Nobody Is Robbing Your Bank. They Already Sold the Keys.
Your security budget encodes a threat model. For most organisations, that model describes a crime that no longer exists.
Ask your security team to describe the adversary and you will hear some version of the heist. A skilled crew — the scout, the lockpicker, the getaway driver — studies your organisation, plans an operation against you specifically, breaks in, takes what it came for, and disappears. It is a satisfying story. It is the story behind your perimeter spend, your incident response retainer, and the threat-actor slide in your last board deck.
It is also roughly a decade out of date. The hoodie-in-a-basement hacker died around 2010. The heist crew that replaced him died quietly a few years ago, and most security budgets haven’t noticed.
What replaced the crew is not a better crew. It is a market.
The crime is now a supply chain
Modern cybercrime is organised the way every other mature industry is organised: through specialisation, intermediaries, and transactions between strangers.
At the front of the chain sit initial access brokers — operators who do nothing but compromise networks, wholesale. They phish, they spray credentials, they buy infostealer logs harvested from employees’ home laptops. They have no interest in your data. Their product is the door, and they sell it on criminal forums the way wholesalers sell anything: listed, priced, with the victim’s industry and revenue quoted as product specifications. Access to a mid-sized corporate network routinely trades for a few hundred to a few thousand dollars.
Stop on that number, because it is the most board-legible fact in all of cybersecurity. Your organisation spends six or seven figures a year on defence. The asset that defeats all of it changes hands for less than the catering budget of your last offsite.
Further down the chain, ransomware-as-a-service operators behave like franchisors: they build the malware, run the leak sites and the payment infrastructure, and license the kit to affiliates for a cut of the proceeds — commonly 70 to 80 percent to the affiliate. The affiliates are the buyers of the brokers’ access. Beyond them sit negotiation specialists, money-laundering services, even victim “support desks.” When the Conti group’s internal chats leaked in 2022, the world got a look at the org chart: salaries, HR complaints, performance reviews, an office. Not a gang. A company.
The people in this chain mostly never meet. The person who phished your employee, the person who deployed the ransomware, and the person who negotiated your payment are usually three strangers connected by escrow payments. There is no leader, no plan, and — this is the part that matters — no operation against you. You were not targeted. You were inventory.
Why the wrong model costs you real money
If this were just a question of analogies, it wouldn’t be worth your time. It isn’t. The heist model and the market model produce different decisions, and the differences are expensive.
The heist model says the breach is the event. The market says the breach is the listing. In the supply-chain reality, initial compromise and eventual impact are two separate transactions, often months apart, executed by different actors. The broker who harvested your access in March has no idea who will buy it in August, or what they’ll do with it. Your detection question is therefore not “is someone breaking in?” but “who is already inside, waiting for the asset to clear escrow?” Dwell time — not perimeter strength — is the metric that decides whether you make the news.
The heist model says one incident, one cleanup. The market says access gets resold. A “successful” incident response that evicts one intruder means little if the access that admitted them is still listed — or was sold to two buyers. The 2024 Change Healthcare disaster is the canonical case: a ransom of $22 million was reportedly paid to one group, whose operators promptly exit-scammed their own affiliate — after which the same stolen data surfaced with a second group demanding payment again. Two extortions, one breach. Under the heist model that’s lightning striking twice. Under the market model it’s just the secondary market working as designed.
The heist model says takedowns reduce your risk. The market says they reroute it. In February 2024, an international law-enforcement operation seized LockBit’s infrastructure — at the time the most prolific ransomware franchise on earth. A genuine victory. The franchise’s affiliates simply moved to competing platforms, and within a year the overall ecosystem volume had recovered. Arrests of individual Scattered Spider members in 2024 were followed, months later, by the same playbook tearing through UK retail. When you decapitate a gang, the gang dies. When you decapitate a market node, the market routes around it — that is what markets are for. If your risk register treats any takedown as a mitigation, your risk register is wrong.
AI didn’t change the model. It put it on sale.
The marketplace model predates the current AI wave. What AI is doing is collapsing the price of every specialist role in the chain.
The social engineer’s craft — fluent, contextual, individually tailored lures — was the expensive human bottleneck that kept quality phishing scarce. Large language models removed it: a competent lure in flawless English (or flawless Romanian, or flawless German) now costs effectively nothing, at unlimited scale. Voice cloning has done the same to the help-desk phone call, the technique that opened MGM’s doors in 2023. Reconnaissance — mapping your staff, your vendors, your technology stack from public sources — is exactly the kind of patient drudgery that automates beautifully.
The result is not a smarter adversary. It is a cheaper supply chain — lower cost of goods at every tier, which in any market means more volume, more participants, and downmarket expansion. Organisations that were never worth a skilled crew’s time are now economically viable inventory. If your implicit defence has been “we’re too small to target,” understand that nobody is doing the targeting anymore. A pipeline is doing it, and the pipeline’s costs just fell off a cliff.
What a CTO actually does with this
The reframe pays for itself in three decisions you can own in a boardroom without touching a packet capture.
First: assume the access already exists, and hunt the tenant. Shift weight from perimeter prevention to detection of what’s already inside — identity anomalies, lateral movement, the quiet weeks between purchase and deployment. The window between the broker’s harvest and the affiliate’s strike is your single largest defensive opportunity, and most organisations spend it blind.
Say the uncomfortable part directly: on the evidence, some readers of this article are compromised right now and will learn it the way most victims do — from someone else. A meaningful share of breached organisations are first notified by law enforcement, a security researcher, or the ransom note itself, and the quiet gap between initial access and impact is routinely weeks to months. So here is the only diagnostic that matters, and it costs one question on Monday morning: when did we last hunt our own network on the assumption that valid credentials were already in use — and what did we find? If the honest answer is “never,” then the absence of alarms in your SOC is not evidence of safety. It is evidence of silence — and in the marketplace model, silence is what the waiting phase sounds like.
Second: make eviction total, not surgical. When an incident occurs, the question for your responders is not “did we remove the intruder?” but “did we invalidate the asset — every credential, session, token, and foothold that was for sale?” Anything less is paying to clean a house that’s still listed on the marketplace.
Third: price the asymmetry, out loud, in the board pack. Your access trades for the cost of a team lunch; your downtime costs millions a day. That asymmetry — not compliance checklists — is the honest basis for security investment, and it points consistently toward the unglamorous controls: phishing-resistant MFA everywhere, ruthless credential hygiene, segmentation that makes one purchased door open onto one room instead of the whole building, and recovery you have actually rehearsed.
None of this requires new products. It requires retiring a mental model that was built for an adversary who no longer exists.
The burglar is gone. The marketplace is open, your listing may already be live, and the only question your security strategy needs to answer is the one the heist model never thought to ask:
not “can they get in?” — but “who already has, and what is it selling for?”
Catalin Lichi is the founder of Sugau Pty Ltd, an Australian consultancy specialising in sovereign infrastructure, bare-metal Kubernetes, and private AI for regulated industries.