,400. These are the actual transaction amounts appearing in IAB forum threads: what network access sells for at the retail level of the cybercrime economy. A mid-market enterprise network access listing sits around $1,000–$5,000. Ransomware groups then deploy and demand hundreds of thousands in ransom. The math on the business model is obvious.
The tooling ecosystem
Eleven malware families were extracted from the scraped content. Several are well documented. Several aren't.
SpectralViper and FireAnt are publicly attributed to APT32, the Vietnamese state-sponsored threat group also known as OceanLotus. NarwhalRAT, MiasmaWorm, EvilTokens, RokaRolla, and GentleLock are less documented; their presence in IAB forum content alongside known nation-state tooling suggests these forums aren't just criminal marketplaces. Nation-state adjacent tooling circulates in the same ecosystem.
The investigation also extracted APT32, NorthKoreanStateSponsoredActors, and ChineseStateSponsoredActors as threat actor handles from the scraped pages. This isn't coincidence: the same dark web infrastructure that hosts credential markets also hosts discussions of nation-state TTPs. The line between cybercrime and state-sponsored operations is blurrier than most threat intelligence reports suggest.
62 MITRE ATT&CK techniques
Every technique was extracted at 1.0 confidence via regex from scraped content. The full list covers the complete IAB playbook:
Initial access and reconnaissance: T1593 (Search Open Websites), T1598.003 (Spearphishing via Service), T1566.002 (Spearphishing Link), T1204.001 (Malicious Link).
Credential access: T1003 (OS Credential Dumping), T1003.003 (NTDS), T1003.006 (DCSync), T1557 (Adversary-in-the-Middle).
Persistence and evasion: T1546.003 (Windows Management Instrumentation Event Subscription), T1574.001 (DLL Search Order Hijacking), T1027.007 (Dynamic API Resolution), T1553.002 (Code Signing).
Exfiltration: T1041 (Exfiltration Over C2 Channel), T1048.003 (Exfiltration Over Unencrypted Non-C2 Protocol), T1567.002 (Exfiltration to Cloud Storage).
These techniques appear in IAB forum content because buyers need to know what they're getting. The access listing comes with the TTPs used to get it. That's actionable intelligence for defenders: if you know how the access was obtained, you know where to look for persistence.
A current CVE
CVE-2026-5027 was extracted at 1.0 confidence. This is a current vulnerability appearing in IAB forum discussions, exactly the kind of signal that shows up in dark web content before it makes it into mainstream threat intelligence reporting. No further details were available from the scrape, but its presence in an IAB forum context suggests active exploitation interest.
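To make the extraction and graph-mapping steps above concrete, here is an added Python illustration. It is not VoidAccess code and not part of the original post; it shows the kind of regex-based, 1.0-confidence entity extraction described for the BTC amounts, ATT&CK technique IDs and CVE, and how extracted entities become graph edges (entity-to-page and entity co-occurrence). The two sample pages, their placeholder .onion URLs and their text are constructed for the example. One practical caveat the code handles: web pages and CMSs routinely replace the hyphen in an identifier such as CVE-2026-5027 with an en dash, so identifiers are dash-normalised before matching.

```python
import re
from dataclasses import dataclass, field
from itertools import combinations

# Constructed sample pages standing in for scraped forum threads (not real
# forum content; the .onion hostnames and thread paths are placeholders).
# The first page carries an en dash inside the CVE id, as copied from a web page.
SAMPLE_PAGES = {
    "http://placeholder-forum.onion/thread/1": (
        "Selling RDP access for 0.5969 BTC. Foothold via T1133, creds via "
        "T1003.006 (DCSync). Thread also discusses CVE-2026\u20135027."
    ),
    "http://placeholder-forum.onion/thread/2": (
        "VPN creds, 0.0890 BTC. Persistence with T1546.003; T1003.006 still works."
    ),
}

# Map typographic dashes (hyphen variants, en/em dash, minus sign) to ASCII "-"
DASH_MAP = {ord(c): "-" for c in "\u2010\u2011\u2012\u2013\u2014\u2212"}

# Each pattern is a strict identifier grammar, so a match is a 1.0-confidence entity.
PATTERNS = {
    "attack_technique": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b"),
    "btc_amount": re.compile(r"\b(\d+\.\d{1,8})\s*BTC\b"),
}


@dataclass
class Entity:
    kind: str
    value: str
    confidence: float = 1.0
    sources: set = field(default_factory=set)

    @property
    def node(self) -> str:
        return f"{self.kind}:{self.value}"


def extract_entities(pages: dict) -> dict:
    """Regex-extract entities from every page, deduplicating across pages."""
    entities = {}
    for url, text in pages.items():
        text = text.translate(DASH_MAP)  # normalise dashes before matching
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                # use capture group 1 where the pattern defines one (the BTC number)
                value = match.group(1) if pattern.groups else match.group(0)
                ent = entities.setdefault((kind, value), Entity(kind, value))
                ent.sources.add(url)
    return entities


def build_edges(entities: dict) -> set:
    """Graph edges: entity -> page it was seen on, plus entity <-> entity co-occurrence."""
    edges = set()
    per_page = {}
    for ent in entities.values():
        for url in ent.sources:
            edges.add(("mentioned_in", ent.node, url))
            per_page.setdefault(url, []).append(ent.node)
    for nodes in per_page.values():
        # undirected co-occurrence; sorted() keeps a single orientation per pair
        for a, b in combinations(sorted(nodes), 2):
            edges.add(("co_occurs", a, b))
    return edges


def btc_in_range(entities: dict, low: float = 0.1, high: float = 0.6) -> list:
    """BTC amounts inside a band, e.g. the 0.1-0.6 BTC band typical of access listings."""
    return sorted(
        float(e.value)
        for e in entities.values()
        if e.kind == "btc_amount" and low <= float(e.value) <= high
    )


if __name__ == "__main__":
    ents = extract_entities(SAMPLE_PAGES)
    edges = build_edges(ents)
    for e in ents.values():
        print(f"{e.node:35} conf={e.confidence} sources={len(e.sources)}")
    print(f"{len(ents)} entities, {len(edges)} edges; BTC in band: {btc_in_range(ents)}")
```

Two entities, one technique ID and one CVE, are where a real pipeline diverges from this toy: a technique match only becomes useful once it is mapped to its tactic and description, and a CVE match needs enrichment against an advisory source before it is prioritised. The graph step is what turns a list of matches into intelligence, because the co-occurrence edges are what let a later investigation pivot from a shared page or handle to everything else seen alongside it.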
The Ghost Hackers connection
Ghost Hackers appeared in this investigation with the same onion address that surfaced in the RansomHub investigation. The same RaaS broker advertising ransomware services at $250–$600 is operating in the same ecosystem as the initial access forums. This is the supply chain made visible: access brokers, malware-as-a-service providers, and ransomware operators all circulating in overlapping dark web communities.
That connection didn't require manual pivoting. VoidAccess extracted it automatically because both investigations scraped the same infrastructure.
What this means for defenders
The IAB economy is the chokepoint. Ransomware groups are buyers. Initial access brokers are the supply. Disrupting one supplier doesn't stop the market; there are dozens operating simultaneously. But mapping the infrastructure, the actor handles, the tooling, and the pricing gives defenders something actionable.
Specifically from this investigation:
Monitor for RDP and VPN credential exposure. IAB forums are full of Fortinet and Pulse VPN credential listings: T1133 (External Remote Services) is the most common initial access vector being sold.
Hunt for SearchLeak and similar infostealers. These are the upstream data source feeding the credential markets. Endpoint detection for stealers disrupts the supply chain before access gets sold.
Track the Bitcoin transaction pattern. IAB transactions cluster in the 0.1–0.6 BTC range. Wallet addresses extracted from forum content can be cross-referenced against blockchain analytics for infrastructure attribution.
Flag CVE-2026-5027 for immediate patching priority given its appearance in active IAB forum discussions.
The investigation in numbers
- 3 minutes 17 seconds from query to report
- 117 entities extracted
- 2,283 graph edges mapped
- 62 MITRE ATT&CK techniques
- 11 malware families
- 5 Bitcoin transaction values
- 6 onion URLs
- 1 current CVE
- Cost: $0 on free-tier LLM
Running it yourself
pip install voidaccess
voidaccess configure
voidaccess investigate "initial access broker dark web forum network access 2024"

Requirements: Python 3.11+ and a free LLM API key from Groq or OpenRouter; Tor is handled automatically. The full markdown report and JSON are saved to ~/.voidaccess/results/.
Full source and Docker version: github.com/KatrielMoses/voidaccess
A note on responsible use
Everything in this investigation was scraped from publicly accessible dark web sources. No systems were accessed, no credentials were used, no illegal activity was conducted. This is passive OSINT, the same methodology security teams use daily. VoidAccess includes mandatory content filtering at six layers. The tool is built for defenders.