Infostealer malware harvested 1.8 billion credentials from 5.8 million infected devices in just the first half of 2025 — an 800% increase over the prior six months. More than half of ransomware victims had their domain credentials circulating on dark web marketplaces before the ransomware even hit. If your defense strategy still centers on passwords and basic MFA, you're already behind. Here's what the infostealer epidemic actually looks like, why your current defenses are failing, and what to do about it.
The credential theft problem isn't new. What's new is the scale, the speed, and the commoditization. Infostealer malware has gone from niche cybercriminal tooling to a fully industrialized, subscription-based economy where anyone with $200 a month can start harvesting credentials from enterprise environments. Microsoft's Digital Defense Report 2025 laid it out plainly: threat actors are no longer brute-forcing their way past firewalls. They're logging in with stolen identities. Identity is the new perimeter, and it's wide open.
The Numbers: How Bad It Actually Is
Let's ground this in data. Flashpoint's Global Threat Intelligence Index reported that 1.8 billion credentials were stolen in the first half of 2025, harvested from 5.8 million infected endpoints. That's not a typo. KELA's Infostealer Epidemic Report tracked 3.9 billion credentials compromised across 4.3 million infected machines in 2024 alone, with the top three malware families — Lumma, StealC, and RedLine — responsible for over 75% of those infections.
The Verizon DBIR 2025 added a chilling detail: 54% of ransomware victims had their domain credentials appear in stealer log marketplaces before the ransomware deployment hit. The time between a stolen credential appearing on a dark web marketplace and it being weaponized in an attack? Sometimes under 48 hours. That's your detection window. That's how long you have from "credential compromised" to "ransomware deployed" to find and fix the problem.
Meanwhile, credential theft saw a 160% increase in breaches year over year according to Check Point and Flashpoint's midyear analyses, and SecurityWeek's analysis found that 75% of breaches now involve compromised identities using valid credentials. The IBM X-Force Threat Intelligence Index 2025 documented an 84% year-over-year increase in infostealers delivered via phishing. The picture is clear: the password as a security mechanism is dead. Attackers figured that out faster than most defenders.
- 1.8 billion credentials stolen in H1 2025 (Flashpoint).
- 3.9 billion compromised in 2024 (KELA).
- 75% of breaches involve stolen identities (SecurityWeek).
- 54% of ransomware victims had credentials for sale on dark web markets before the attack (Verizon DBIR).
- 84% year-over-year increase in infostealer phishing delivery (IBM X-Force).
How Infostealers Work (And Why You Don't Notice)
Infostealers are not ransomware. There's no ransom note. No encrypted files. No dramatic popup demanding Bitcoin. That's exactly what makes them so dangerous — they operate in total silence. The malware lands on a machine, usually through a phishing email, a malicious download, a fake software installer, or a poisoned search engine result. Once running, it does its work in minutes: it scrapes saved passwords from every browser on the machine, grabs session cookies for already-authenticated services, dumps cryptocurrency wallet files, collects system information, and exfiltrates everything to attacker-controlled infrastructure. Then it's done. The user never notices anything happened.
The stolen data gets packaged into what the underground calls "stealer logs" — neatly organized bundles of credentials, cookies, and system fingerprints that get sold on dark web marketplaces and private Telegram channels. A single log containing corporate VPN credentials or cloud service access tokens commands premium prices. The entire pipeline from infection to credential sale happens in minutes to hours.
"Attackers now leverage SEO poisoning, malvertising, and legitimate platforms to infect organizations at scale. Once inside, these threats don't just exfiltrate data — they deploy additional payloads, move laterally across networks, and systemically extract sensitive data." — Danielle Kinsella, Technical Advisor (EMEA), Gigamon, speaking to CSO Online
The Huntress 2025 Cyber Threat Report found infostealers present in 24% of all incidents they investigated, with the most common delivery method being phishing emails and malicious downloads that trick users into running the malware themselves.
Why MFA Alone Won't Save You
Here's the uncomfortable truth that too many organizations haven't internalized: multi-factor authentication protects the authentication event. Infostealers steal session cookies that represent already-authenticated sessions. The attacker doesn't need your password or your MFA code. They replay your cookie and walk right into your account as if they were you, with your active session, bypassing every authentication control you've configured.
That's not the only MFA bypass technique in play. Attackers are also running MFA fatigue attacks — hammering users with repeated push notifications until they tap "approve" to make it stop. They're running SIM swapping operations to hijack phone numbers and intercept SMS codes. They're deploying adversary-in-the-middle (AiTM) phishing kits that relay MFA codes in real time. Evilginx, the most notorious AiTM phishing kit, has been adopted by threat actors ranging from phishing-as-a-service operators to Russian espionage groups like Star Blizzard, according to Microsoft's threat intelligence team.
"Instead of brute-forcing their way past firewalls, threat actors are now increasingly exploiting legitimate credentials, tokens, and trusted relationships to access systems and data." — Microsoft Digital Defense Report 2025
The 2026 Salesloft/Drift breach demonstrated this at massive scale: stolen OAuth tokens let attackers access hundreds of downstream customer organizations. Not a single password was cracked. The attackers simply replayed valid tokens. When identity is the new perimeter, token theft is the new break-in.
The Big Three: Lumma, StealC, and RedLine
Three infostealer families dominate the current threat landscape, and understanding them matters for your detection strategy.
Lumma Stealer
Lumma was the most prevalent infostealer of 2025, with 23.3 million detections globally according to the Identity Threat Report 2025. It runs as a Malware-as-a-Service subscription at around $200 per month, targeting browser credentials, cookies, cryptocurrency wallets, and system data. Its management panel gives operators real-time statistics, automated log parsing, and filtering tools to identify high-value corporate credentials automatically. In May 2025, the U.S. Department of Justice coordinated with Microsoft to disrupt Lumma's infrastructure, sinkholing 394,000 infections and seizing domains. But as Flashpoint analysts noted, the disruption reduced Lumma's prevalence without eliminating it. Operators migrated to alternative stealers within weeks.
What makes Lumma particularly insidious is its speed of adaptation. When Google Chrome pushed app-bound cookie encryption in late 2024, it should have broken every infostealer's Chrome cookie collection capability. Flashpoint's senior analyst Marisa Atkinson told CSO Online what actually happened:
"When Google Chrome pushed cookie-securing updates (app-bound encryption) last September it rendered all stealers' Chrome cookie collection obsolete. The stealer families Lumma, Vidar, and Meduza pushed updates and work-arounds to their stealer code within 24 hours." — Marisa Atkinson, Senior Analyst, Flashpoint, speaking to CSO Online
Twenty-four hours. That's how fast the underground adapts to browser security improvements.
StealC
StealC has climbed into the top three globally by infection volume. Its developers prioritize stealth over breadth of capability — Version 2, released in March 2025, added command-and-control encryption with RC4 and updated payload delivery via MSI packages and PowerShell. The design philosophy is to generate less noise and so avoid triggering EDR and security monitoring tools. For defenders, that means StealC infections are harder to catch with signature-based detection alone.
RedLine
RedLine has been a workhorse of the infostealer ecosystem for years, at one point responsible for 51% of all infostealer infections. Even after law enforcement took down its operators in late 2024, RedLine remains widely deployed through existing distribution channels and phishing campaigns. IBM X-Force documented over 3.7 million Lumma credentials and 568,000 RedLine credentials being advertised on dark web markets in 2024 alone — and those numbers represent just the publicly listed portion.
At roughly $200 per month for a subscription, infostealers have become the most accessible weapon in the cybercrime toolkit. This isn't advanced persistent threat-level sophistication — it's commodity malware that any script kiddie can rent, deploy via phishing, and start harvesting enterprise credentials with a dashboard that looks like a SaaS product.
The Defense Playbook That Actually Works
Defending against infostealers requires thinking beyond passwords and beyond basic MFA. Here's what actually moves the needle.
1. Deploy Passkeys / FIDO2 for Everything You Can
FIDO2 passkeys are the single most effective defense against credential theft. They use asymmetric cryptography tied to device hardware — the private key never leaves the device, there's no shared secret to steal, and the credential is cryptographically bound to the specific website origin. A passkey created for your real login page literally cannot be used on a phishing clone. There's nothing to phish, nothing to stuff, and nothing to replay.
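To show what "bound to the specific website origin" means on the relying-party side, here is an added example (not code from the article or from any WebAuthn library) that runs the type, challenge, origin and rpIdHash checks a server performs on a WebAuthn assertion. The relying party id, origins and challenge values are constructed; the final signature check is assumed to follow with a crypto library.

```python
"""Relying-party checks that make a passkey useless on a phishing clone.

Added illustration, not code from the article or from any WebAuthn library. It runs
the type, challenge, origin and rpIdHash checks a relying party performs on a
WebAuthn assertion; the final signature check over authenticatorData ||
SHA-256(clientDataJSON) needs an ECDSA/EdDSA library and is assumed to follow.
The relying party id, origins and challenge values are constructed."""
import base64, hashlib, json, os

RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

def browser_client_data(origin, challenge):
    """The browser, not the page, writes the real origin into what gets signed."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()

def verify_assertion_context(client_data_json, auth_data, expected_challenge):
    """Context checks from the WebAuthn assertion verification procedure (no signature)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP flag
        return False, "user presence not asserted"
    return True, "context ok; proceed to signature check"

def simulate(origin):
    """One get() ceremony as seen from the relying party, for a page at `origin`."""
    challenge = os.urandom(32)                # per-ceremony challenge kept server-side
    cdj = browser_client_data(origin, challenge)
    host = origin.split("://", 1)[1]          # the authenticator hashes the effective domain
    auth_data = rp_id_hash(host) + bytes([0x05]) + (0).to_bytes(4, "big")  # UP|UV, counter 0
    return verify_assertion_context(cdj, auth_data, challenge)
```

Because the origin is written by the browser into the signed client data, a clone at a look-alike domain fails the origin check before any signature is even examined.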
The adoption numbers have hit a tipping point. Google reports over 800 million accounts now using passkeys. Microsoft made passkeys the default for new accounts in May 2025. The FIDO Alliance found that 53% of consumers have enabled passkeys on at least one account. Microsoft's own data on synced passkeys in Entra ID shows that users are 14 times faster logging in with passkeys versus password-plus-MFA and three times more successful at completing sign-in. NIST's updated Digital Identity Guidelines now formally recognize synced passkeys as phishing-resistant authentication at Assurance Level 2, giving enterprises a standards-backed mandate to adopt them.
Start with privileged accounts and work outward. Your admins, your developers, your executives — anyone with access to production systems, API keys, or sensitive data should be on passkeys now, not next quarter.
2. Hunt for Infostealer Infections Proactively
You can't defend what you don't detect. Traditional endpoint detection fails against 66% of infostealers, according to recent testing. Your detection strategy needs to go beyond signature matching. Monitor for anomalous browser data access patterns — infostealers read browser credential databases in specific ways that behavioral analytics can flag. Watch for credentials from your domain appearing on dark web marketplaces through threat intelligence feeds. Analyze outbound network connections for unusual C2 communication patterns. KELA, Flashpoint, and similar threat intelligence platforms provide stealer log monitoring that can alert you when your organization's credentials surface for sale.
The detection window matters enormously. If you can catch a compromised credential within hours of theft instead of days, you can rotate it before it gets weaponized. Aim for a 4-hour response window on suspected infostealer infections. Current industry average detection time is around 4 days — an eternity when credentials can go from stolen to sold to deployed in under 48 hours.
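The behavioral pattern described above (a non-browser process reading browser credential stores, then calling out) can be expressed as simple correlation logic. This is an added example, not code from the article or any EDR vendor; the telemetry format, hostnames, process names and timestamps are constructed.

```python
"""Flag infostealer-style credential-store access in endpoint telemetry.

Added illustration, not code from the article or any vendor product. The
event format, hostnames, process names and timestamps are constructed."""
from datetime import datetime, timedelta

# Browser credential/cookie stores that stealers read (Chromium and Firefox names).
CREDENTIAL_STORES = ("Login Data", "Cookies", "Local State", "logins.json", "cookies.sqlite", "key4.db")
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}  # legitimate readers
MAX_RESPONSE_WINDOW = timedelta(hours=4)  # the article's target from theft to containment

def parse(line):
    ts, host, proc, action, target = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc.lower(),
            "action": action, "target": target}

def suspicious_store_reads(events):
    """Events where a non-browser process reads a browser credential store."""
    return [e for e in events
            if e["action"] == "file_read"
            and any(e["target"].endswith(s) for s in CREDENTIAL_STORES)
            and e["proc"] not in BROWSER_PROCESSES]

def correlate_exfil(events, store_reads, window=timedelta(minutes=5)):
    """Pair each suspicious read with an outbound connection by the same process soon after."""
    hits = []
    for r in store_reads:
        for e in events:
            if (e["action"] == "net_connect" and e["host"] == r["host"] and e["proc"] == r["proc"]
                    and timedelta(0) <= e["ts"] - r["ts"] <= window):
                hits.append((r["host"], r["proc"], r["target"], e["target"]))
    return hits

def detect(lines, now):
    """Return (read-then-connect hits, whether the 4-hour response window is already blown)."""
    events = [parse(ln) for ln in lines]
    reads = suspicious_store_reads(events)
    first = min((r["ts"] for r in reads), default=None)
    overdue = first is not None and now - first > MAX_RESPONSE_WINDOW
    return correlate_exfil(events, reads), overdue

SAMPLE = [  # constructed telemetry: ts|host|process|action|target
    "2025-06-03T09:12:01|WS-114|chrome.exe|file_read|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "2025-06-03T09:14:22|WS-114|setup_update.exe|file_read|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "2025-06-03T09:14:23|WS-114|setup_update.exe|file_read|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
    "2025-06-03T09:14:30|WS-114|setup_update.exe|net_connect|203.0.113.50:443",
    "2025-06-03T09:20:00|WS-207|msedge.exe|net_connect|login.microsoftonline.com:443",
]
```

The browser's own read of its store is ignored, while the installer-named process reading two stores and connecting out within seconds produces two correlated hits; the `overdue` flag tells the analyst whether the 4-hour window has already passed.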
3. Implement Session Token Controls
Since infostealers steal cookies and tokens that bypass authentication entirely, you need controls that validate sessions continuously, not just at login. Implement conditional access policies that re-evaluate sessions based on device compliance, network location, and behavioral signals. Token binding — tying authentication tokens to specific device characteristics so they can't be replayed from another machine — is critical. Google Chrome's Device Bound Session Credentials initiative is one example of this approach at the browser level.
Configure session lifetimes aggressively. The longer a session token remains valid, the longer the window an attacker has to replay it. For high-value applications, consider session durations measured in hours, not days.
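As an added example of the two controls just described (device binding plus a short lifetime), here is a server-side session check that rejects a session id replayed from a different device and one that has outlived its TTL. This is illustration, not code from the article; the fingerprint attributes and the replay scenario are constructed.

```python
"""Server-side session validation with device binding and a short lifetime.

Added illustration, not code from the article. The fingerprint attributes and the
replay scenario are constructed; a real deployment binds to a hardware-backed key
(as Chrome's Device Bound Session Credentials does), not to observable attributes."""
import hashlib, hmac, secrets
from datetime import datetime, timedelta

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process MAC key
SESSION_TTL = timedelta(hours=2)      # hours, not days, for a high-value application

def device_fingerprint(attrs):
    """SHA-256 over the (constructed) device attributes the session is bound to."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()

def record_mac(sid, user, fp):
    return hmac.new(SERVER_KEY, f"{sid}|{user}|{fp}".encode(), "sha256").hexdigest()

def issue_session(user, attrs, now):
    sid = secrets.token_urlsafe(24)
    fp = device_fingerprint(attrs)
    return sid, {"user": user, "fp": fp, "issued": now, "mac": record_mac(sid, user, fp)}

def validate_session(store, sid, attrs, now):
    """Return (ok, reason); a cookie replayed from another device fails the binding check."""
    rec = store.get(sid)
    if rec is None:
        return False, "unknown session"
    if not hmac.compare_digest(rec["mac"], record_mac(sid, rec["user"], rec["fp"])):
        return False, "session record tampered"
    if now - rec["issued"] > SESSION_TTL:
        return False, "session expired"
    if not hmac.compare_digest(rec["fp"], device_fingerprint(attrs)):
        return False, "device mismatch: possible cookie replay"
    return True, "ok"

def replay_scenario():
    """Victim signs in; the same session id is then presented from a different device."""
    store, t0 = {}, datetime(2025, 6, 3, 9, 0)
    victim = {"client_cert_thumb": "aa11", "os": "Windows 11", "ua": "Chrome/126"}
    sid, rec = issue_session("alice", victim, t0)
    store[sid] = rec
    other = {**victim, "client_cert_thumb": "ff99"}  # constructed attacker device
    return {
        "victim": validate_session(store, sid, victim, t0 + timedelta(minutes=30)),
        "replay": validate_session(store, sid, other, t0 + timedelta(minutes=31)),
        "stale": validate_session(store, sid, victim, t0 + timedelta(hours=3)),
    }
```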
4. Harden Endpoints Against Credential Harvesting
Infostealers pull credentials from browser password databases, so reducing what's stored there reduces what can be stolen. Deploy an enterprise password manager with browser extension integration and disable the built-in browser password save feature via group policy. Keep browsers patched — Chrome's app-bound cookie encryption was a meaningful security improvement even though stealers adapted quickly, because it raises the cost and complexity of theft. Run EDR with behavioral detection rules tuned for credential access patterns, not just known malware signatures.
5. Assume Breach, Verify Constantly
The 2026 threat landscape demands a true zero trust posture. The WEF Global Cybersecurity Outlook 2026 found that 81% of surveyed organizations are at least planning Zero Trust implementations. But planning isn't doing. Operationally, this means enforcing least-privilege access on every account, requiring continuous verification for every session, segmenting network access so a single compromised credential doesn't hand over the keys to the kingdom, and treating every login from a new device or location as suspicious until proven otherwise.
"Across dozens of investigations this year, we've seen that in many cases, the breach was already well underway before anyone realised what was happening." — Eye Security, Cyber Threat Landscape 2026 report
The IBM Cost of a Data Breach Report 2025 found that organizations using AI and automation in their security operations save an average of $1.9 million per breach through faster detection, automated response, and reduced manual investigation workload. The tools exist. The question is whether your organization deploys them before or after the infostealer logs containing your domain credentials surface on Telegram.
Key Takeaways
- Passwords are dead. Act like it. Infostealers have industrialized credential theft to a point where every saved password is a liability. The only authentication mechanism that fundamentally removes the shared secret is FIDO2 passkeys. Start deploying them for privileged accounts immediately.
- MFA is necessary but not sufficient. Session cookie theft, AiTM phishing, MFA fatigue, and SIM swapping all bypass traditional multi-factor authentication. Layer conditional access, token binding, and session controls on top of MFA — or better yet, replace phishable MFA methods with passkeys entirely.
- Monitor the dark web for your credentials. If 54% of ransomware victims had their stolen credentials for sale before the attack, then threat intelligence monitoring of stealer log marketplaces is a ransomware prevention control. Integrate it into your SOC operations.
- Infostealers are silent. There's no ransom note, no encrypted files, no dramatic indicator of compromise. Detection requires behavioral analytics, outbound traffic analysis, and proactive threat hunting — not just endpoint antivirus.
- The $200 subscription model changed everything. This isn't nation-state tooling. It's commodity malware that anyone can rent. The barrier to entry for credential theft is now lower than the barrier to entry for most SaaS products. Your defense posture needs to account for the sheer volume of actors now equipped to steal credentials at scale.
The credential theft economy isn't slowing down. Infostealer operators adapt to browser security improvements in 24 hours, migrate to new infrastructure within weeks of law enforcement takedowns, and sell stolen credentials faster than most organizations can detect the infection. The defenders who survive 2026 will be the ones who accepted that the password era is over and built their identity security around that reality. The rest will find their credentials in a Telegram channel, priced at $10 a log.