Ransomware operators run affiliate programs with revenue splits, support desks, and negotiation playbooks. Access to a mid-size company's VPN sells through brokers with escrow and reputation scores. Stolen browser sessions retail in bulk like a commodity. The dark web economy is not an underworld curiosity; it is a functioning market with specialization, price discovery, and quality control — and for defenders, that is unexpectedly good news. Markets publish signals. If you learn to read what criminals pay for, you learn precisely which of your controls are worth attacking and which are not worth the trouble.
That reframing matters because many security programs benchmark against imagined nation-state adversaries while the attacks that actually land are assembled from purchased parts by economically rational operators. Understanding the parts list is a prioritization tool.
A supply chain of compromise
Cybercrime industrialized by unbundling. Almost nobody runs the whole kill chain anymore:
- ▸Malware developers sell stealers and loaders as subscriptions, complete with support channels and feature roadmaps.
- ▸Traffers specialize purely in distribution — malvertising, cracked-software lures, SEO poisoning — and are paid per install.
- ▸Log markets aggregate infostealer output and sell it by the batch or through subscription search services.
- ▸Initial access brokers (IABs) turn raw credentials into verified footholds — a working VPN login, an RDP session, a webshell — and auction them on forums.
- ▸Ransomware-as-a-service operators provide the payload, the leak site, and the negotiation infrastructure; affiliates who buy access and deploy keep the larger share of any payout.
Each handoff is a market transaction, and each market has prices. Law enforcement actions like the Genesis Market takedown confirmed the scale: that single shop packaged victim browser fingerprints and live session cookies as ready-to-use digital identities.
Stealer logs are the raw commodity
The cheapest input into the whole chain is the infostealer log: an archive of everything a commodity stealer such as RedLine or Lumma grabbed from an infected machine — saved passwords, autofill data, crypto wallets and, most valuably, live session cookies. Cookies matter because a replayed authenticated session walks straight past password and MFA checks. A meaningful share of serious breaches begin as a cheap log harvested from an employee's personal laptop that happened to have a corporate session open.
The defensive translation is specific: shorten session lifetimes for sensitive applications, bind tokens to device posture where your identity provider supports it, move administrators to phishing-resistant passkeys, treat a valid session appearing from an impossible location as an incident, and be honest about unmanaged-device access to corporate SaaS — because that gap is exactly what the log economy monetizes.
Access brokers price your weakest control
IAB listings read like perverse penetration-test reports: access type, industry, country, victim revenue, level of privilege — priced accordingly. Domain-admin access to a large enterprise commands far more than a single user's VPN login at a small firm, because the buyer's remaining work differs by weeks. That pricing is information. Everything that forces an attacker to do more work after initial access — segmented networks, tiered administration, EDR coverage that actually pages someone — reduces what access to you is worth. Unprofitable listings do not get bought.
RaaS economics after the takedowns
Operation Cronos against LockBit in 2024 did something fines never do: it attacked trust inside the market — seizing infrastructure, exposing affiliate details, and revealing that supposedly deleted victim data had not been deleted. Combined with exit scams by other brands, the effect has been churn: rebrands, smaller crews, and a visible shift toward data-theft-only extortion, which needs no encryptor, no decryptor support desk, and less skill. For defenders this changes the drill: exfiltration detection and data governance now matter as much as backup restore times, because the cheapest viable extortion no longer encrypts anything.
Reading price signals as a defender
1. Subscribe to monitoring for your domains and credentials in stealer-log markets, and make automated session revocation the response — not a ticket. 2. Ask your threat-intelligence provider for IAB listings by sector and geography, then tabletop the exact access types being sold rather than hypothetical zero-days. 3. Map your controls against commodity tradecraft in MITRE ATT&CK before worrying about exotic techniques; the market overwhelmingly sells the common paths. 4. Update incident response for the extortion shift: rehearse a no-encryption data-leak scenario end to end, including legal and communications. 5. Revisit quarterly, because criminal markets reprice faster than annual risk assessments.
The strategic value of thinking economically is that it converts security spending from faith into arbitrage. Every control you deploy either raises the attacker's cost of goods or it does not, and the market will tell you which — through the prices it sets and the victims it selects. Boards understand supply chains, margins, and unit economics; describing the threat in those terms unsticks funding conversations in a way CVSS scores never have. The goal is not to be unbreachable. It is to be a bad trade.
