In the ever-evolving cybercrime ecosystem, a staggering 1.7 billion passwords have been dumped onto criminal forums on the dark web, according to a report. The explosive rise of infostealer malware (malicious software designed to extract passwords, credentials, cookies, and keystrokes) has contributed to a 500% surge in infections across the globe in 2024.
The report documents how these malware variants have become the foundation for a burgeoning cybercrime economy. At the core of this black-market ecosystem are “initial access brokers”: actors who specialize in breaching systems and reselling those credentials to others involved in financial fraud, ransomware, or corporate espionage.
Once breached, a user’s identity becomes a tradable commodity, often bundled into combo lists—data sets of validated usernames and passwords that power automated credential-stuffing attacks.
The gravity of the situation is underscored by a chilling figure: over 100 billion compromised credentials are now circulating in the cybercriminal underground, a 42% increase from the previous year. Names like BestCombo, BloddyMery, and ValidMail have emerged as top sellers, specializing in the packaging and dissemination of these combo lists.
Why Infostealers Work: Simplicity, Scale, and Shock Value
Infostealer malware’s success lies in its simplicity and scalability. Unlike complex exploits or zero-day vulnerabilities, infostealers rely on tricking users into installing trojans, often disguised as legitimate software, game mods, or pirated content.
Once inside a system, they silently extract and exfiltrate sensitive data, including stored passwords, autofill entries, browser cookies, and even screenshots, sending them to remote command-and-control servers operated by threat actors.
Once harvested, this data fuels a chain of cybercrimes, from account takeovers (ATOs) and business email compromise (BEC) to corporate reconnaissance and financial fraud. These passwords are particularly valuable because they provide direct, credential-based access, bypassing perimeter defenses.
What You Can Do: Rethinking Password Hygiene in the Infostealer Era
The report’s findings are a stark wake-up call—not just for corporations, but for individuals who reuse simple passwords across multiple platforms. It’s no longer sufficient to assume that antivirus software and password managers alone can prevent breaches.
Security experts recommend the following steps:
- Embrace Multi-Factor Authentication (MFA): Even if a password is stolen, MFA adds a strong second layer of protection.
- Use Password Managers Wisely: Opt for managers that don’t auto-fill on malicious pages and regularly audit your password vault for duplicates.
- Avoid Reuse: One password, one site. Credential-stuffing relies on users repeating passwords across accounts.
- Monitor for Breaches: Use breach notification tools to receive alerts when your credentials appear in dumps.
- Shift to Passkeys and Biometrics: The future lies in passwordless authentication, such as device-based biometric logins and cryptographic tokens.
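The vault audit for duplicates recommended above, as an added example (not taken from the report or this article): it finds passwords reused across different sites in a CSV export. The column names and sample rows are constructed assumptions; real password managers use their own export formats.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export; the column layout is an assumption, not a real product's format.
SAMPLE_EXPORT = """name,url,username,password
Mail,https://mail.example.com/login,alice@example.com,Tr0ub4dor&3
Shop,https://shop.example.net/account,alice,Tr0ub4dor&3
Shop (old),https://www.shop.example.net/signin,alice,Tr0ub4dor&3
Bank,https://bank.example.org,alice01,c0rrect-horse-battery
Forum,https://forum.example.io,al1ce,Summer2024!
Games,https://games.example.io,alice,Summer2024!
"""

def site_of(url):
    """Hostname without a leading 'www.', so two entries for one site are not counted as reuse."""
    host = (urlsplit(url).hostname or url).lower()
    return host[4:] if host.startswith("www.") else host

def find_reuse(export_text):
    """Return the sets of sites that share one password, largest set first."""
    # Per-run random key: the digests identify equal passwords only inside this
    # process, so the grouping never holds a reusable hash of a vault password.
    key = secrets.token_bytes(32)
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if not row["password"]:
            continue  # entries without a password (notes, passkeys) are skipped
        digest = hmac.new(key, row["password"].encode(), hashlib.sha256).digest()
        groups[digest].add(site_of(row["url"]))
    reused = [sites for sites in groups.values() if len(sites) > 1]
    return sorted(reused, key=lambda s: (-len(s), sorted(s)))

if __name__ == "__main__":
    # Only site names are printed; the passwords themselves never leave the export.
    for sites in find_reuse(SAMPLE_EXPORT):
        print("same password on:", ", ".join(sorted(sites)))
```

A plaintext vault export is itself a target for infostealers, so delete it securely once the audit is done.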
For enterprises, the rise of infostealers signals an urgent need to prioritize endpoint visibility, behavioral analysis, and real-time threat intel integration.