Sales of access to compromised networks of companies increased 4 times

Group-IB, an international company specializing in the prevention of cyber attacks, investigated the key changes that have occurred in the field of cybercrime in the world and on November 25, 2020 shared its forecasts for the development of cyber threats for 2021. Read more here.

According to the Group-IB Hi-Tech Crime Trends 2020-2021 report, the volume of accesses to corporate networks of companies sold on darknet forums increases annually, but the peak occurred in 2020. It is quite difficult to estimate the total volume of the access sales market in the underground: attackers often do not publish prices, and transactions take place “in private”. However, Group-IB technologies for the study of such sites, including taking into account information deleted and hidden by attackers, allowed us to estimate the total size of the market in the current period (H2 2019 — H1 2020) at $6,189,388, which is four times more than the last period (H2 2018 — H1 2019), when it was $1,609,930.

Group-IB has recorded a trend of participation in this “business” of pro-government groups seeking to find additional funding: they are also starting to sell access to corporate networks. So, in the summer of 2020, lots were published on the sale of access to a large number of networks, including US government departments, defense contractors (Airbus, Boeing, Raytheon, etc.), IT giants and media companies. In total, the author of the post asked for about $5 million for the lots.

In the first half of 2020 alone, hackers put up for sale 277 lots for the sale of access to hacked corporate networks of companies.

The number of sellers has also grown to 63, of which 52 have started their activity this year. For comparison, only 37 access sellers were active in 2018. In 2019, only 50 sellers put up for sale access to 130 companies. In total, the growth in sales of access to compromised networks of companies amounted to 162% compared to last year’s period (138 offers against 362 in the current one).


Analyzing the access sales segment, Group-IB analysts trace geographical and industry correlations with the attacks of cryptographers: the largest number of lots were put up for American companies (27%), and the most attacked industry in 2019 was production (10.5%), and 2020 brought demand for access to government organizations (10.5%), educational institutions (10.5%) and IT companies (9%). It is worth noting that sellers of such “goods” on hacker forums are less likely to indicate attributes such as the company name, location or industry, so it is often impossible to identify the victim and its location without interacting with attackers. Selling access to a company, as a rule, is only a stage in the implementation of an attack: the privileges obtained can be used both to launch an encryption program with subsequent extortion, and to steal data for sale on darknet forums or espionage.