ANALYSIS

The Silent Market: How Stolen Corporate Data Is Quietly Bought and Sold

When a company is hit by ransomware, the event announces itself. Files lock, a note appears, a countdown starts, and within days the victim's name is on a leak site. This is the part of the cybercrime economy everyone can see, and it is the part almost every report describes.

It is also the part that is shrinking.

In 2025, ransomware operators received more than $820 million in on-chain payments, an 8% decline on the year before, according to Chainalysis. The share of victims who paid fell to roughly 28%, an all-time low. Yet attacks did not fall with payments: claimed victims rose by about 50% over the same period. More companies hit, fewer of them paying. The loud market is getting louder and less profitable at once.

That contradiction is the way into the part of the market no one can see. When extortion pays less, value migrates to where it can be realised more quietly. Running in parallel to the ransomware economy is a market in stolen corporate access and data that operates without ransom notes, without leak sites, and often without the victim ever knowing. It is priced, structured, and traded like any commodity market, and its core is silent by design, because every party to a transaction in it has a reason to keep it that way.

What follows is a map of that market. It is not built from claims about a hidden underworld. It is built from the parts of the market that are documented, priced, and periodically seized by law enforcement, and from what the behaviour of those visible parts tells us about the rest. We rely throughout on published threat-intelligence and law-enforcement reporting, not on access to criminal forums.

Reading a criminal economy as an industry

To make sense of a market this opaque, it helps to borrow the tools analysts use on legitimate industries. Three carry most of the weight here.

Porter's Five Forces examines the structural pressures that shape any market: how easily new players enter, how much bargaining power suppliers and buyers hold, what substitutes compete for the same demand, and how intense the rivalry is between incumbents. Strategic-group analysis clusters the participants of an industry by the strategy they pursue rather than the product they sell. PESTLE scans the external environment — political, economic, social, technological, and legal forces — that lets a market flourish or pushes it to change shape.

None of these were designed for crime, and that is precisely why they work. Applying them treats the participants as rational businesses responding to cost, incentive, and competition, which is what the evidence shows them to be. The same logic underlies the map later in this piece: a perceptual map, the tool analysts use to position competitors against each other, plots the market on visibility against value and puts the silent segment exactly where the economics place it — highest value, lowest visibility.

Proof it exists: the visible edges

The instinct on hearing "invisible market" is to discount it. So begin with the parts that are not invisible at all.

There is an exchange for corporate access. Initial-access brokers (IABs) compromise an organisation and sell the foothold to whoever wants it. This is a tracked market with reported prices. Rapid7's 2025 analysis put the average access listing at about $2,700, with 71% offering privileged access. Then, in the second half of 2025, the reported average base price jumped to roughly $113,275. The cause was not a sudden change in the value of access; it was a supply shock. The BreachForums marketplace collapsed and a prominent forum administrator was arrested, and prices moved the way any market's prices move when supply is disrupted. Markets that react to supply shocks are markets.

A listing reads like a product page. It states the victim's sector and country, an approximate revenue band, the type of access on offer — remote-desktop, VPN, a compromised email account, a cloud console — and the level of privilege, with administrator rights commanding the premium. Group-IB has tracked the number of active brokers climbing from 262 to 380 in a single year, with 70% of offers being remote-desktop or VPN access and 47% carrying administrator rights. The move up-market that Rapid7 recorded — fewer commodity listings, more premium access to organisations whose buyers expect a large return — is the same up-market drift any maturing industry shows. The broker never has to commit the follow-on attack. They sell the door and let someone else decide what to do with the room.

There is a commodity supply of credentials. Infostealer "log shops" sell the raw material: passwords, browser cookies, and session tokens harvested from infected machines. A single log is not one password. It is the full contents a stealer could read in the seconds it ran: saved browser credentials, autofill data, cookies and session tokens, cryptocurrency wallet files, and a system fingerprint. Before the FBI seized it in Operation Cookie Monster in April 2023, Genesis Market had carried on the order of 135 million such listings since 2018, and its innovation was to sell the fingerprint as a live subscription — a buyer could replay the victim's exact browser environment, cookies included, and walk past multi-factor authentication because the session was already authenticated. Its successor, Russian Market, moved past five million logs available on a single day in early 2023, selling from as little as $2, with roughly 85% recycled from existing sources. At two dollars each, the economics only work at volume, which is exactly what infostealer-as-a-service supplies. We have walked through how that supply is generated in how modern infostealers work.

There is a catalogue for the data itself. Breach forums sell corporate databases by auction and at fixed price; in February 2025, twenty million OpenAI account records were advertised on one. Individual records trade against something close to a published rate: a US Social Security number for $1 to $6, a payment card with security code for $10 to $40, a verified cryptocurrency-exchange account for upward of $1,100. These are not anonymous drop sites. Mature forums run reputation systems, vouching, and escrow — the same trust machinery any marketplace needs when neither party can go to court. Some data is posted free, to build a seller's standing or to damage a target; the valuable material is sold privately. The free dumps are the advertising; the real business is quieter. And the forums are seized and reappear, again and again, which tells you the demand outlasts any single venue.

And there is a legitimate-grey template whose prices reveal the market's value structure. Zerodium, the exploit-acquisition firm, was the first to publish a price chart for zero-day vulnerabilities, historically ranging from $5,000 to $1.5 million, selling to government clients on subscriptions of $500,000 a year under strict exclusivity. Its successor in setting the high-water mark, Crowdfense, now advertises up to $9 million for a working zero-click smartphone exploit, as part of a $30 million acquisition pool, with browser and messaging-app exploits priced in the millions.

That chart is worth reading as economics, not trivia. Nobody spends millions on an exploit to harvest credit-card numbers from a home computer; commodity infostealers already do that for two dollars a log. A seven-figure exploit only makes sense against a target worth far more: persistent access to an enterprise, a government network, a payment system. The price floor is the proof. A multi-million-dollar tier sitting above a two-dollar tier maps the market's value structure directly. Infostealers fill the high-volume, low-value bottom; zero-days are reserved for the high-value top. And the high-value top is precisely where monetisation goes quiet, because access worth a million-dollar exploit is access worth keeping and working patiently, not burning for a single ransom.

The buyers at that top tier are no longer mainly states. Google's Threat Intelligence Group tracks around 40 commercial surveillance vendors, the private companies behind tools like NSO Group's Pegasus and Intellexa's Predator, and in 2025, for the first time, more tracked zero-days were attributed to those vendors than to state-sponsored espionage groups: 18 of 42, against 15 for nation-states. Intellexa reportedly sold to at least eight governments and priced a one-click mobile exploit chain at about €8 million. What that capability does in practice is visible in the surveillance-vendor cases: tools built on these exploit chains have been documented targeting executives, journalists, lawyers, and political figures — the precise high-value individuals whose access or information justifies the price. Financially motivated criminal groups have entered the same tier, because their revenue now rivals state budgets; threat researchers have for years observed ransomware operators buying or commissioning exploits once reserved for intelligence agencies, simply because the payout justifies it. Premium offensive capability is a commercialised, brokered market with rising prices, accessible well beyond governments. Rising prices, by the same economic logic, mean rising target values.

None of these four edges is rumour. They are the measurable boundary of the market. The question is what lies inside it.

The market structure, in five forces

Porter's framework asks five structural questions of a market. The cybercrime economy answers all five, and the answers explain why the quiet segment is where the money is going.

The threat of new entrants is high, by design. Ransomware-as-a-service and off-the-shelf infostealers mean a newcomer no longer needs to build capability, only to rent it. The barrier that protects most industries — the cost of becoming competent — has been dismantled and sold as a product.

Supplier power concentrates at the top. At the bottom, supply is abundant and interchangeable; one log is much like another, and prices sit at a few dollars. At the top, a broker holding genuine privileged access to a valuable, named target has real pricing power and can hold out for the highest bidder. The supplier base is the IABs, log-shop operators, and exploit brokers feeding raw material into everything downstream.

Buyer power varies by tier. The buyers are ransomware affiliates at the loud end and data brokers, fraud crews, surveillance vendors, and patient operators at the quiet end. They choose suppliers the way any business does, on price, quality, and reliability, and the falling ransom-payment rate is steadily shifting their preference from "rent a way in and extort" toward "buy the data and sell it on."

Substitutes compete over the same stolen goods. Once an actor holds access, they can encrypt and extort, steal and threaten to leak, or simply steal and sell. These are substitute monetisation strategies for one input, and the market is visibly rotating from the first toward the third.

Rivalry plays out through disruption, not price. When LockBit was taken down, the response was not collapse but redistribution: affiliates carried their skills to competing operations, and other brands absorbed the displaced supply. The brand is disposable; the labour and the demand are not. Sanctions follow the same logic — the United States, United Kingdom, and Australia named and sanctioned LockBit's administrator in 2024 — and the effect is to raise the cost of operating openly, which pushes the most capable operators toward the quieter end of the market where attribution is harder and there is no leak site to seize.

That rivalry is rarely visible from outside, which makes the LockBit takedown valuable. Operation Cronos, the February 2024 action led by the UK's National Crime Agency, opened up the inside of one of these businesses. It revealed a firm with 194 affiliates, of whom only 148 ever executed an attack and only 119 ever entered negotiations. LockBit took a 20% cut and, unusually, let affiliates collect the ransom themselves before paying its share. The platform had facilitated more than 7,000 attacks since June 2022, but only 2,110 reached negotiation, and only about 41% of negotiating affiliates converted a victim into a payer. More than half of affiliates saw no return at all. That is the unit economics behind the business of ransomware-as-a-service, laid bare by a takedown — high volume, high failure, thin conversion. Exactly the kind of margin pressure that pushes operators toward quieter, more reliable monetisation.

Figure: a perceptual map of the cybercrime market, plotting visibility against value per operation. Low-value, semi-visible: stolen records at $1 to $40 and infostealer logs at about $2 each. High-value but loud: ransomware and leak extortion, with a falling 28% payment rate. High-value and silent, the top-right quadrant labelled The Silent Market: initial-access-broker corporate access at $1,000 to $113,000, brokered data resale with no notification, and zero-day intrusions at $5,000 to $9 million per exploit.

The segments, by strategy

Strategic-group analysis sorts an industry's players by the strategy they run, not the goods they move. Sorted that way, the market falls into five groups, distinguished mainly by how much visibility each strategy accepts.

Financial extortion is the loud centre: ransomware and data-leak operations — the Qilin and ShinyHunters operations we profile elsewhere — that depend on being seen, because the threat to publish is the entire leverage. Visibility is not a side effect for this group; it is the product.

Notoriety-driven actors trade in reputation, claiming breaches on forums to build a name, sometimes regardless of whether the underlying data is fresh or recycled. The asset they are building is standing in the market, which converts later into better prices and partnerships.

Ideological and hacktivist actors act for a cause rather than a payout, and announce themselves for the same reason. They are a small share of volume but a disproportionate share of noise.

State-aligned actors require a careful distinction. Pure espionage services generally collect for the state and do not sell. But the line is not clean: financially motivated brokers operate with apparent tolerance in some jurisdictions, sanctioned-state operations are explicitly revenue-generating, and state-tolerated groups moonlight. "State actors sell data" is too blunt; "the selling end of the market spans financially motivated brokers, sanctioned-state revenue operations, and moonlighters" is accurate.

Silent brokered-extraction is the segment this piece is named for. Here the goal is neither disruption nor publicity. Access is acquired, often from the very log shops and IAB listings above, and the resulting data is quietly sold, reused, or passed along. No encryption, no note, no leak-site post. The transaction is built to leave no trace on any side. The CoinbaseCartel profile shows the step just before this one: data-theft extortion that has already dropped the encryptor, one move away from dropping the ransom demand too.

Benchmarked by capability rather than motive, the groups converge on a common chain. Initial access comes from bought credentials and footholds (Valid Accounts, mapped in the MITRE ATT&CK framework as T1078) or exposed remote services (T1133), increasingly with no phishing at all because the access was simply purchased. Collection and exfiltration over ordinary web services (T1567) follow. Only the loud lane adds the final, visible step of encryption for impact (T1486). The silent segment stops one step earlier, at exfiltration, and never announces itself. The capability is largely shared across the groups; what differs is whether the last, noisy step is taken. That is why these are strategies, not fixed identities — the same well-capitalised group can run commodity infostealer campaigns for volume and buy a zero-day for a single high-value target, choosing its place on the loud-to-silent spectrum case by case.
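The chain above is easier to see in detection logic than in prose. The following is an added example, not code from the article or from any vendor it cites: it correlates a handful of constructed events per user, maps them onto the same ATT&CK steps (T1078 and T1133 for a valid-account login on a remote service from an address the inventory has never seen, T1567 for a large upload to a web-storage domain inside the following window, T1486 for a burst of file encryption) and then labels the chain "silent" when it stops at exfiltration and "loud" when the encryption step follows. The event schema, the known-address inventory, the exfiltration domain list, the byte threshold and the six-hour window are all assumptions chosen for illustration.

```python
"""Map constructed intrusion events onto the access-to-impact chain.

Added example, not the article's code. Event fields, thresholds, the
inventory of known source addresses and the exfiltration-domain list are
assumptions for illustration; the ATT&CK IDs are the ones the article names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), already normalised to dicts.
EVENTS = [
    {"ts": "2025-03-02T01:12:00", "kind": "vpn_login", "user": "j.doe", "src": "203.0.113.9", "result": "success"},
    {"ts": "2025-03-02T01:40:00", "kind": "http_upload", "user": "j.doe", "dst": "files.example-cloud.test", "bytes": 3_200_000_000},
    {"ts": "2025-03-02T02:05:00", "kind": "vpn_login", "user": "j.doe", "src": "203.0.113.9", "result": "success"},
    {"ts": "2025-03-03T09:00:00", "kind": "vpn_login", "user": "a.smith", "src": "198.51.100.7", "result": "success"},
    {"ts": "2025-03-03T09:30:00", "kind": "http_upload", "user": "a.smith", "dst": "files.example-cloud.test", "bytes": 12_000},
    {"ts": "2025-03-04T22:10:00", "kind": "vpn_login", "user": "m.lee", "src": "192.0.2.44", "result": "success"},
    {"ts": "2025-03-04T22:50:00", "kind": "http_upload", "user": "m.lee", "dst": "files.example-cloud.test", "bytes": 900_000_000},
    {"ts": "2025-03-05T00:15:00", "kind": "file_encrypt_burst", "user": "m.lee", "count": 18000},
]

# Assumed inventory: source addresses each account has legitimately used before.
KNOWN_SRC = {"j.doe": {"198.51.100.20"}, "a.smith": {"198.51.100.7"}, "m.lee": {"192.0.2.10"}}
EXFIL_DOMAINS = {"files.example-cloud.test"}   # assumed: web-storage services to watch
EXFIL_BYTES = 500_000_000                       # assumed: upload volume worth flagging
WINDOW = timedelta(hours=6)                     # assumed: how long after the login to correlate


def classify(events, known_src=KNOWN_SRC):
    """Return {user: {"techniques": [...], "profile": "silent" | "loud" | "benign"}}.

    A user is "silent" when a suspicious valid-account login is followed by a
    large web-service upload and nothing else; "loud" when an encryption burst
    follows; "benign" when neither correlation fires.
    """
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        per_user[e["user"]].append(e)

    results = {}
    for user, evs in per_user.items():
        techniques = []
        anchor = None  # time of the first login from an address not in inventory
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["kind"] == "vpn_login" and e["result"] == "success" \
                    and e["src"] not in known_src.get(user, set()):
                # Valid credentials used on an external remote service from an
                # unknown address: T1078 via T1133. Only the first such login anchors.
                if anchor is None:
                    anchor = t
                    techniques += ["T1078", "T1133"]
            elif e["kind"] == "http_upload" and anchor is not None \
                    and t - anchor <= WINDOW and e["dst"] in EXFIL_DOMAINS \
                    and e["bytes"] >= EXFIL_BYTES:
                if "T1567" not in techniques:
                    techniques.append("T1567")  # Exfiltration Over Web Service
            elif e["kind"] == "file_encrypt_burst" and e["count"] > 1000:
                if "T1486" not in techniques:
                    techniques.append("T1486")  # Data Encrypted for Impact

        if "T1486" in techniques:
            profile = "loud"
        elif "T1567" in techniques:
            profile = "silent"
        else:
            profile = "benign"
        results[user] = {"techniques": techniques, "profile": profile}
    return results


if __name__ == "__main__":
    for user, verdict in classify(EVENTS).items():
        print(f"{user:8} {verdict['profile']:7} {' -> '.join(verdict['techniques']) or '-'}")
```

Run against the sample, j.doe comes out "silent" (T1078, T1133, T1567 and then nothing), m.lee "loud" (the same chain plus T1486), and a.smith "benign" because the login came from an address already in inventory. The point of the rule is the anchoring: a detection keyed on the encryption burst would see m.lee and miss j.doe entirely, which is exactly the outcome the silent segment is built to produce.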

The silent core: proving the unmeasurable

By definition, the fully silent transactions cannot be counted. A sale that succeeds leaves no victim notification, no public claim, and no recovered ransom. So the honest position is this: no one can put a credible single figure on the silent core, and anyone who offers one precisely is guessing. What can be done is to read its existence and rough shape off the behaviour of the market around it. Four independent indicators point the same way.

The shift away from encryption. Across 2025, data-theft extortion without any encryption accounted for 57.6% of extortion cases, against 13% using encryption alone, and the data-only share rose from 49% in the first half of the year to 65% in the second, according to Symantec. Encryption-based attacks have stayed roughly flat at about 4,700 a year, while total extortion attacks reached 6,182, up 23%. The trend line runs from noisy to quiet: encrypt, then steal-and-threaten, then, past the edge of measurement, steal-and-sell. Each step sheds a layer of visibility, and the market is moving down it.

The recycling rate. When 85% of the logs on a major shop are resold from existing sources, the same stolen access is changing hands repeatedly. A secondary market that active implies a primary market larger than any single sale that ever surfaces.

The detection gap. Mandiant's M-Trends 2026, drawn from more than 500,000 hours of incident response, found global median dwell time rose to 14 days, and that in 34% of cases the victim learned of the intrusion from an outside party rather than detecting it. Those external-notification cases ran a median of 25 days. If a third of known intrusions are discovered only because someone else raised the alarm, the intrusions where no one ever raises one are, by construction, the cases that never enter the statistics at all. The same report timed the hand-off from initial access to a follow-on operator at as little as 22 seconds: access traded as a commodity, in real time.

The price-tier logic. As above, the existence of a multi-million-dollar exploit market over a two-dollar log market is only rational if there are targets whose value justifies the premium, and those high-value targets are the ones monetised by retention and quiet sale rather than by a one-off ransom.

Consider the chain in the abstract, as an illustration of the mechanics rather than any specific case. An employee installs cracked software on a personal laptop; an infostealer harvests their saved corporate credentials and a live session cookie and uploads the package to a shop, where it sells for a few dollars. A broker who watches such shops recognises the corporate domain, tests the access, confirms it reaches something valuable, and relists it as privileged access to a named-sector company for several thousand dollars. A buyer acquires it and does nothing loud — they read email, watch a finance process, wait for the right moment, or quietly copy a dataset and sell it onward. At no point is a ransom note sent. At each step the transaction could have surfaced; at each step the incentives kept it quiet. The only reason the public hears about chains like this is that some of them end in a noisy ransom, and those are the ones we count.

And the incentive structure guarantees the silence. The buyer wants quiet access that keeps working. The seller wants to monetise without drawing law enforcement. The victim, against a skilled operator, may never know, and a third party who learns of a quietly resolved breach has little reason to publish it. Every party with knowledge of the transaction has its own reason to keep it quiet. Under-reporting compounds the effect: the FBI's Internet Crime Complaint Center logged $20.877 billion in reported losses across more than a million complaints in 2025, up 26%, while a 2025 Pew Research Center survey found only 26% of Americans who lost money to an online scam reported it to anyone official. The reported number is the visible tip; the structure ensures the rest stays dark.

If the most damaging transactions are the ones that never produce a notification, the defensible question is what an attacker can already find and price about you. A Corporate Audit maps that exposure before it is sold.


Why the silent segment flourishes, hides, and changes form

PESTLE scans the forces outside a market that shape its conditions. Each one, here, favours silence and resilience.

Political. Operators concentrate in jurisdictions that will not extradite, and the major takedowns — Operation Cronos against LockBit, Cookie Monster against Genesis, Operation Endgame against malware infrastructure in 2024 — disrupt without dismantling, because affiliates and demand outlive the brand. Sanctions raise the cost of operating in the open, but they push the best operators toward the quiet end rather than out of the market.

Economic. Cryptocurrency provides settlement, and the falling ransom-payment rate changes the calculation in favour of sale over extortion: a near-certain few thousand dollars for access is more reliable than a one-in-three chance of a ransom. The IAB pricing model rewards quality access with patient buyers, and patient buyers do not make noise.

Social. The market runs on reputation. Forum standing, vouching, and escrow let strangers transact in stolen goods, and a broker's track record is an asset worth protecting — which itself discourages the kind of noise that draws law enforcement to a profitable operation.

Technological. Infostealer-as-a-service and ransomware-as-a-service industrialise the bottom of the market, while commercial exploit programmes professionalise the top. Generative tools lower the cost of the lures and the localisation that feed both ends.

Legal. Mandatory breach-disclosure regimes create a paradox. Rules meant to force transparency sharpen the incentive for silence on the attacker's side, because the cleanest way to spare a victim a disclosure obligation — and to keep the access saleable a second and third time — is to ensure the breach is never confirmed.

The result is a market that does not die when a venue is seized. It rebrands, re-hosts, and continues, because demand for quiet corporate access is structural, not tied to any single storefront.

Sizing it

Put the visible totals together and the gap becomes the point. On-chain ransomware payments in 2025 ran around $820 million, by Chainalysis's count. Reported cybercrime losses to the FBI reached $20.877 billion. Those are real numbers, and they capture the loud market and the reported fraud reasonably well.

They do not capture the silent core, and cannot. The value migrating out of ransom payments — as the pay rate falls to 28% while attacks rise 50% — does not vanish. It moves to monetisation that never produces an on-chain ransom or a victim complaint: access sold, data resold, intrusions worked quietly. The most defensible statement is the uncomfortable one: the visible figures are a floor, the true total is unknowable, and the difference is precisely the market built to stay unseen.

What this means for an organisation

The practical consequence is uncomfortable. The breach you are notified about is, increasingly, the considerate outcome — the operator who wanted you to know, because they wanted to be paid. The events that should most concern a security team are the ones engineered to produce no notification at all: the credential sold from a log shop, the access auctioned to a buyer who uses it patiently, the data resold to a party with no interest in announcing anything.

In practice that means asking different questions than a ransom-note-shaped defence asks. What corporate credentials already sit in infostealer logs? Which of the organisation's people carry access on devices it cannot see? What would a broker's listing for the company actually say — sector, revenue band, access type — and how much of that is already true and discoverable today? These are questions about exposure, not about alerts, and they can be answered before anything is sold.
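The first two of those questions can be answered from the log material itself. The following is an added example, not the article's code or any vendor's tooling: it takes a constructed stealer bundle in the layout common stealer families export (a machine-information file, a Passwords.txt of URL/Username/Password blocks, and a Netscape-format cookie jar), keeps only the entries that touch the organisation's domains, flags accounts whose naming suggests privilege, checks which session cookies are still within their expiry at a reference time, and notes whether the infected machine is in the endpoint inventory at all. The corporate domain list, the inventory, the privileged-account naming convention, the reference time and every line of the sample bundle are assumptions constructed for the example.

```python
"""Exposure check over a constructed infostealer-log bundle.

Added example, not the article's code. The file names and layouts mimic the
bundle format common stealer families export, but the sample contents, the
corporate domains, the endpoint inventory and the admin naming convention are
all assumptions for illustration.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

CORP_DOMAINS = {"example-corp.test"}      # assumed: the organisation's domains
MANAGED_HOSTS = {"LT-CORP-0412"}          # assumed: endpoint inventory hostnames
ADMIN_MARKERS = ("adm", "admin", "svc")   # assumed: privileged-account naming prefixes
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # assumed review time

# Constructed bundle (not a real dump). Two corporate logins and one live
# corporate session sit beside unrelated personal material.
SAMPLE_LOG = {
    "UserInformation.txt": "MachineName: DESKTOP-HOME77\nUserName: jdoe\nOS: Windows 11\n",
    "Passwords.txt": (
        "URL: https://vpn.example-corp.test/\nUsername: j.doe@example-corp.test\nPassword: Winter2025!\n===============\n"
        "URL: https://shop.example.test/login\nUsername: jdoe77@mail.test\nPassword: hunter2\n===============\n"
        "URL: https://admin.example-corp.test/\nUsername: adm-jdoe\nPassword: Sp4ceB4r!\n===============\n"
    ),
    "Cookies.txt": (
        "# Netscape HTTP Cookie File\n"
        ".example-corp.test\tTRUE\t/\tTRUE\t1772409600\tSESSION\tabc123\n"   # expires 2026-03-02
        ".example-corp.test\tTRUE\t/\tTRUE\t1700000000\tSESSION\told456\n"   # expired 2023-11-14
        ".example.test\tTRUE\t/\tTRUE\t1772409600\tcart\txyz\n"
    ),
}


def parse_passwords(text):
    """Parse the URL/Username/Password blocks a stealer writes to Passwords.txt."""
    records = []
    for block in text.split("==============="):
        fields = {}
        for line in block.strip().splitlines():
            key, _, value = line.partition(": ")
            fields[key.strip().lower()] = value.strip()
        if {"url", "username", "password"} <= fields.keys():
            records.append({"url": fields["url"], "user": fields["username"], "password": fields["password"]})
    return records


def parse_cookies(text):
    """Parse Netscape cookie-jar lines: domain, flag, path, secure, expiry, name, value."""
    cookies = []
    for line in text.splitlines():
        parts = line.split("\t")
        if line.startswith("#") or len(parts) != 7:
            continue
        cookies.append({"domain": parts[0].lstrip("."), "expires": int(parts[4]),
                        "name": parts[5], "value": parts[6]})
    return cookies


def is_corporate(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CORP_DOMAINS)


def assess(log, now):
    """Summarise what a broker could read about the organisation from one log."""
    info = {}
    for line in log["UserInformation.txt"].splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            info[key] = value
    machine = info.get("MachineName", "?")

    credentials = []
    for r in parse_passwords(log["Passwords.txt"]):
        host = urlsplit(r["url"]).hostname or ""
        if not is_corporate(host):
            continue
        local = r["user"].split("@")[0].lower()
        credentials.append({
            "host": host,
            "user": r["user"],
            "privileged": any(local == m or local.startswith(m + "-") or local.startswith(m + "_")
                              for m in ADMIN_MARKERS),
            # Never carry the plaintext forward; a masked hint is enough to triage.
            "password_hint": r["password"][:2] + "*" * (len(r["password"]) - 2),
        })

    live, expired = [], 0
    for c in parse_cookies(log["Cookies.txt"]):
        if not is_corporate(c["domain"]):
            continue
        if datetime.fromtimestamp(c["expires"], tz=timezone.utc) > now:
            live.append({"domain": c["domain"], "name": c["name"]})   # replayable without MFA
        else:
            expired += 1

    return {"machine": machine, "managed": machine in MANAGED_HOSTS,
            "credentials": credentials, "live_sessions": live, "expired_sessions": expired}


def assess_sample():
    return assess(SAMPLE_LOG, REFERENCE_NOW)


if __name__ == "__main__":
    print(assess_sample())
```

On the sample the result is the listing a broker would write: an unmanaged machine, two corporate credentials of which one looks privileged, and one corporate session cookie still inside its expiry, which is the item that walks past multi-factor authentication. In practice the credentials would be checked against the directory and the live session revoked before anyone else prices it.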

You cannot defend against this segment by watching for ransom notes, because it does not send them. The defensible posture is to assume your access and data already carry a price somewhere, and to reduce what is exposed to be priced — the credentials sitting in logs, the access paths left open, the individual exposure that makes a target findable in the first place. That is the demand side of the exposure mapped in the identity attack surface and the attack surface you don't own. This market is who that exposure is for.

