A ‘significant increase’ in infostealer malware attacks left 3.9 billion credentials exposed to cyber criminals last year – and experts worry this is a ticking time bomb for enterprises
The threat of infostealer malware is on the rise, with 4.3 million machines infected last year alone


Researchers have warned that billions of credentials exposed to cyber criminals were sourced from infostealer logs last year – and it's created a ticking time bomb for enterprises as hackers begin cracking systems.
KELA Cyber Threat Intelligence’s State of Cybercrime 2024 report singled out infostealers as persistent threats that usually serve as “precursors to advanced attacks, including ransomware and espionage”.
The firm said it observed more than 4.3 million machines around the world that had been infected with infostealer malware, such as Lumma stealer or RedLine, in 2024.
It estimated that this would account for more than 330 million credentials compromised using infostealers, which it said was slightly higher than the figures from 2023.
KELA warned that these credentials could be leveraged in future attacks that could balloon into “massive extortion campaigns”, citing the string of attacks leveraging compromised Snowflake credentials throughout 2024 that impacted at least 165 different companies.
In addition to the 330 million credentials KELA identified, the report said it also observed 3.9 billion credentials shared in the form of credential lists. These credential lists, commonly referred to as url:login:pass (ULP) files by threat actors, are compilations of data obtained during attacks.
These could be credentials harvested from a diverse range of sources, such as third-party breaches or phishing, but the report claimed that most ULP files are sourced from infostealer logs.
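The following is an added example, not code from KELA's report or from ITPro: a defender-side triage of a ULP file that lists which of an organization's own accounts appear in it, so those credentials can be reset. The monitored domain, function names and sample lines are constructed, and the parser assumes logins and passwords contain no colon.

```python
from urllib.parse import urlsplit

# Assumption: the domains this defender is responsible for.
MONITORED_DOMAINS = {"example.com"}

def parse_ulp_line(line):
    """Split one url:login:pass line into (url, login, password), or None.

    The URL itself contains colons (scheme, optional port), so split from
    the right. Assumes the login and the password contain no ':'.
    """
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or not all(parts):
        return None
    url, login, password = parts
    if "://" not in url:
        url = "https://" + url  # bare-host entries carry no scheme
    return url, login, password

def host_matches(host, domains):
    """True if host equals, or is a subdomain of, a monitored domain."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def exposed_accounts(lines, domains=MONITORED_DOMAINS):
    """Return sorted (host, login) pairs to reset; passwords are dropped."""
    hits = set()
    for line in lines:
        parsed = parse_ulp_line(line)
        if parsed is None:
            continue  # malformed line
        url, login, _password = parsed
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:
            continue  # unparseable URL
        login_domain = login.rpartition("@")[2] if "@" in login else ""
        if host_matches(host, domains) or host_matches(login_domain, domains):
            hits.add((host, login.lower()))
    return sorted(hits)

# Constructed sample lines, not real leaked data.
SAMPLE = [
    "https://sso.example.com:8443/login:alice@example.com:Passw0rd!",
    "https://mail.other.test/owa:bob@example.com:hunter2",
    "https://shop.other.test/account:carol@other.test:abc123",
    "vpn.example.com:dave:s3cret",
    "garbage line without fields",
]
```

The second sample line matters in practice: a corporate e-mail address reused as the login on a third-party site still counts as an exposure.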
Lumma remains the most popular infostealer malware strain according to KELA, and was responsible for 40.48% of the infected machines in its data lake.
Other top offenders were StealC (20.29%) and RedLine (16.43%), which KELA noted had been disrupted in October 2024 as part of Operation Magnus.
India, Brazil, and Indonesia were the top three most affected nations, accounting for 20.12% of bots infected by infostealer malware in 2024.
KELA also highlighted the sensitive services most commonly targeted using these compromised credentials with the most frequently attacked being business cloud solutions (22.02%), CMS (21.19%), email (13.85%), and user authentication systems (11.5%).
How to protect yourself against infostealer threats
According to Huntress’ 2025 Cyber Threat Report, infostealers accounted for nearly a quarter (24%) of all cyber incidents in 2024, making them the most common threat category of the year.
Speaking to ITPro, Jaron Bradley, director of Jamf Threat Labs at Jamf, said infostealer campaigns are on the rise, with evidence suggesting they are a particularly effective tactic used by threat actors.
“There has been a significant increase in Infostealer campaigns, and they have proven highly effective, even on macOS. These stealers are designed to target specific locations on the user's hard drive, seeking critical files such as usernames, passwords, browser session data, cryptocurrency wallets, documents, and more.”
Bradley added that the initial stages of infostealer campaigns require actions from the victim, so by improving overall security awareness businesses can mitigate some of the threat they pose to their organization.
“Users should be cautious about opening software sent by strangers, particularly if it comes with unusual instructions, such as right-clicking or adjusting settings,” he explained.
“For these infostealers to fully succeed, they also require the victim's login password, which is typically obtained by simply prompting the user with a popup window. Users should always question why an application would need their login credentials before willingly providing them.”
As well as investing in improving company-wide security awareness, KELA suggested a number of additional countermeasures businesses can take to protect themselves.
These include deploying enhanced endpoint detection and response (EDR) solutions that use behavior-based analysis rather than solely signature-based methods to detect and isolate infostealer activity in real time.
Improved email security is also essential in preventing phishing attempts, which are the primary delivery method for infostealers, the report added.
Finally, network segmentation is another important defense layer used to limit lateral movement once the attacker is inside your perimeter and stop them from accessing critical systems and sensitive data.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.