The cyber threat landscape in Australia and New Zealand has become critically dangerous in 2025, driven by an escalating market for compromised network access sold on underground forums. Cyble Research and Intelligence Labs identified 92 instances of such sales impacting organizations in both nations, highlighting a mature and commercialized cybercrime ecosystem. These attacks are strategically targeting data-rich sectors, including retail, banking, financial services, insurance, professional services, and healthcare, where valuable customer and financial information is abundant.
Retail organizations have been the primary target, accounting for approximately 34% of all observed initial access sales. This focus reflects threat actors prioritizing sectors that offer the greatest potential for data exploitation and downstream access opportunities. The Banking, Financial Services, and Insurance (BFSI) sector followed, with nine compromised access listings, while professional services firms experienced seven documented incidents. These findings underscore the widespread and evolving nature of cyber threats facing businesses across the region.
Understanding the Access Brokerage Market and Attack Patterns
The marketplace for initial access is characterized by a fragmented ecosystem rather than control by a few dominant actors. While threat actors like “cosmodrome” and “shopify” were identified as prolific sellers, they collectively represented only about 26% of the observed listings. The remaining activity stems from a multitude of opportunistic participants selling access on platforms such as Exploit and Darkforums. This decentralized structure makes it challenging to pinpoint and disrupt individual operations.
Real-world incidents illustrate the tangible consequences of this underground market. In June 2025, the cybercrime group Scattered Spider successfully attacked a major Australian airline, compromising a customer service portal and exposing the personal details of nearly six million customers. Earlier, in March, an actor known as “Stari4ok” advertised access to a large Australian retail chain, listing approximately 250 gigabytes of data, including a significant user database, for an opening bid of USD 1,500. These examples demonstrate the direct financial incentives and the scale of data compromised through the sale of initial access.
The decentralized structure of this access brokerage market shows that initial access sales have become an accessible revenue stream for a diverse range of global threat actors. The market’s resilience and scalability expose organizations across Australia and New Zealand to heightened cumulative cyber risk, a trend expected to continue into 2026. The sophisticated targeting strategies employed by these actors necessitate continuous vigilance and proactive cybersecurity measures from organizations operating within these sectors to protect sensitive data and critical infrastructure.

