The Role of Initial Access Markets in Ransomware Campaigns Targeting Australia and New Zealand

The cyber threat environment in Australia and New Zealand entered a critical phase in 2025, marked by a sharp rise in initial access sales, sophisticated ransomware operations, and widespread data breaches affecting essential sectors.

According to the Threat Landscape Report for Australia and New Zealand 2025, threat activity documented between January and November 2025 reveals a highly commercialized underground ecosystem where compromised network access is routinely bought, sold, and weaponized across multiple industries, creating unprecedented risk for organizations across the region.

The threat landscape analysis identifies a concentrated targeting strategy focused on data-rich industries.

Retail, Banking, Financial Services, and Insurance (BFSI), Professional Services, and Healthcare organizations remain disproportionately targeted due to the abundance of sensitive personally identifiable information (PII), financial data, and valuable downstream access opportunities they possess.

This sectoral focus reflects a deliberate strategy by threat actors seeking to maximize monetary returns and operational leverage in follow-on attacks.

Growth of Initial Access Markets

Cyble Research and Intelligence Labs (CRIL) documented 92 instances of compromised access sales affecting Australian and New Zealand organizations during 2025.

Retail organizations emerged as the primary target, accounting for 31 incidents (approximately 34% of all observed activity), more than three times the count of any other sector.

The BFSI sector recorded nine compromised access listings, while Professional Services organizations experienced seven documented incidents.

Combined, these three sectors accounted for over half of all initial access listings observed in the region during the reporting period.

This concentration reflects why these sectors appeal to threat actors. Retail and BFSI organizations routinely process substantial volumes of customer data and payment information, making them attractive targets for direct monetization or subsequent ransomware operations.

Professional Services firms offer an additional advantage: they typically maintain access to multiple client environments, creating lucrative supply chain exploitation opportunities.

Market analysis reveals a highly fragmented access brokerage landscape dominated by no single actor. “Cosmodrome” emerged as the most prolific compromised access seller during the period, followed closely by an actor operating as “shopify.”

However, these actors controlled only a fraction of total market activity. The seven most active sellers collectively accounted for approximately 26% of all observed access listings, while dozens of individual threat actors contributed the remaining listings, many posting only once or twice.

This decentralized structure indicates that initial access sales have become an accessible revenue stream for numerous threat actors, demonstrating the resilience and scalability of the underground economy and suggesting multiple pathways for network compromise.

Real-World Consequences

The threat landscape report documents several significant incidents illustrating how initial access translates into substantial organizational impact.

In June 2025, threat group Scattered Spider allegedly orchestrated a cyberattack against a major Australian airline, breaching a customer service portal and exposing records belonging to nearly six million customers, including names, email addresses, phone numbers, dates of birth, and frequent flyer numbers.

Investigators suspect this incident may represent part of a broader campaign targeting the aviation sector.

In March, threat actor “Stari4ok” advertised unauthorized access to a large Australian retail chain on the Russian-language forum Exploit, claiming access to hosting servers containing approximately 250 GB of data, including a 30 GB SQL database with around 71,000 user records. The listing carried an opening price of USD 1,500.

Similarly, in May, actor “w_tchdogs” offered unauthorized access to an Australian telecommunications provider on Darkforums, claiming to provide domain administration tools and critical network information, priced at USD 750.

Additional incidents highlight the broad attack surface. In April, unidentified threat actors breached the IT systems of a prominent accounting firm operating across Australia and New Zealand, compromising customer data and prompting the organization to warn clients of phishing attempts and obtain court injunctions in both countries.

Hacktivist activity also remained prevalent, with RipperSec claiming in January to have accessed an unsupported optical-fiber network monitoring device belonging to an Australian cable and media services provider.
