Cyble Research and Intelligence Labs documented 92 instances of compromised access sales affecting organizations across Australia and New Zealand during the year, revealing a mature and commercialized underground marketplace where stolen credentials and network entry points are openly traded on cybercrime forums.
These attacks have disproportionately impacted data-rich industries, with threat actors maintaining a strategic focus on retail, banking, financial services, insurance, professional services, and healthcare organizations.
The targeting strategy reflects attackers’ understanding of which sectors hold the greatest value, whether measured by customer data volumes, financial information, or downstream access opportunities to additional networks.
Cyble analysts identified retail organizations as the primary target, accounting for 31 incidents, or approximately 34% of all observed initial access sales, a figure more than three times that of any other sector.
The banking, financial services, and insurance (BFSI) sector followed with nine compromised access listings, while professional services firms experienced seven documented incidents.
The initial access marketplace demonstrates a highly fragmented ecosystem rather than a centralized operation controlled by a small number of actors.
The threat actor known as cosmodrome emerged as the most prolific seller of compromised access during the reporting period, closely followed by an actor operating under the alias shopify.
However, these prominent sellers together accounted for only approximately 26% of total observed listings, with the remaining activity originating from dozens of opportunistic participants posting access for sale on Russian-language forums like Exploit and English-language platforms such as Darkforums.
Real-world incidents illustrate the tangible consequences of this underground market activity.
In June 2025, the threat group Scattered Spider orchestrated a sophisticated attack against a major Australian airline, compromising a customer service portal and exposing records belonging to nearly six million customers, including names, email addresses, phone numbers, dates of birth, and frequent flyer numbers.
Earlier, in March, the actor Stari4ok advertised access to a large Australian retail chain, with approximately 250 gigabytes of data, including a 30-gigabyte SQL database with 71,000 user records, listed with an opening price of USD 1,500.
This decentralized access marketplace demonstrates that initial access sales have become an accessible revenue stream for a diverse range of threat actors globally, reinforcing the scalability and resilience of the underground economy while exposing organizations across Australia and New Zealand to heightened cyber risk throughout 2026.
The post Cyber Threats Targeting Australia and New Zealand Fueled by Initial Access Sales, and Ransomware Campaigns appeared first on Cyber Security News.