Tripping the Dominoes
The Fall-On Effects of Password Re-Use and Credential Stuffing
One of my all-time favorite movie series is the Matrix movies.
Something has always attracted me to tech fantasy of a sort, with Back to the Future up there too. The fact that a hacker (of all things) named Neo can enter a simulated world essentially built on computer code and begin to alter reality by "altering the code" always struck me as cool. A bit of a premonition in my early to late teen years, I guess...
I was also a big gamer when I was a young kid and poured many hours into Enter the Matrix when it came out on the GameCube, as it let me play as some of the side characters of the series: Niobe and Ghost. The game also had some SWEET cutscenes that made you feel like you were playing inside the actual movie. At one point, Niobe and Ghost come across the character of the Keymaker. The Keymaker is able to open pretty much any door in the simulated world that is the Matrix, even at one point taking our characters into the very substructure that the Matrix is built on, which appears as a hallway. The hallway has many doors that open to different locations and parts of the world of the simulation, which the Keymaker seems to access at will.

For the sake of our metaphor (and cuz I like movies), think of this hallway like your digital life.
Remember our "Harvesting" Analogy?
As hard as farmers work to produce raw materials (take wheat, for example), the real goal is to turn the raw materials into polished finished products that sell for far more money than the raw material alone. You get a lot richer quicker by growing higher-quality wheat that can be ground into 00 flour for premium breads, pastas, and cakes than you do selling it as animal feed.
Threat actors think the same way about your data. While a large batch of data compromised from a large corporation's email server is good, there may be a few diamonds in the rough that can be pulled out and leveraged to far greater effect. Perhaps within the larger data jumble, there are a large number of email addresses that share the same domain, like john.doe@example.com, jane.doe@example.com, etc. Say some contain PIN numbers, passport numbers, phone numbers, addresses, or even plaintext passwords. This prized data can be separated from the other filler and marketed as "Example.com Combos" or "Big Bank Logs with PINs" or "Carrier Y Numbers for Swaps" within underground communities. There are literally millions of examples of these circulating. This way, hackers turn one "harvest" into multiple "finished products."
In a few words: Enrich to get rich
We're still missing something though, sorry to say:
As you engage with websites and services across the internet, the number of doors in the hallway of your digital life increases, with each one of these doors having a "key" which can unlock access to that part of your "world," whether that be your Facebook account, bank account, Apple Pay, etc. See where I'm going with this?
We discussed in "The Myth of 'I've Got Nothing to Hide'" that targeting the masses in data breaches is far less about specific targeting of individuals and more about what possessing the data means in aggregate (i.e. scale over specifics). Harkening back to the lottery analogy we made, it is far better to have more tickets with higher odds of a low to medium level payout than betting it all on black for a single roll. Threat actors are simply playing the odds, we've made that clear already...but there is definitely another point that we skipped over that we'll touch on in depth here:
Raw materials are nice, finished products are better!
But what if you could "replay" your lottery ticket!?
While Your Data's Value Is in Enrichment, Your Habits' Value Is in Repeatability
One of the most predictable aspects of human nature is that we fall into patterns of life or stick to a routine. We always order our coffee the same way, we drive predictable routes to get to and from a handful of locations we frequent, etc. Cybercriminals know the aspects of the game they are playing and how to tip the odds in their favor, that we have already established, but there is another aspect to things: EVERYONE ELSE PLAYING.
As James Bond tells Vesper in Casino Royale, "In poker, you don't just play your hand, but you also play the man across from you." The game is as much about understanding the constraints of the world you are operating in (and, in the case of cybercriminals, bending and manipulating it as needed) as it is about how the masses are playing. A person sitting at your blackjack table who is dealt before you and makes bad decisions makes all the difference to your success!
The thing about humans, as complex a species as we have indeed become, is that we fall into quite predictable patterns of behavior. Chances are good you drive the same route to work with the same coffee order listening to the same radio station on your morning commute at the same time more often than not...How many times have you driven to work and not even thought about it until you actually pulled into the parking lot!? Happens to the best of us.
The "replaying the lottery ticket" analogy I made above plays off of this idea of human predictability through the digital lens. What if the same numbers that won me the Powerball could also win me the MegaMillions!? The ticket now becomes far more powerful, purely based on an increase in probability due to human behavior.
Let’s go back to our hallway.
You don’t just have one door.
You have dozens. Maybe hundreds.
Now ask yourself a simple question:
How many of those doors use the same key?
This is where credential stuffing comes into play.
Credential stuffing is exactly what it sounds like: taking a username and password that worked on one door in your digital hallway and trying it on every other door.
No guessing.
No breaking in.
No Hollywood hacking scene.
Just weaponization of human behavior and probability.
If you’ve ever reused a password, you’ve unknowingly increased the odds that one compromised account turns into many when one key opens multiple locks.
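From the defender's side, the "one key tried on every door" pattern described above has a recognizable shape in authentication logs: a single source cycling through many different usernames, each tried once, with mostly failures and the occasional success. The following is an added example, not code from the original post. The log line format, the sample lines, the IP addresses and the thresholds are all constructed assumptions for illustration.

```python
"""Credential-stuffing detector over authentication log lines.

Added example (not from the original post). The log format, sample lines,
addresses and thresholds are constructed assumptions; tune them against
real traffic before relying on them.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed format: "<ISO timestamp> src=<ip> user=<login> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source walks a leaked list (many users, one hit),
# a second source is one person retyping their own password.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=198.51.100.7 user=alice result=fail
2024-05-01T10:00:02Z src=198.51.100.7 user=bob result=fail
2024-05-01T10:00:02Z src=198.51.100.7 user=carol result=fail
2024-05-01T10:00:03Z src=198.51.100.7 user=dave result=ok
2024-05-01T10:00:03Z src=198.51.100.7 user=erin result=fail
2024-05-01T10:00:04Z src=198.51.100.7 user=frank result=fail
2024-05-01T10:05:00Z src=203.0.113.9 user=alice result=fail
2024-05-01T10:05:20Z src=203.0.113.9 user=alice result=fail
2024-05-01T10:05:40Z src=203.0.113.9 user=alice result=ok
"""


@dataclass
class SourceStats:
    """Per-source-IP counters built from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

    @property
    def success_ratio(self) -> float:
        return 1.0 - self.failures / self.attempts if self.attempts else 0.0


def parse_events(text: str) -> list:
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_source_stats(events) -> dict:
    """Aggregate attempts, failures and distinct usernames per source address."""
    stats = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev["src"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "fail":
            s.failures += 1
    return dict(stats)


def find_stuffing_sources(stats, min_distinct_users=5, max_success_ratio=0.5):
    """Flag sources that try MANY different usernames with mostly failures.

    One user failing repeatedly from one source is a different pattern (a typo,
    or a targeted guess on a single account) and is deliberately not flagged.
    Returns sorted (src, distinct_users, success_ratio) tuples.
    """
    flagged = []
    for src, s in stats.items():
        if len(s.users) >= min_distinct_users and s.success_ratio <= max_success_ratio:
            flagged.append((src, len(s.users), round(s.success_ratio, 2)))
    return sorted(flagged)


def validated_hits(events, flagged_sources) -> list:
    """The successes inside a flagged batch are the 'validated credentials' the
    post describes being packaged for resale; these accounts need a forced reset."""
    return sorted({ev["user"] for ev in events
                   if ev["src"] in flagged_sources and ev["result"] == "ok"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    st = per_source_stats(evs)
    hits = find_stuffing_sources(st)
    print("suspected stuffing sources:", hits)
    print("accounts confirmed valid by those sources:",
          validated_hits(evs, {h[0] for h in hits}))
```

The distinguishing signal is breadth rather than depth: a stuffing run touches many accounts once each, so the per-source distinct-user count climbs while the success ratio stays low. The single success inside such a batch is the account that just became a "finished product" and is the first thing to act on.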
Threat actors do take this a step further, however (remember, raw materials are great but refined products are better).
Counting Cards: Why Complexity Doesn't Matter in Singularity
The math problem hiding behind your password
There’s a method to the madness of demanding that 12-character password with uppercase, lowercase, special characters, and numbers you hear about in your security training!
Underneath all of that is a simple idea: Every time you add more possible characters to a password, you’re not increasing the difficulty a little bit…
You’re increasing it exponentially. Think of it like this:
If your password is 4 characters long and only uses lowercase letters, you’ve got 26 possible options for each character.
That means:
26 × 26 × 26 × 26
Or about 456,000 possible combinations.
Not nothing… but not exactly Fort Knox either.
Now make that password 8 characters long.
Same rules, just longer.
Now you’re looking at:
26⁸
Roughly 208 billion combinations.
Same character set. Just a few extra characters.
Now add uppercase letters, numbers, and symbols.
Now you’re not just adding possibilities…
You’re multiplying them.
That’s exponential growth of security, but in a vacuum.
Singular complexity does not beat out probability
The thing about the math is that the curve can be flattened, as one complex password often gets repeated cross-platform or even within the same environment. True brute-force attacks require incredible amounts of computational resources and time, as each username:password combination is tried in random order. With modern password complexity, some of these computations, even in the best-case scenarios, would take upwards of thousands of years to break just one combination. This is not the kind of exponential growth that threat actors want. While great for a 401k, kinda not for quick cash...
Instead, threat actors become pro-level scouts and go to work studying "game film." These games are data breaches and the raw data they contain. With over 1,000 estimated data breaches occurring year-over-year since 2016, threat actors definitely know when to drop to Cover-4, when to blitz, and who you're throwing to on 3rd and long. They study the commonalities in the raw data harvested from these breaches to build their refined products: wordlists.
The curve is flattened when commonalities emerge. One of the most famous examples of this happened in 2009 when attackers compromised the social gaming company RockYou. What made that breach infamous wasn’t just the scale—over 30 million passwords—but the fact that they were stored in plain text. What made this so powerful was that, on a grand scale, security researchers and hackers alike now got a look behind the curtain on how users chose their passwords.
People love:
Sports teams
Seasonal passwords
Pet names
Cities
Keyboard patterns
Birth years
You didn’t just see password123.
You saw things like:
Summer2010
Jessica1987
Yankees1
ILoveMyDog
qwertyuiop
And once those patterns were known, they became reusable and easily packaged. Even a wordlist of 30 million of the top passwords beats trying billions of combinations, especially when human behavior lowers the probability curve. You don't have to prepare for all eventualities when you already know what is most likely to occur.
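The two halves of this section, the keyspace arithmetic (26⁴, 26⁸, then a bigger character set) and the point that breach-derived patterns make most of that keyspace irrelevant, can be put side by side in code. The block below is an added example, not from the original post: it computes keyspaces for a given character set and length, then builds a small wordlist from the very habits the post lists (season+year, name+year, team+digit, keyboard walks) and checks whether a password is predictable. The names, teams, year range and the guess rate used in the demo are placeholder assumptions; the list is not the RockYou data.

```python
"""Password keyspace vs. human-pattern wordlists.

Added example, not from the original post. The candidate list is built from
the pattern families the post names; names, teams and the year range are
placeholder assumptions, not real breach data.
"""
import itertools
import re

LOWER = 26
FULL = 26 + 26 + 10 + 33   # lower + upper + digits + printable ASCII symbols = 95


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` drawn from `charset_size` symbols."""
    return charset_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in `space` at a given guess rate."""
    return space / guesses_per_second


# ---- a tiny "refined product": candidates built from observed habits ----
SEASONS = ["Spring", "Summer", "Fall", "Winter"]
YEARS = [str(y) for y in range(1980, 2025)]              # assumed range
NAMES = ["Jessica", "Michael", "Ashley", "John"]          # placeholder assumption
TEAMS = ["Yankees", "Cowboys", "Lakers", "Packers"]       # placeholder assumption
KEYBOARD_WALKS = ["qwerty", "qwertyuiop", "asdfgh", "1qaz2wsx", "123456", "12345678"]

# Word followed by a 4-digit year, optionally decorated with "!" or "1".
WORD_YEAR_RE = re.compile(r"^[A-Z]?[a-z]+(19|20)\d{2}[!1]*$")
# Run of capitalised words glued together, e.g. "ILoveMyDog".
PHRASE_RE = re.compile(r"^(?:[A-Z][a-z]*){2,}$")


def build_wordlist() -> set:
    """Generate candidates from pattern families rather than enumerating a keyspace."""
    words = set(KEYBOARD_WALKS)
    words.update(s + y for s, y in itertools.product(SEASONS, YEARS))
    words.update(n + y for n, y in itertools.product(NAMES, YEARS))
    words.update(t + d for t, d in itertools.product(TEAMS, ["", "1", "123", "!"]))
    # Common decorations seen on top of the base words (copy first: no mutation
    # of a set while iterating over it).
    words.update(w + "1" for w in list(words))
    words.update(w + "!" for w in list(words))
    return words


def is_predictable(password: str, wordlist: set) -> bool:
    """True if the password is in the wordlist or follows a breach-derived shape."""
    if password in wordlist:
        return True
    if WORD_YEAR_RE.match(password):
        return True
    if PHRASE_RE.match(password) and len(password) >= 8:
        return True
    return any(password.lower().startswith(walk) for walk in KEYBOARD_WALKS)


def compare(password: str, wordlist: set, guesses_per_second: float) -> dict:
    """Contrast the theoretical keyspace of a password with the size of the
    pattern list that would catch it."""
    space = keyspace(FULL, len(password))
    return {
        "length": len(password),
        "full_keyspace": space,
        "years_to_exhaust": seconds_to_exhaust(space, guesses_per_second) / (365 * 86400),
        "wordlist_size": len(wordlist),
        "predictable": is_predictable(password, wordlist),
    }


if __name__ == "__main__":
    print("26^4 =", keyspace(LOWER, 4), " 26^8 =", keyspace(LOWER, 8))
    wl = build_wordlist()
    for pw in ["Summer2010", "Jessica1987", "Yankees1", "ILoveMyDog", "qwertyuiop",
               "correct-horse-battery-staple-7"]:
        # 1e10 guesses/s is an assumed rate, chosen only for the illustration.
        print(pw, compare(pw, wl, 1e10))
```

Exhausting the 95-symbol keyspace for a 10-character password is a multi-year job even at an assumed ten billion guesses per second, yet "Summer2010" falls to a list of a couple of thousand entries. The gap between those two numbers is the flattened curve the post is describing: a password check that rejects the pattern families is worth more than one that only counts character classes.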
From Keys to Access: When the Door Actually Opens
Up to this point, we’ve been talking about getting through the door.
But in the world of cybercrime, getting in is often the least valuable part of the operation.
Access is the product.
And like any good marketplace, there are people who specialize in acquiring it… and people who specialize in using it.
This is where something called Initial Access Brokering comes into play.
Think of these actors as professional door-openers.
They don’t necessarily care what’s behind the door. They care that the door opens. Once they find valid credentials — whether through credential stuffing, phishing, or other means — they package that access up and sell it.
“Corporate VPN access – $500”
“Admin panel login – $1,000”
“Email account with reset capability – premium”
The value isn’t in you.
It’s in what your access connects to.
Once valid credentials are confirmed, things tend to move quickly.
Remember the hallway.
Opening one door is rarely the end goal. It’s a starting point.
Email accounts are one of the most valuable initial wins. Why?
Because email is the master key to the rest of your digital life.
With access to your email, an attacker can initiate password resets across other platforms, intercept verification codes, confirm account ownership, and expand access without ever needing your original password again...
From there, to speak metaphorically, is where the dominoes fall.
Retail accounts with saved payment methods get drained.
Banking access gets tested in small increments.
Social media accounts get repurposed for scams or phishing.
Work accounts can lead to internal systems, VPNs, or sensitive data.
And in many cases, the original compromise goes unnoticed.
Because from the system's perspective...everything looks legitimate.
Truth is, you were never the actual target. In fact, you're the ammunition.
No one picked you.
No one singled you out.
You were part of a list.
A dataset. A probability. A finding.
Credential stuffing allows threat actors to test keys in various locks, trying different combinations on various sites to try to cash in. Once those accounts are validated, they become a far more valuable finished product. Threat actors can then put these in a validated-credentials list, possibly packaging them with your password. Your olive has been pressed into oil at that point and now they can squeeze you for all you're worth. This is when the dominoes start to fall.
Because once access is confirmed, the question changes from:
“Can we get in?”
To:
“What can we turn this into?”
So, what's the bullseye, the pinnacle, the cheese!?
The best answer we have: Validated email credentials
Not to poop on anyone's porch, but certain "G" companies have a lot of inter-connected services: cloud storage drives, calendars, email, digital wallets...Hell, you can't set up a new cellphone without an Apple or Google ID now. iCloud is one of the world's most used services.
If a threat actor can get into your email inbox, they can view communications with other services that you engage with. Those Jam of the Month subscription emails don't stand a chance. Chances are you used the same or a similar password on those services as on your email.
This leads to one of the biggest cash-out strategies in cybercrime: Email Resets. This happens when the threat actors turn around and change the locks on all the doors in your digital life. Suddenly, you're locked out of your bank account and have suspicious charges for Amazon packages, hotel bookings, cards opened in your name, and it is a bear of a process to get reversed. Passwords all reset and suddenly, the threat actor is now acting as you.
Because, at the end of the day, they're dressing in your clothes to rob you blind.
That’s where things like account takeovers, SIM swaps, and identity abuse come into play.
That’s where the real money is made.
And that’s where we’re going next.
Because in cybercrime, getting access isn’t the win, it's a step toward cashing in.