The Quiet Catastrophe

While ransomware dominates headlines and boardroom discussions, a less visible but arguably more damaging threat has been growing at an exponential rate. Information-stealing malware — “infostealers” — has become the foundational layer of the modern cybercrime economy, silently harvesting credentials, session tokens, cryptocurrency wallets, and personal data on a scale that defies easy comprehension.

The numbers are staggering. According to KELA’s 2025 threat intelligence report, infostealer malware compromised 3.9 billion credentials across 4.3 million infected devices in 2024 alone. SpyCloud’s 2025 Identity Exposure Report found that 548 million credentials were exfiltrated via infostealer malware, with an average of 44 exposed credentials per infection and 1,861 cookies harvested per infected device. In January 2026, security researcher Jeremiah Fowler discovered an unprotected database containing 149 million unique login-password pairs — including 48 million Gmail accounts, 17 million Facebook accounts, and 900,000 Apple iCloud accounts — compiled entirely from infostealer operations.

These are not abstract statistics. Every stolen credential is a potential entry point for a ransomware attack, a corporate espionage operation, a financial fraud scheme, or an identity theft. Infostealers are the supply chain that feeds the entire cybercriminal ecosystem, and their industrialization through the Malware-as-a-Service model has made them accessible to virtually anyone willing to pay.

Inside the Infostealer Ecosystem

The modern infostealer landscape is dominated by a handful of malware families that operate as commercial services — Lumma, RedLine, StealC, Raccoon, and Vidar. The top three — Lumma, StealC, and RedLine — were responsible for over 75% of infected machines in 2024, according to KELA. Each offers a slightly different feature set, but the business model is remarkably consistent: a subscription-based service that provides malware binaries, a management panel for tracking infections, and tools for organizing and selling the stolen data.

Lumma Stealer: The Market Leader

Lumma Stealer (also known as LummaC2) emerged as the most prolific infostealer of 2024-2025, with ESET reporting a 369% surge in detections between the first and second halves of 2024. Microsoft identified over 394,000 Windows computers globally infected with Lumma during just a two-month window between March and May 2025. The malware’s developer claimed approximately 400 active clients purchasing its Malware-as-a-Service offerings.

Lumma is sold through a tiered subscription model: $250 per month for the standard package, scaling up to $1,000 for premium features including custom builds and advanced evasion techniques, with a top-tier $20,000 package granting access to the source code and reseller rights. The malware targets browser credential stores, cryptocurrency wallet files, two-factor authentication extensions, FTP clients, email clients, and session cookies. Recent versions incorporated anti-analysis techniques that detect sandbox environments, virtual machines, and security researcher tools.

In May 2025, Microsoft’s Digital Crimes Unit led a global disruption operation against Lumma, seizing approximately 2,300 malicious domains in coordination with Europol, the FBI, and the U.S. Department of Justice. However, the disruption proved temporary — Trend Micro observed hundreds of new command-and-control URLs appearing in the weeks after the takedown, and by late 2025, ESET reported the malware had partially recovered, though detections in the second half of 2025 were down 86% from their peak.

RedLine and Raccoon: The Established Players

RedLine Stealer, first identified in March 2020, has been described by ESET as the most prolific infostealer in history, and Kaspersky attributed 51% of all infostealer infections between 2020 and 2023 to it. In October 2024, Operation Magnus, a joint effort by the Dutch National Police, the FBI, and other agencies, disrupted RedLine’s infrastructure, seizing servers, domains, and Telegram channels. Despite this, RedLine remains in active use.

Raccoon Stealer experienced a significant disruption when its primary operator, Ukrainian national Mark Sokolovsky, was arrested in the Netherlands in March 2022. Sokolovsky, who had been leasing Raccoon for $200 per month via cryptocurrency, was eventually sentenced to five years in federal prison after his role was linked to over 52 million compromised user credentials. Despite the arrest, a rebuilt version of the malware has since resumed operations.

The MaaS Business Model

The Malware-as-a-Service delivery model has transformed infostealers from tools of skilled hackers into commoditized products accessible to low-skill criminals. For approximately $250 per month — less than many legitimate SaaS subscriptions — a subscriber receives the malware binary, a web-based management panel to track infections and organize stolen data, distribution tools, and technical support. Some services even offer responsive customer service through Telegram channels.

This commoditization has driven the explosive growth in infostealer activity. The barrier to entry for credential theft has collapsed to near zero, and the economics are overwhelmingly favorable to attackers. A single subscription can harvest credentials from thousands of victims, with each set of credentials potentially worth anywhere from a few cents (for low-value consumer accounts) to thousands of dollars (for corporate VPN or cloud admin credentials).

The Kill Chain: From Infection to Exploitation

Understanding how infostealers operate is essential for defending against them. The typical kill chain follows a predictable pattern, though the specifics vary by malware family and distribution method.

Distribution

Infostealers reach victims through multiple vectors. The most common include malicious advertisements (malvertising) that redirect to fake software download pages, SEO poisoning that places malicious sites in search results for popular software queries, phishing emails with infected attachments, and compromised legitimate software distribution channels. A particularly effective technique during 2024-2025 involved fake CAPTCHA pages, the so-called “ClickFix” attacks, in which users were tricked into pasting and running a command (typically through the Windows Run dialog or a PowerShell window) while believing they were completing a human verification check. Because the user executes the command, no exploit is needed and the payload inherits the user’s full privileges.

Credential Harvesting

Once executed on a victim’s system, the infostealer extracts stored data within seconds. Modern browsers encrypt their password and cookie databases, but the protection has traditionally been scoped to the user rather than the process: on Windows the Chromium master key in Local State is wrapped with DPAPI in the user’s context, so any code running as that user can unwrap it without elevation. Chrome’s App-Bound Encryption, introduced in 2024 for cookies on Windows, ties the key to a service running as SYSTEM and raises the bar, but the major stealer families shipped workarounds within weeks, so it should be treated as friction rather than a barrier. The malware decrypts and exfiltrates browser-stored passwords, autofill data, credit card numbers, and browsing history; cryptocurrency wallet files, VPN configurations, FTP credentials, and email client data are collected at the same time.

Session Token Theft

Perhaps the most consequential capability of modern infostealers is session token theft. When a user authenticates to a web service — even with multi-factor authentication — the service issues a session cookie that allows subsequent requests without re-authentication. Infostealers capture these session cookies, which can be imported into an attacker’s browser to assume the victim’s authenticated session. This effectively bypasses MFA entirely: the attacker never needs to present the second factor because they are using a session that has already completed authentication.

According to SpyCloud, an average of 1,861 cookies were harvested per infostealer infection in 2024. Microsoft has emphasized that 80% of recent breaches involving MFA bypass occurred through session token abuse. The technique is particularly dangerous because it works regardless of the MFA method used — hardware keys, TOTP apps, push notifications, and SMS codes all become irrelevant once the authenticated session is stolen.

Data Monetization

Stolen credentials are typically organized into “logs” — structured data packages containing all information extracted from a single victim’s system. These logs are sold on specialized marketplaces and Telegram channels where buyers can search for specific targets — a particular company’s domain, a specific email provider, or credentials for a particular service. Prices vary widely based on the value of the contents, from a few dollars for consumer account bundles to hundreds or thousands for corporate access credentials.


The Ransomware Connection

The relationship between infostealers and ransomware is not merely correlative — it is a direct supply chain dependency. Mandiant’s M-Trends 2025 report found that stolen credentials were the second most common initial infection vector in 2024, accounting for 16% of all investigations — the highest this category has ever reached. For ransomware attacks specifically, Mandiant linked 21% of incidents to stolen credentials.

SpyCloud’s data reinforces this connection: 54% of ransomware victims had corporate credentials previously exposed in infostealer logs, with 40% of those involving corporate email addresses. Nearly one-third of companies that suffered a ransomware attack had previously experienced an infostealer infection.

The chain works as follows: an infostealer harvests VPN credentials from an employee’s personal device. The credentials are sold on a marketplace. A ransomware affiliate purchases the credentials, uses them to access the corporate network, conducts reconnaissance and lateral movement, and ultimately deploys ransomware. The entire chain — from initial infostealer infection to ransomware deployment — can span days or weeks, making it difficult to connect the two events in post-incident analysis.

This supply chain dynamic means that defending against ransomware requires defending against infostealers — a connection that many organizations’ security strategies fail to make.

The 149 Million Credential Database

The discovery of a database containing 149 million unique login-password pairs — compiled entirely from infostealer operations — illustrates the scale at which credential theft is occurring.

The database, discovered by security researcher Jeremiah Fowler and disclosed on January 23, 2026, was not password-protected or encrypted. It contained approximately 96 GB of raw data including emails, usernames, passwords, and the specific website URLs needed to log into the accounts. The data spanned major services: 48 million Gmail accounts, 17 million Facebook accounts, 4 million Yahoo logins, 1.5 million Microsoft Outlook entries, 900,000 Apple iCloud accounts, and 420,000 Binance cryptocurrency accounts, along with credentials from educational institutions, government systems, and dating platforms.

The database was not the product of a single breach. It was an aggregation — a compiled dataset assembled from infostealer log files. The number of records was actively increasing while Fowler investigated it, suggesting the malware feeding it was still operational. After Fowler alerted the hosting provider, the database was taken offline — but the 149 million credentials are almost certainly already in the hands of criminals.

The existence of such databases has profound implications. They represent a persistent resource that threat actors can query repeatedly, long after the initial theft. Even if a user changes a compromised password, the database retains information about the user’s password patterns, email addresses, and associated accounts that can be used for targeted attacks. The databases also enable credential stuffing at scale — automated attempts to log into services using stolen username/password combinations, exploiting the widespread practice of password reuse.

Defense Strategies: What Actually Works

Defending against the infostealer epidemic requires a multi-layered approach that addresses both prevention and mitigation.

Phishing-Resistant MFA

Traditional MFA methods (SMS codes, TOTP apps, push notifications) do nothing against session token theft, and TOTP seeds kept in a browser extension are themselves on the infostealer’s shopping list. Phishing-resistant MFA, in particular FIDO2/WebAuthn security keys and passkeys, binds each authentication to the origin that requested it and never exposes the private key, which defeats credential phishing and adversary-in-the-middle proxies and leaves malware nothing to copy. It does not, however, protect the session cookie issued after login: a stolen cookie replays just as well after a FIDO2 sign-in as after a password sign-in, which is why the 1,861 cookies per infection matter regardless of MFA strength. Migrating high-value accounts to phishing-resistant MFA should still be a priority, because it closes the other major route to account takeover, but against infostealers specifically it has to be paired with the session controls discussed under Session Management below: short lifetimes, device-bound tokens, and conditional access that refuses tokens presented from unmanaged devices.

Credential Monitoring and Breach Detection

Organizations should actively monitor for their corporate credentials appearing in infostealer log marketplaces. Services like SpyCloud, Flare, and Hudson Rock provide early warning when employee credentials are detected in underground markets, enabling proactive password resets and session invalidation before the credentials are exploited.
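The monitoring services above deliver raw stealer logs or alerts derived from them; the first thing a defender does with such a log is triage it for their own organization. As an added example (not from the article or from any vendor it names), the following Python parses the password export of a stealer log, flags corporate identities and corporate application portals, and surfaces password reuse without ever printing the passwords. The log text is constructed; the SOFT/URL/USER/PASS labels follow the key: value layout of common plaintext exports but are an assumption, as are the example.com domains and the action names.

```python
"""Triage a stealer log's password export for a monitored organization.

Added example for this article, not a vendor product. SAMPLE_LOG is constructed;
the SOFT/URL/USER/PASS field labels are an assumed layout, and example.com stands
in for the monitored organization.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlsplit

FIELD_RE = re.compile(r"^(SOFT|URL|USER|PASS):\s*(.*)$", re.IGNORECASE)

# Assumed monitoring scope: identity domains we own, and portals whose sessions we control.
CORPORATE_DOMAINS: Set[str] = {"example.com"}
CORPORATE_APPS: Set[str] = {"vpn.example.com", "login.microsoftonline.com"}


@dataclass(frozen=True)
class Entry:
    software: str   # browser/profile the credential was lifted from
    url: str
    user: str
    password: str


def parse_log(text: str) -> List[Entry]:
    """Blocks of key: value lines, terminated by a blank line or a separator row."""
    entries: List[Entry] = []
    block: Dict[str, str] = {}
    for line in text.splitlines() + [""]:          # sentinel flushes the final block
        s = line.strip()
        m = FIELD_RE.match(s)
        if m:
            block[m.group(1).lower()] = m.group(2).strip()
            continue
        if not s or set(s) <= set("=-*"):          # block boundary
            if block.get("url") or block.get("user"):
                entries.append(Entry(block.get("soft", ""), block.get("url", ""),
                                     block.get("user", ""), block.get("pass", "")))
            block = {}
    return entries


def host_of(url: str) -> str:
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def is_monitored(host: str, domains: Set[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(entries: List[Entry], domains: Set[str], apps: Set[str]) -> Dict[str, List[Dict]]:
    """identities: username is an email on a monitored domain, wherever it was used.
    apps: URL host is a monitored portal, whatever the username (local accounts too).
    reuse: the same password seen on more than one host (reported as a hash prefix).
    Cookies ship in the same log, so every hit also implies session revocation."""
    report: Dict[str, List[Dict]] = {"identities": [], "apps": [], "reuse": []}
    by_password: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        host = host_of(e.url)
        user_domain = e.user.rsplit("@", 1)[1].lower() if "@" in e.user else ""
        if user_domain and is_monitored(user_domain, domains):
            report["identities"].append({"user": e.user.lower(), "host": host,
                                         "action": "force_reset+revoke_sessions"})
        if is_monitored(host, apps):
            report["apps"].append({"user": e.user.lower(), "host": host,
                                   "action": "revoke_sessions+review_signins"})
        if e.password:
            by_password[e.password].add(host)
    for pw, hosts in by_password.items():
        if len(hosts) > 1:
            report["reuse"].append({"password_sha256_prefix": hashlib.sha256(pw.encode()).hexdigest()[:12],
                                    "hosts": sorted(hosts)})
    return report


# Constructed sample: one victim, personal and corporate logins, one reused password.
SAMPLE_LOG = """\
SOFT: Chrome [Default]
URL: https://accounts.google.com/signin/v2
USER: alice.martin@gmail.com
PASS: Summer2024!
============================
SOFT: Chrome [Default]
URL: https://vpn.example.com/remote/login
USER: amartin
PASS: Summer2024!
============================
SOFT: Edge [Default]
URL: https://login.microsoftonline.com/
USER: alice.martin@example.com
PASS: Summer2024!
============================
SOFT: Firefox [k3x9p1q2.default-release]
URL: https://www.facebook.com/login
USER: alice.martin@gmail.com
PASS: Summer2024!
"""

if __name__ == "__main__":
    for section, hits in triage(parse_log(SAMPLE_LOG), CORPORATE_DOMAINS, CORPORATE_APPS).items():
        for hit in hits:
            print(section, hit)
```

The reuse check is what connects a personal-account hit to corporate risk: the victim’s Gmail and Facebook entries would be out of scope on their own, but the same password also unlocks the VPN portal, so the response action should be a forced reset and session revocation rather than a notification.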

Browser Security Hardening

Enterprise browser management policies should disable or restrict password storage in browsers (Chrome and Edge both expose this as the PasswordManagerEnabled policy), enforce the use of an enterprise password manager, and clear session cookies at browser close for sensitive applications (in Chrome, DefaultCookiesSetting set to 4 keeps cookies only for the session, with per-site control via CookiesSessionOnlyForUrls). One caveat: cookies are still present on the machine while the browser is open, which is exactly when an infostealer runs, so session-only cookies shrink the window rather than close it. Browser isolation technologies, which run the browser session in a remote environment, keep the credential store off the endpoint altogether.

Endpoint Protection

Modern endpoint detection and response (EDR) platforms should be configured to detect infostealer behavior patterns — rapid credential store access, communication with known C2 infrastructure, and suspicious data staging. However, the speed at which infostealers operate (typically completing credential extraction within seconds) means that detection must be complemented by prevention controls.
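The behaviour pattern described above can be expressed as a sequence rule: one non-browser process reads two or more distinct browser secret stores within a few seconds and then opens an outbound connection. The following Python is an added example (not a vendor rule or code from the article) that runs that logic over constructed endpoint telemetry; real EDRs expose the same file-read and network-connect primitives under their own field names, and the store paths, process names and sample events are assumptions chosen to illustrate the rule.

```python
"""Behavioural detection for infostealer-style credential store access.

Added example for this article, not a product rule. SAMPLE_EVENTS is constructed
telemetry; field names and paths are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Secret stores an infostealer reads on Windows (Chromium family and Firefox).
# Anchored at the path tail so any profile directory matches.
SECRET_STORE_RE = re.compile(
    r"(\\User Data\\Local State"                  # Chromium master key (DPAPI-wrapped)
    r"|\\User Data\\[^\\]+\\Login Data"           # Chromium saved passwords
    r"|\\User Data\\[^\\]+\\Network\\Cookies"     # Chromium cookies
    r"|\\User Data\\[^\\]+\\Web Data"             # Chromium autofill and cards
    r"|\\Profiles\\[^\\]+\\logins\.json"          # Firefox saved passwords
    r"|\\Profiles\\[^\\]+\\key4\.db"              # Firefox key database
    r"|\\Profiles\\[^\\]+\\cookies\.sqlite)$",    # Firefox cookies
    re.IGNORECASE,
)
# Browsers legitimately read their own stores. This exclusion is weak on its own:
# stealers inject into or spawn browsers, so it only suppresses the obvious noise.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


@dataclass(frozen=True)
class Event:
    ts: float       # epoch seconds
    pid: int
    image: str      # process image name
    kind: str       # "file_read" or "net_connect"
    target: str     # file path, or "ip:port" for connections


def detect(events: List[Event], read_window: float = 10.0, exfil_window: float = 60.0) -> List[Dict]:
    """Alert when a non-browser process reads >= 2 distinct secret stores within
    read_window seconds (Local State + Cookies is the classic pairing: the key and
    the data it decrypts); escalate if it connects out within exfil_window seconds."""
    by_pid: Dict[int, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)

    alerts: List[Dict] = []
    for pid, evs in by_pid.items():
        image = evs[0].image
        if image.lower() in BROWSER_IMAGES:
            continue
        reads = [e for e in evs if e.kind == "file_read" and SECRET_STORE_RE.search(e.target)]
        for i, first in enumerate(reads):
            burst = [r for r in reads[i:] if r.ts - first.ts <= read_window]
            stores = {r.target.lower() for r in burst}
            if len(stores) < 2:
                continue
            last_read = burst[-1].ts
            exfil = [e for e in evs if e.kind == "net_connect"
                     and last_read <= e.ts <= last_read + exfil_window]
            alerts.append({
                "pid": pid,
                "image": image,
                "stores": sorted(stores),
                "connections": [e.target for e in exfil],
                "severity": "high" if exfil else "medium",
            })
            break   # one alert per process
    return alerts


# Constructed telemetry: Chrome touching its own stores (benign), a dropper named
# like an installer sweeping Chrome and Firefox stores in under three seconds and
# then calling out, and a backup agent reading a single file (no alert).
CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
FIREFOX = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9p1q2.default-release"
SAMPLE_EVENTS = [
    Event(1700000000.0, 1010, "chrome.exe", "file_read", CHROME + r"\Default\Login Data"),
    Event(1700000001.0, 1010, "chrome.exe", "file_read", CHROME + r"\Default\Network\Cookies"),
    Event(1700000040.0, 4242, "setup_x64.exe", "file_read", CHROME + r"\Local State"),
    Event(1700000040.4, 4242, "setup_x64.exe", "file_read", CHROME + r"\Default\Login Data"),
    Event(1700000041.1, 4242, "setup_x64.exe", "file_read", CHROME + r"\Default\Network\Cookies"),
    Event(1700000042.7, 4242, "setup_x64.exe", "file_read", FIREFOX + r"\logins.json"),
    Event(1700000042.9, 4242, "setup_x64.exe", "file_read", FIREFOX + r"\key4.db"),
    Event(1700000055.0, 4242, "setup_x64.exe", "net_connect", "203.0.113.17:443"),  # RFC 5737 test address
    Event(1700000100.0, 5150, "backupagent.exe", "file_read", CHROME + r"\Default\Network\Cookies"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["image"], a["pid"], len(a["stores"]), "stores", a["connections"])
```

The rule fires on the combination, not on any single read, because backup agents, sync tools and forensic collectors touch individual store files all the time. The escalation to “high” on a follow-on connection matters operationally: by the time the alert arrives the data is usually gone, so the response is credential reset and session revocation for that user, not just quarantine of the host.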

Personal Device Policies

Many infostealer infections occur on personal devices that are outside the organization’s security controls. SpyCloud found that nearly 50% of corporate users have been infected with malware through either a personal or work-related device. If those personal devices are used to access corporate resources — VPN, email, cloud services — the stolen credentials can be used against the corporate environment. Organizations need clear policies about personal device access to corporate resources, combined with conditional access controls that limit authentication from unmanaged devices.

Session Management

Implementing shorter session timeouts, binding sessions to device fingerprints, and deploying continuous session validation mechanisms can limit the window during which stolen session tokens are useful. While these measures create friction for legitimate users, the trade-off is justified for high-value applications and administrative accounts.
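The binding and timeout controls above are straightforward to implement server-side. The following Python is an added example (not code from the article or from any product it mentions) of a session store that binds each session to a fingerprint of attributes the server can observe, revokes the whole session when a valid cookie arrives from a mismatched client, and enforces idle and absolute timeouts. The fingerprint fields, the JA4-style TLS strings and the ASN values in the demo are constructed for illustration.

```python
"""Device-bound web sessions with idle and absolute timeouts.

Added example for this article, not from any product. FINGERPRINT_FIELDS, the
TLS fingerprint strings and ASNs in demo() are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity
# Strongest signal first. User-Agent alone is trivially copied from the stolen log.
FINGERPRINT_FIELDS = ("tls_fp", "user_agent", "asn")


@dataclass
class Session:
    user: str
    fingerprint: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                     # injectable clock, so timeouts are testable
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def fingerprint(ctx: Dict[str, str]) -> str:
        material = "|".join(f"{k}={ctx.get(k, '')}" for k in FINGERPRINT_FIELDS)
        return hashlib.sha256(material.encode()).hexdigest()

    def issue(self, user: str, ctx: Dict[str, str]) -> str:
        """Called after a successful login (of any MFA strength). Returns the cookie value."""
        sid = secrets.token_urlsafe(32)
        now = self._now()
        self._sessions[sid] = Session(user, self.fingerprint(ctx), now, now)
        return sid

    def validate(self, sid: str, ctx: Dict[str, str]) -> Tuple[Optional[str], str]:
        """Returns (user, reason). user is None whenever the request must re-authenticate."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None, "unknown"
        now = self._now()
        if now - sess.created > ABSOLUTE_TIMEOUT or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None, "expired"
        if not hmac.compare_digest(sess.fingerprint, self.fingerprint(ctx)):
            # A valid cookie from a different client is the signature of token replay.
            # Revoke the whole session: that also logs out the victim, which is the
            # point, since the attacker holds the very same cookie.
            del self._sessions[sid]
            return None, "fingerprint_mismatch"
        sess.last_seen = now
        return sess.user, "ok"


def demo() -> list:
    """Victim logs in; attacker replays the stolen cookie with a copied User-Agent
    but a different TLS stack and network; then an idle session times out."""
    clock = [1_700_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    victim = {"tls_fp": "t13d1516h2_8daaf6152771_b0da82dd1658",   # constructed JA4-like string
              "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0",
              "asn": "AS64496"}                                   # reserved example ASN
    attacker = dict(victim, tls_fp="t13d1517h2_5b57614c22b0_3d5424432f57", asn="AS64497")
    outcomes = []
    sid = store.issue("alice@example.com", victim)
    outcomes.append(store.validate(sid, victim)[1])      # "ok"
    outcomes.append(store.validate(sid, attacker)[1])    # "fingerprint_mismatch" and revoked
    outcomes.append(store.validate(sid, victim)[1])      # "unknown": victim must sign in again
    sid = store.issue("alice@example.com", victim)
    clock[0] += IDLE_TIMEOUT + 1
    outcomes.append(store.validate(sid, victim)[1])      # "expired"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Fingerprint binding is a heuristic, and the tooling sold alongside stealer logs exists precisely to replicate the victim’s browser profile, so treat a match as one signal rather than proof. The robust form of the same idea is a per-device key that signs each request or token refresh (Chrome’s Device Bound Session Credentials proposal and Microsoft Entra token protection are examples), which a copied cookie cannot satisfy.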

The Scale Problem

The infostealer epidemic presents a challenge that extends beyond any individual organization’s security program. With 3.9 billion credentials compromised in a single year and databases of 149 million credentials found sitting unprotected on the open internet, the systemic risk to the digital economy is clear. Every stolen credential is a potential entry point, and the volume ensures that even organizations with strong security practices will have employees whose personal accounts — and sometimes corporate credentials — are compromised.

Addressing this challenge at scale requires coordination between security vendors, platform operators, law enforcement, and the organizations that are both targets and first responders. The May 2025 disruption of Lumma Stealer — involving Microsoft, Europol, the FBI, and multiple security companies — demonstrated both the potential and the limitations of coordinated action. It also requires a frank acknowledgment that the current model of credential-based authentication — where a stolen password or session token grants full access — is fundamentally inadequate for the threat environment. The infostealer epidemic is not a malware problem; it is an authentication architecture problem, and solving it will require rethinking how digital identity works at its foundation.


🧭 Decision Radar (Algeria Lens)

Relevance for Algeria: High — Algerian organizations rely heavily on password-based authentication and browser-stored credentials, making them vulnerable to the same infostealer campaigns targeting users globally. Consumer awareness of credential hygiene remains low.

Infrastructure Ready?: Partial — Basic endpoint protection is deployed in major enterprises and government, but advanced capabilities like credential monitoring services (SpyCloud, Flare) and phishing-resistant MFA (FIDO2 hardware keys) are not widely adopted.

Skills Available?: Partial — Algeria’s cybersecurity workforce is growing but still small. SOC teams at banks and telecoms can detect basic threats, but specialized infostealer analysis and dark web credential monitoring require skills that are scarce locally.

Action Timeline: Immediate — Infostealers are already active globally and do not discriminate by geography. Algerian organizations should audit browser credential storage policies and begin migrating critical accounts to phishing-resistant MFA now.

Key Stakeholders: CISOs and IT security teams at banks, telecoms, and government agencies; CERT Algeria; university cybersecurity programs; Algerian companies using cloud services (Google Workspace, Microsoft 365).

Decision Type: Tactical — Concrete defensive measures (disabling browser password storage, deploying credential monitoring, enforcing MFA) can be implemented immediately without major infrastructure changes.

Quick Take: Algerian organizations are not immune to the global infostealer epidemic — any employee using a browser to save passwords or accessing corporate VPN from a personal device is a potential victim. The immediate priorities are enforcing enterprise password managers over browser credential storage, deploying phishing-resistant MFA for critical systems, and building awareness that a single stolen session cookie can bypass even the strongest authentication.
