{
	"id": "836e15e3-2862-49ae-bfd6-ba2f5ed8ff2a",
	"created_at": "2026-04-06T01:31:10.13382Z",
	"updated_at": "2026-04-10T03:20:29.973334Z",
	"deleted_at": null,
	"sha1_hash": "143b4e08e5cdbe702c6fb667378b0b0c4f8bde7c",
	"title": "Access Brokers: Their Targets and Their Worth | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1604050,
	"plain_text": "Access Brokers: Their Targets and Their Worth | CrowdStrike\r\nBy CrowdStrike Intelligence Team\r\nArchived: 2026-04-06 01:27:21 UTC\r\nAccess brokers have become a key component of the eCrime threat landscape, selling access to threat actors and\r\nfacilitating myriad criminal activities. Many have established relationships with big game hunting (BGH)\r\nransomware operators and affiliates of prolific ransomware-as-a-Service (RaaS) programs. The CrowdStrike\r\nIntelligence team analyzed the multitude of access brokers’ advertisements posted since 2019 and identified trends\r\nin targeting preferences, as well as insights into the perceived value of different victims.\r\nTop Targets\r\nhttps://www.crowdstrike.com/blog/access-brokers-targets-and-worth/\r\nPage 1 of 7\n\nhttps://www.crowdstrike.com/blog/access-brokers-targets-and-worth/\r\nPage 2 of 7\n\nAccess brokers have advertised organizations from more than 30 different sectors, demonstrating an eclectic range\r\nof targets. Among these, the academic, government and technology sectors were the most frequently advertised,\r\naccounting for a combined 49% of the total advertisements.\r\nThe academic sector has historically been a popular focus of ransomware operations, with intrusions timed to\r\ncoincide with the start of a new school term to cause the greatest disruption and in turn encourage a quick ransom\r\npayment. Almost 40% of the academic sector advertisements were for access to U.S.-based institutions, with a\r\nspike in activity noted in August 2021 that coincides with the start of the new semester.\r\nGeographically, advertisements for access to U.S.-based entities far surpass those for all other countries, claiming\r\n55% of the total. Organizations based in Brazil and the UK secure second and third spots with 8% and 7%,\r\nrespectively.\r\nThis geographic targeting trend corresponds with other eCrime activity, including data theft campaigns that\r\nfrequently result in stolen credentials being traded online in criminal underground marketplaces. Access brokers\r\nare known to purchase such credentials and abuse them to acquire access.\r\nControversial Targets\r\nhttps://www.crowdstrike.com/blog/access-brokers-targets-and-worth/\r\nPage 3 of 7\n\nThe healthcare sector has been a divisive target among eCrime actors during the past two years because of the\r\nCOVID-19 pandemic. Some adversaries actively avoided operations against frontline services in particular.\r\nAccess brokers showed varying interest in targeting the sector — it sits in joint fourth place alongside financial\r\nservices for the total number of identified advertisements, but the timing of the advertisements fluctuated.\r\nOnly one advertisement was posted for a healthcare entity in Q1 2020 — coinciding with the emergence of the\r\npandemic — yet several were posted in Q3 2020 and Q1 2021. The increase corresponded with news of successful\r\nvaccination programs, potentially prompting increased interest among eCrime adversaries. Law enforcement\r\nscrutiny of cybercrime targeting critical infrastructure, which includes healthcare, also likely impacted supply and\r\ndemand for access to this sector.\r\nThe energy sector was another controversial target in 2021. The fallout from the Darkside ransomware incident\r\nagainst Colonial Pipeline in May 2021 had a knock-on effect on access brokers, as criminal forum moderators\r\nimposed restrictions on ransomware-related discussions. Since ransomware operators account for a high\r\nproportion of access brokers’ customer base, the ban likely impacted sales for some brokers. Many switched to\r\nprivate communication channels, selling only to trusted buyers and hindering efforts to track who was selling to\r\nwhom.\r\nDespite the Colonial Pipeline incident prompting these changes, demand for access to the energy sector never\r\ntruly waned, though the asking price for access briefly dipped.\r\nWhat Is Access Worth?\r\nSeveral factors determine the worth of access, and asking prices vary significantly among sectors, countries and\r\naccess brokers. Access with elevated privileges typically attracts a higher asking price, as does access to large\r\ncorporations with higher annual revenues or advertisements by more-established access brokers. Some brokers\r\nauction the access, offering a “buy-it-now” price or attempting to encourage a bidding war.\r\nThe sectors attracting the highest average asking price for access were government, financial services, and\r\nindustrial and engineering organizations. The most advertised sector does not necessarily attract the highest asking\r\nprice; for example, access to the academic sector was, on average, priced at $3,827 USD. In comparison, the\r\ngovernment sector — which was the second most advertised — attracted an average asking price of $6,151 USD.\r\nhttps://www.crowdstrike.com/blog/access-brokers-targets-and-worth/\r\nPage 4 of 7\n\nOrganizations based in the U.S., the UK, and Canada on average attracted higher asking prices than other\r\ncountries, reflecting the demand in targeting these locations. It is worth noting that the advertised price is not\r\nnecessarily what’s paid, and the majority of access brokers appear open to negotiation.\r\nhttps://www.crowdstrike.com/blog/access-brokers-targets-and-worth/\r\nPage 5 of 7\n\nFluctuations in asking prices are also common and often reactive to the market. CrowdStrike reported an increase\r\nin asking price among access brokers in April 2021, with some corporate entities attracting five-figure sums,\r\nindicating that threat actors likely receive a significant return on their investment. When the same access is being\r\nadvertised by two different access brokers, variations in the asking price are also observed.\r\nConclusion\r\nThe advertisements provide an interesting snapshot of an increasingly lucrative component of the eCrime\r\necosystem, where reputation and timing both play important roles. There is almost certainly an opportunistic\r\nelement to access broker operations, such as the availability of exploitable vulnerabilities or the validity of stolen\r\ncredentials that facilitate intrusions.\r\nThe fallout from the Colonial Pipeline incident and its impact on access brokers’ sales appears to have been short\r\nlived, as in Q4 2021 and Q1 2022 CrowdStrike Intelligence has witnessed a resurgence in advertisements and the\r\nemergence of new brokers. Purchasing access saves time and resources for many eCrime adversaries, and the\r\ndemand for these is almost certain to remain high throughout 2022.\r\nCrowdStrike Falcon® Intelligence Recon, CrowdStrike’s digital risk protection solution, goes beyond the dark\r\nweb to include forums with restricted access on the deep web, breach data and messaging apps — all resources\r\ncommonly used by access brokers to trade or advertise. CrowdStrike Falcon® Intelligence Recon provides\r\ncustomers with an increased level of situational awareness and helps uncover potential malicious activity before\r\neCrime adversaries have the chance to exploit it.\r\nhttps://www.crowdstrike.com/blog/access-brokers-targets-and-worth/\r\nPage 6 of 7\n\nThe CrowdStrike eCrime Index (ECX) also remains a valuable tool used to identify significant events that affect\r\nthe eCrime ecosystem, including fluctuations in the value of accesses. Monitor the ECX regularly in the\r\nCrowdStrike Adversary Universe to make sure you stay up to date on these trends.\r\nAdditional Resources\r\nLearn more about CrowdStrike Falcon® Intelligence Recon by visiting the product webpage and\r\ndownloading the data sheet.\r\nFind out how to stop adversaries targeting your industry — schedule a free 1:1 intel briefing with a\r\nCrowdStrike threat intelligence expert today.\r\nLearn how to monitor access brokers to help prevent breaches by downloading this white paper.\r\nLearn about the powerful, cloud-native CrowdStrike Falcon®® platform by visiting the product webpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ to see for yourself how true next-gen AV\r\nperforms against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/access-brokers-targets-and-worth/\r\nhttps://www.crowdstrike.com/blog/access-brokers-targets-and-worth/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/access-brokers-targets-and-worth/"
	],
	"report_names": [
		"access-brokers-targets-and-worth"
	],
	"threat_actors": [],
	"ts_created_at": 1775439070,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/143b4e08e5cdbe702c6fb667378b0b0c4f8bde7c.pdf",
		"text": "https://archive.orkl.eu/143b4e08e5cdbe702c6fb667378b0b0c4f8bde7c.txt",
		"img": "https://archive.orkl.eu/143b4e08e5cdbe702c6fb667378b0b0c4f8bde7c.jpg"
	}
}