Stolen Data: The New Fuel Driving the Underground Economy

Not long ago, a data breach was seen as an incident to manage—a hole to plug, a press release to endure. That era, it seems, is behind us.

According to the teams at Synacktiv, a boutique security firm focused on offensive cyber operations, stolen data has evolved into a genuine operational asset. It sits at the core of a structured underground economy that makes cyberattacks quicker, cheaper, and markedly more effective.

A value chain modeled on industry

The landscape of cybercrime has undergone a radical transformation. Today it operates as a fragmented ecosystem, almost a marketplace, with clearly defined roles among specialized players. It starts with collection (through data thieves or direct intrusions), then moves to aggregation, enrichment, and finally exploitation.

Automated services mass-test the credentials that have been harvested, discarding the unusable ones and keeping only the access that works. These data are then organized into triplets (URL, username, password), a format industry insiders call ULP lists. They are traded on a large scale to compromise accounts, breach information systems, or drive extortion campaigns.
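For defenders, the same triplet format can be triaged to find which of their own accounts appear in a leaked list. The sketch below is an added example, not code from Synacktiv or from this article; the colon separator, the `example.com` domain, the function names and the sample lines are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample feed; example.com stands in for the defender's own domain.
SAMPLE_FEED = """\
https://sso.example.com/login:alice@example.com:Winter2024!
https://sso.example.com/login:alice@example.com:Winter2024!
https://vpn.example.com:8443/portal:bob:hunter2
https://shop.other.test/account:carol@example.com:abc123
https://forum.other.test/login:eve@mail.test:qwerty
not a ulp line
"""

def parse_ulp(line):
    """Split 'URL:username:password' from the right, because the URL contains colons.
    Assumed layout; a password that itself contains ':' would be misparsed."""
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or not all(parts):
        return None
    url, user, password = parts
    host = urlsplit(url).hostname
    return (host.lower(), user, password) if host else None

def triage(feed, domain):
    """Return deduplicated exposures touching `domain`, never keeping plaintext passwords."""
    key = secrets.token_bytes(32)  # per-run key: fingerprints only serve deduplication
    seen, findings = set(), []
    for line in feed.splitlines():
        parsed = parse_ulp(line)
        if parsed is None:
            continue  # malformed line
        host, user, password = parsed
        own_service = host == domain or host.endswith("." + domain)
        own_identity = user.lower().endswith("@" + domain)
        if not (own_service or own_identity):
            continue  # unrelated to this organisation
        fp = hmac.new(key, password.encode(), hashlib.sha256).hexdigest()[:16]
        entry = (host, user.lower(), fp)
        if entry in seen:
            continue  # duplicate record, common in aggregated lists
        seen.add(entry)
        reason = "own service" if own_service else "employee identity on third-party site"
        findings.append({"host": host, "user": user, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_FEED, "example.com"):
        print(finding)
```

Each finding is a candidate for a forced password reset and session revocation; the second category matters because of password reuse across sites.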

“This model resembles industrial subcontracting chains. A successful cyberattack is typically the result of a sequence of coordinated interventions,” explains Maxence Fossat, a cybersecurity expert at Synacktiv.

The scale of the phenomenon is dizzying. Several analyses estimate that credential databases in circulation comprise between 1 and 2 billion entries by 2025. Some of these records may be obsolete or duplicated, but the order of magnitude itself reveals the market’s depth.

Stolen data as a lever for profitability

What fundamentally changes the game is the economic logic underpinning these practices. Data resulting from breaches lowers the cost of acquiring access, raises the success rate of attacks, and speeds up their execution. In short, it boosts the attacker’s return on investment.

Initial access to a system increasingly relies on compromised legitimate accounts rather than on elaborate, expensive intrusion techniques. This operational mode is particularly perilous: it tends not to trigger immediate alerts, because there is little, a priori, to distinguish a fraudulent login from a genuine one.

But stolen data isn’t only used to open doors. It is also employed to construct far more convincing attack scenarios. By leveraging internal details—how teams are organized, project names, communication habits, and so on—attackers craft phishing, vishing, or social-engineering operations with chilling precision. The gap between a crude scam and a perfectly contextualized message is precisely this data.

This industrialization is further amplified by the rise of automated tools and generative AI. Hackers with limited technical backgrounds can now generate code, test credentials, and exploit data at scale. The barrier to entry has collapsed.

A persistent, widely underestimated risk

Synacktiv’s investigations reveal another blind spot: some attacks lean on data from older breaches, sometimes several years after their initial disclosure.

Technical data—internal documentation, configurations, architectural diagrams, or source code—can be stored for years before being exploited to identify vulnerabilities or prepare targeted strikes.

Moreover, numerous attacks targeting intellectual property or technical information receive little media attention, yet they can have major strategic consequences.

At the heart of this ecosystem are the Initial Access Brokers. These intermediaries identify compromised access and resell it to other criminal groups (notably ransomware operators), who then take over to carry out the attack. It’s a division of labor that optimizes each participant’s capabilities and reduces risk for all involved.

Shifting the frame of reference

For Renaud Feil, co-founder and president of Synacktiv, the challenge begins with changing the frame of reference. “The goal today is to move beyond a one-off view of data leaks. They should be understood as events that feed a hidden, structured economy. The mechanisms seen in attacks aimed at individuals—account theft, identity theft, phishing—apply just as powerfully to businesses, with effects amplified.”

In other words, a data breach is never truly finished. It continues to exert influence long after discovery, feeding a market that never sleeps.

Dawn Liphardt
