Initial Access Brokers Now Central to Cyberattacks: Report

 

The market for initial access brokers has expanded rapidly over the past two years, creating a system that allows advanced threat actors to outsource the early stages of an intrusion, according to new research from Check Point. The report says this growth has made it easier for both nation-state groups and criminal actors to breach a larger number of targets. 

Check Point notes that the rise of the IAB economy coincides with the growing use of cyberspace by governments as a tool for projecting power. The firm is urging policymakers and businesses to strengthen identity security, secure software supply chains and improve the resilience of operational technology systems. 

“Once considered peripheral players, IABs have become a critical node in the cyber-criminal supply chain, lowering barriers to entry for sophisticated operations and enabling rapid campaign scaling,” Check Point said. 

By paying IABs to handle initial access at scale, threat actors can move faster and avoid the risks associated with the early stages of an attack. According to the report, “state-backed groups and sophisticated criminal actors can reduce operational risk, accelerate execution timelines, and scale their campaigns across dozens of targets simultaneously.” 

This growing reliance on brokers also complicates attribution. When an IAB is involved, IT teams and investigators often struggle to determine whether an attack was carried out by a government-backed group or by a criminal operation. 

For this reason, Check Point says that “IAB activity is no longer a peripheral criminal phenomenon but a force multiplier in the broader offensive ecosystem, one that directly supports espionage, coercive operations, and potential disruption of U.S. government and critical infrastructure networks.” 

The report also highlights a sharp rise in IAB activity targeting essential sectors. Healthcare saw nearly 600 percent more IAB-related attacks in 2024 compared with 2023. Government, education and transportation networks were also significantly affected. 

Check Point says these increases reflect both higher demand from adversaries for access to sensitive environments and the growing professionalisation of the IAB marketplace, where access to critical systems is treated as a commodity. 

The research links this broader trend to rising geopolitical tensions and the changing role of nation-state hacking. “Cyber operations have evolved from opportunistic disruptions and intelligence-gathering into deliberate, coordinated campaigns designed to achieve political, economic, and strategic outcomes,” the report says. 

According to Check Point, the line between geopolitics and cyber activity has largely disappeared. State-aligned groups are using digital operations to shape crises, signal intent and impose costs on rivals, often below the threshold of open conflict. 

The firm notes that spikes in geopolitical risk are closely followed by spikes in targeted cyberattacks against U.S. government systems. “Cybersecurity is no longer just a technical issue; it is a strategic imperative,” Check Point said. The report argues that resilience, deterrence and rapid recovery must now be treated as national security priorities on the same level as traditional defence planning.

Global Breach of Mobile Guardian Wipes Data from 13,000 Students' Devices in Singapore

 

Mobile Guardian, a widely used digital classroom management platform, has experienced a significant security breach affecting thousands of students globally. The platform, which is a Google for Education partner, offers services such as device management, parental controls, secure web filtering, and classroom tools across multiple operating systems including Android, iOS, Windows, ChromeOS, and macOS. 

The Ministry of Education (MOE) in Singapore disclosed that the breach impacted around 13,000 students across 26 secondary schools, resulting in the complete wipe of their devices. In response, the MOE promptly removed the Mobile Guardian app from all student learning devices and is currently aiding students in recovering their lost data. 

Service Disruption

As a precautionary measure, Mobile Guardian has temporarily suspended its services, preventing users from accessing the platform. Students affected by the breach now face limited functionality on their devices, hindering their ability to fully utilize them for educational purposes. The extent of the breach's impact on students in other regions, such as North America and Europe, remains under investigation. 

It is important to note that this security breach is unrelated to a previous IT outage that occurred on July 30, 2024, which was attributed to a misconfiguration issue.

Rising Threat of Supply Chain Attacks

The incident with Mobile Guardian serves as a clear example of the growing threat posed by software supply chain attacks. In these attacks, hackers focus on compromising service providers to gain access to the end users who rely on them. 

To guard against such risks, cybersecurity experts recommend a few key practices: using strong, unique passwords, enabling two-factor authentication, keeping all software updated, staying vigilant for any unusual activity, and performing regular security checks. This breach underlines the critical need for solid cybersecurity measures, especially in the education sector, where digital platforms are essential for learning.