Initial Access Broker (IAB)
Web3 / wallets security
An Initial Access Broker is a cybercriminal specialist who infiltrates target networks, establishes persistent covert access, and then sells or rents that access to other threat actors rather than monetizing the breach directly. The IAB model, long documented in ransomware ecosystems, emerged as a factor in major DeFi hacks in 2025 and 2026. The division of labor separates the skills of network intrusion from the skills of financial exploitation: one group maintains expertise in zero-day vulnerability exploitation, rootkits, and firewall penetration; another maintains deep knowledge of DeFi protocol mechanics, DEX liquidity, and token conversion paths required to extract value without collapsing markets.

Example: The forensic hypothesis emerging from the Resolv Labs March 2026 hack describes a possible three-party IAB chain: Interlock exploiting a Cisco firewall zero-day to establish initial network access; TeamPCP's supply chain attack harvesting AWS credentials through the Trivy CI/CD pipeline; and a DeFi-sophisticated actor using the harvested credentials to execute the minting exploit.

Why it matters for compliance: The IAB model means that a blockchain analytics team tracking the on-chain attacker address may be looking at a completely different actor than the group that compromised network infrastructure weeks earlier. Attribution becomes multi-party, making both investigation and regulatory enforcement substantially more complex.