Our Threat Intelligence analyst team has intercepted a critical post on a major underground Dark Web forum. A threat actor operating under the alias "AckLine" has put up a batch of compromised corporate VPN accesses for sale.
The Discovery: 5 Networks Auctioned
The actor "AckLine", holding the Insider rank on the underground forum, posted an offer to sell compromised access to 5 corporate networks, all reached through the Global Protect enterprise VPN solution. To attract high-level buyers (mainly ransomware groups), the attacker profiles the victims by revealing their revenue and size rather than their names.
- Target 1 (Romania): Telecommunications | Revenue: $290M+ | Employees: 1k-5k
- Target 2 (Colombia): Unknown Sector | Revenue: $120M+ | Employees: 500-1000
- Target 3 (Thailand): Business Services | Revenue: $10M+ | Employees: 50-200
- Target 4 (Slovenia): ISP/Telecommunications | Revenue: $25M+ | Employees: 50-200
- Target 5 (Spain): Education | Revenue: $350M+ | Employees: 1k-5k
“Credentials tested, haven't checked internal hosts or if they have Antivirus/EDR. Send me offers via qTox. Serious buyers only, if you come asking for the Zoominfo profile I'll block you. Don't waste my fucking time.”
The Role of Initial Access Brokers (IAB)
This finding is a textbook example of how the initial access market works. As we explained in our article on Initial Access Brokers (IABs), the cybercrime ecosystem has become highly professionalized.
IABs like AckLine are specialists dedicated exclusively to breaching the external perimeter of organizations. They do not deploy the ransomware themselves; they simply steal the "keys to the house" (in this case, Global Protect credentials) and sell them to the highest bidder.
Impact and Risks for Victims
This post reveals several critical points about how these actors operate:
- Specific Technology: Access to Global Protect, a widely used enterprise VPN solution, is being sold. This usually implies valid credentials were obtained without MFA (Multi-Factor Authentication) or a perimeter vulnerability was exploited.
- Victim Profiling: The attacker doesn't name the Spanish education company, but provides its revenue ($350M+) and size. This is enough for ransomware gangs to calculate how much ransom they can demand.
- "Blind" Sale: The seller clarifies they haven't checked the internal network or what Antivirus (AV) or EDR is installed. Their only job is to open the door; the buyer will handle lateral movement and ransomware deployment.
[Image: Original post by actor AckLine selling Global Protect VPN access on underground Dark Web forum]
The Importance of Dark Web Monitoring
When access to your company's network appears in a listing like AckLine's, time is critical. Within hours or days, that access will be bought by a ransomware group, and what was a simple compromised credential will turn into a massive encryption and extortion incident.
This is where proactive monitoring changes the game. Our Dark Web Monitoring module continuously analyzes these communications and extracts metadata. By cross-referencing indicators (such as sector, region, and revenue) with our clients' profiles, Notmining can identify if an organization is being auctioned off and provide actionable intelligence to close the breach before the final intrusion.
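The cross-referencing described above, sketched as an added example (not Notmining's code): it parses the five listing lines from the post and checks a constructed client profile against them. The profile, the field names and the reading of "$NM+" as a revenue floor are assumptions.

```python
import re

# Listing lines copied from the post above.
LISTING = """\
- Target 1 (Romania): Telecommunications | Revenue: $290M+ | Employees: 1k-5k
- Target 2 (Colombia): Unknown Sector | Revenue: $120M+ | Employees: 500-1000
- Target 3 (Thailand): Business Services | Revenue: $10M+ | Employees: 50-200
- Target 4 (Slovenia): ISP/Telecommunications | Revenue: $25M+ | Employees: 50-200
- Target 5 (Spain): Education | Revenue: $350M+ | Employees: 1k-5k
"""

LINE_RE = re.compile(
    r"Target\s+(?P<n>\d+)\s+\((?P<country>[^)]+)\):\s*(?P<sector>[^|]+?)\s*\|"
    r"\s*Revenue:\s*\$(?P<rev>\d+)M\+\s*\|\s*Employees:\s*(?P<lo>[\dk]+)-(?P<hi>[\dk]+)")

def _count(token):
    """Convert an employee-band token: '1k' -> 1000, '500' -> 500."""
    return int(token[:-1]) * 1000 if token.endswith("k") else int(token)

def parse_listing(text):
    """Turn each 'Target N (...)' line into a structured record."""
    return [{
        "target": int(m["n"]),
        "country": m["country"],
        "sectors": {s.strip().lower() for s in m["sector"].split("/")},
        "min_revenue_musd": int(m["rev"]),  # assumption: "$NM+" is a floor
        "employees": (_count(m["lo"]), _count(m["hi"])),
    } for m in LINE_RE.finditer(text)]

def match(profile, targets):
    """Return target numbers whose country, sector, revenue floor and size band fit."""
    hits = []
    for t in targets:
        lo, hi = t["employees"]
        # An "Unknown Sector" listing cannot rule any sector out.
        sector_ok = ("unknown sector" in t["sectors"]
                     or profile["sector"].lower() in t["sectors"])
        if (t["country"] == profile["country"] and sector_ok
                and profile["revenue_musd"] >= t["min_revenue_musd"]
                and lo <= profile["employees"] <= hi):
            hits.append(t["target"])
    return hits

# Constructed client profile (hypothetical organisation, not from the post).
PROFILE = {"country": "Slovenia", "sector": "ISP", "revenue_musd": 31, "employees": 140}

if __name__ == "__main__":
    print(match(PROFILE, parse_listing(LISTING)))
```

A hit only narrows the candidates; it is a trigger to review VPN authentication logs and rotate credentials, not proof that the listed network is yours.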