Ransomware & Initial Access Fuel Australia/NZ Cyber Threats

Australia and New Zealand’s cyber threat environment has entered a critical phase throughout 2025. Threat actors are orchestrating increasingly sophisticated attacks, primarily focused on the sale of compromised network access.

The Cyble Research and Intelligence Labs documented 92 instances of compromised access sales affecting organizations across both regions during the year, revealing a mature and commercialized underground marketplace where stolen credentials and network entry points are openly traded on cybercrime forums.

These attacks have disproportionately impacted data-rich industries, with threat actors maintaining a strategic focus on retail, banking, financial services, insurance, professional services, and healthcare organizations.

The targeting strategy reflects attackers’ understanding of which sectors hold the greatest value, whether measured by customer data volumes, financial information, or downstream access opportunities to additional networks.

Cyble analysts identified that retail organizations emerged as the primary target, accounting for 31 incidents or approximately 34% of all observed initial access sales, a figure more than three times higher than competing sectors.

The BFSI sector followed with nine compromised access listings, while professional services firms experienced seven documented incidents.

Understanding Access Brokerage Market Structure and Attack Patterns

The initial access marketplace demonstrates a highly fragmented ecosystem rather than a centralized operation controlled by a small number of actors.

The threat actor known as cosmodrome emerged as the most prolific seller of compromised access during the reporting period, closely followed by an actor operating under the alias shopify.

However, these prominent sellers collectively controlled only approximately 26% of total observed listings, with the remaining activity originating from dozens of opportunistic participants posting access for sale on Russian-language forums like Exploit and English-language platforms such as Darkforums.

Real-world incidents illustrate the tangible consequences of this underground market activity.

In June 2025, the threat group Scattered Spider orchestrated a sophisticated attack against a major Australian airline, compromising a customer service portal and exposing records belonging to nearly six million customers, including names, email addresses, phone numbers, dates of birth, and frequent flyer numbers.

Earlier in March, the actor Stari4ok advertised access to a large Australian retail chain containing approximately 250 gigabytes of data, including a 30-gigabyte SQL database with 71,000 user records, listed with an opening price of USD 1,500.

This decentralized access marketplace demonstrates that initial access sales have become an accessible revenue stream for a diverse range of threat actors globally, reinforcing the scalability and resilience of the underground economy while exposing organizations across Australia and New Zealand to heightened cyber risk throughout 2026.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.