Inside the Trade Floor
The Opening
One post. One actor. One moment on the floor.
This is what a single listing looks like when a broker opens the door to an enterprise. Every structured field — industry, artifact, vector, privilege, claimed revenue — was extracted by the classifier from free-form forum prose.
Now meet one seller. Not chosen for notoriety — chosen because, across the past twelve months, their activity captures the scale of what’s happening on exploit in miniature. This is the actor whose posts touch the most distinct victims across the most distinct categories.
The Makeup
One listing. Now zoom out. What is the floor actually selling?
Twelve months on exploit: — classified listings at high confidence. Each one is tagged by what’s being moved — stolen data, network access, credentials, tools, services — or by a buyer looking for something. The shape of the mix is the shape of the market.
The Enterprise Question
Of everyone posting on exploit, how many are actually targeting companies?
Not all activity on exploit is enterprise-scary. Plenty of the noise is credential dumps, tool sales, and forum chatter. Stack the counts: every active seller in the window; then only the ones listing data breaches; then only the ones brokering corporate access.
How Few Cause This
The flood is produced by a surprisingly small crew.
Rank every actor by their breach + access post count, cumulatively. The top 10 alone account for a striking share of the total. The top 30 account for most of it. The rest of the forum — hundreds of sellers — produces the long tail.
Most of the floor is produced by a crew smaller than most enterprise IT teams.
The Pulse
How is this changing week over week?
Twelve months of volume, bucketed by week — just the two classes this story is about. Breach listings on bottom; access sales stacked on top. The total height is the weekly tempo of the floor.
The Targets
Where the victims sit, what they do, and the pairings that show up far more often than chance.
Where targets sit
The map is not uniform. Breach and access listings concentrate in a handful of countries — the English-speaking developed world absorbs the bulk of named targets.
What they do
Industry names come in dozens of forum-side variations; these have been normalized — Healthcare absorbs medical/hospital/pharma/biotech; Finance absorbs banking/fintech/insurance; and so on.
Unexpected intersections
Pairings where a country and an industry appear together far more often than chance would predict. These are the hot diagonals — where attention clusters.
The Actors
Who these people are — how long they’ve been here, and where they point their attention.
New, established, veteran
Every seller posting breach or access listings in the window, placed on a first-seen × last-seen plane. Banded by first-seen rank: the earliest 10% (veterans) sit to the left, the next 30% (established) in the middle, and the most recent 60% (new) to the right. The left edge is where the oldest hands sit — watch how much of the window’s breach and access volume that thin wedge produces.
Who’s handing out keys
The top access sellers on exploit, by count of corporate access listings in the window. Each card shows their most-frequent target countries, industries, and preferred entry vector — the targeting preferences a defender would want to know.
The floor is a shape, not a crowd.
A small, concentrated group of actors does most of the damage. Access brokerage is a mature subsegment. Targeting is geographically and sectorally structured. The story isn’t that the internet is flooded with criminals — it’s that a small, coordinated market is running surprisingly visibly, and it’s running on one forum more than any other.