The middlemen powering modern cybercrime

by Black Hat Middle East and Africa
on
The middlemen powering modern cybercrime

When most people imagine a cybercriminal, they picture a lone hacker or a tightly knit criminal gang conducting an attack from start to finish. 

But more and more, the cybercrime ecosystem resembles a supply chain. Different actors specialise in different services, selling their expertise to whoever is willing to pay. One group steals credentials; another gains access to corporate networks; someone else develops malware. Others provide phishing infrastructure, malicious hosting services or cryptocurrency-enabled financial channels.

The result is a criminal economy that resembles a legitimate business ecosystem.

According to Europol, cybercrime has evolved into a mature Crime-as-a-Service market, enabling threat actors to acquire tools, infrastructure and expertise rather than develop every capability themselves.

The people selling the keys

One of the most important players in this ecosystem is the Initial Access Broker, or IAB.

These actors specialise in gaining access to organisations and then selling that access to others. Europol describes how compromised credentials and network access are routinely traded through criminal platforms, while ransomware groups increasingly rely on external providers to obtain footholds inside target organisations. 

Think of them as estate agents for cybercrime: 

  • Their product is access.
  • Their customers are ransomware groups, extortion gangs, espionage actors and fraud operators.

Recent research from Rapid7 found that IABs are increasingly targeting larger organisations, with average victim revenues and asking prices rising across underground forums. The report also found that Remote Desktop Protocol (RDP), VPN and RDWeb access remained among the most commonly advertised access types, reflecting continued demand from downstream criminal groups.

For ransomware operators, buying access can be significantly faster and less risky than conducting the initial compromise themselves.

Crime as a service

Access is only one part of the supply chain.

Europol's assessments describe a criminal ecosystem populated by ransomware affiliates, malware-as-a-service providers, IABs, phishing operators, crypter developers, and bulletproof hosting providers.

This model has dramatically lowered barriers to entry.

According to the Canadian Centre for Cyber Security, ransomware-as-a-service and affiliate programmes have reduced the technical expertise required to launch attacks, while IABs have increased operational efficiency by reducing the time and effort needed to compromise victims. 

So attackers no longer need to build everything themselves. They can assemble an operation from a catalogue of services.

The economics of specialisation

The success of this model comes down to economics: specialisation creates efficiency.

A ransomware developer can focus entirely on improving malware. An IAB can focus on identifying vulnerable organisations. Hosting providers can focus on keeping infrastructure online. Each participant becomes more effective because they concentrate on a single task.

Legitimate industries have worked this way for a long time – and cybercrime is following the same path. 

Europol describes ransomware affiliate programmes as the dominant organisational model for modern ransomware operations – with affiliates often working alongside malware-as-a-service providers and IABs to maximise reach and profitability. 

That professionalisation helps explain why ransomware is still resilient in spite of arrests, infrastructure seizures and sanctions targeting major groups. Because removing one actor from the ecosystem doesn’t necessarily disrupt the others.

Following the money

The final layer of the supply chain is financial.

Criminal organisations still need ways to receive, move and cash out proceeds from their campaigns. 

According to Chainalysis, cryptocurrency continues to play a central role in ransomware payments, with funds moving through a combination of exchanges, personal wallets, cross-chain bridges and other parts of the crypto ecosystem before ultimately being converted into usable assets.

This financial layer often gets less attention than ransomware groups themselves, but it’s a critical component of the cybercrime economy. Without mechanisms for moving and monetising illicit proceeds, cybercriminal business models become much harder to sustain.

Why should you care about the middlemen? 

Because they have a serious impact on the threat landscape. 

The barrier to entry for attackers continues to fall. Criminals no longer need elite technical skills or years of experience to launch sophisticated campaigns – they can acquire the capabilities they need through specialist providers operating across underground forums and marketplaces. 

That means that as a defender, you’re not facing individual attackers. You’re facing an interconnected network of suppliers and customers.

And ecosystems are often more resilient than the organisations attempting to disrupt them.

The modern cybercriminal doesn’t always build an attack from scratch. Instead, they assemble one.

Share on

Join newsletter

Join the newsletter to receive the latest updates in your inbox.


Follow us


Topics

Sign up for more like this.

Join the newsletter to receive the latest updates in your inbox.

Related articles