Vypr Research · Published Jun 10, 2026 · 1 source

Infostealers Fuel Cybercrime by Turning Millions of Devices into Credential Theft Machines

Infostealer malware is increasingly weaponized by cybercriminals to harvest credentials from millions of devices, providing a lucrative entry point for ransomware gangs and other threat actors.

Cybercriminals are increasingly leveraging infostealer malware to compromise millions of devices, transforming them into credential theft machines. These stolen credentials are then sold on illicit marketplaces or directly used by other threat actors, particularly ransomware gangs, to gain initial access to victim networks. This trend signifies a strategic shift in cyberattack methodologies, moving away from complex exploit-based intrusions towards more efficient and less detectable methods like credential stuffing and account takeover.

According to a report by Flashpoint, over 11.1 million devices were infected with infostealers in 2025 alone, resulting in the circulation of more than 3.3 billion credentials, browser artifacts, session information, and other identity-related data on underground forums. This vast trove of stolen information gives attackers a direct path into target networks: because the logins are valid, the resulting access looks legitimate to security controls and often reaches sensitive data without triggering defenses.

Researchers have identified over 30 unique strains of infostealer malware, with the landscape constantly evolving. New variants emerge daily, existing ones are forked, and law enforcement agencies disrupt others. These stealers are readily available on the dark web, often through malware-as-a-service (MaaS) models, with some costing as little as $60 per month. While Lumma, Acreed, Rhadamanthys, Vidar, and StealC were prominent in 2025, the threat landscape is dynamic; by early 2026, Vidar had surged to dominate, accounting for over 73% of infected hosts.

Once an attacker acquires a stealer, the next step is to infect a target device, which can be any device connected to the intended network. Social engineering, particularly aimed at individuals using desktop or laptop computers, remains the most common delivery method. Given the sheer number of potential targets, some successful infections are statistically likely.

Individual infostealers vary in their specific functionality, but they generally share a common set of objectives. Many first check whether they are running in a sandbox environment, so as to evade detection by security controls. To frustrate static analysis, their code often uses string encryption and obfuscation, with decryption happening only in memory, which makes them hard for signature-based detection tools to flag.

The core function of these stealers is to gather a wide range of sensitive data. This includes website passwords, enterprise credentials (such as VPN, RDP, and webmail logins), SaaS and cloud platform credentials, email account access, password manager stores, and autofill data containing personal information. They also actively seek browser cookies, active session tokens, and cloud/SaaS session artifacts, along with any cryptocurrency wallet information and credit card data.
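Stolen session cookies and tokens are the item in that list that defenders can most readily detect in use, because a replayed session shows up as an existing session ID suddenly presented from a different client while the victim is still active. The following Python is an added illustration, not code from the article or from Flashpoint; the log format, field names, session IDs and addresses are constructed for the example. It groups constructed access-log lines by session ID and flags any session that changes source IP within a short window, recording whether the user agent changed as well.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of application access logs (not data from the article).
# Fields: ISO timestamp, session id, client IP, user agent, requested path.
# Session a1f3 is the victim's browser session; the third line is the same
# cookie replayed two minutes later from a different address and client.
# Session c9d4 changes IP too, but eleven hours apart (e.g. home vs. office).
SAMPLE_LOG = """\
2026-06-01T09:00:00Z sid=a1f3 ip=203.0.113.10 ua=Firefox/126 path=/dashboard
2026-06-01T09:05:00Z sid=a1f3 ip=203.0.113.10 ua=Firefox/126 path=/mail
2026-06-01T09:07:00Z sid=a1f3 ip=198.51.100.77 ua=python-requests/2.31 path=/mail/export
2026-06-01T09:30:00Z sid=b7c2 ip=192.0.2.5 ua=Chrome/125 path=/dashboard
2026-06-01T10:00:00Z sid=b7c2 ip=192.0.2.5 ua=Chrome/125 path=/settings
2026-06-02T08:00:00Z sid=c9d4 ip=192.0.2.8 ua=Chrome/125 path=/dashboard
2026-06-02T19:00:00Z sid=c9d4 ip=192.0.2.9 ua=Chrome/125 path=/dashboard
"""


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict; 'ts' becomes a datetime."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_session_replays(log_text, window=timedelta(minutes=30)):
    """Return an alert per session whose ID is presented from a new client IP
    within `window` of its previous use.

    A cookie lifted by an infostealer and replayed from attacker infrastructure
    appears as the same sid with a different IP (and usually a different UA)
    while the legitimate session is still active. The time window keeps
    ordinary roaming (a user moving networks hours later) out of the alerts.
    """
    by_sid = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_sid[rec["sid"]].append(rec)

    alerts = []
    for sid, events in by_sid.items():
        events.sort(key=lambda r: r["ts"])
        for prev, cur in zip(events, events[1:]):
            gap = cur["ts"] - prev["ts"]
            if cur["ip"] != prev["ip"] and gap <= window:
                alerts.append({
                    "sid": sid,
                    "known_ip": prev["ip"],
                    "new_ip": cur["ip"],
                    "ua_changed": cur["ua"] != prev["ua"],
                    "gap_seconds": int(gap.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_LOG):
        print(alert)
```

On the constructed input only session `a1f3` is reported; `c9d4` changes address outside the 30-minute window and stays quiet, which is the trade-off to tune: a longer window catches slower replays at the cost of more roaming false positives, so in practice the IP change is usually combined with the user-agent change and a geolocation or ASN comparison before a session is forcibly revoked.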

Beyond identity data, infostealers also collect system metadata such as OS version, hardware details, and IP addresses. This combination of data and metadata lets attackers steal not just an identity but its context, building a comprehensive profile of each victim. The collected information is then packaged into "stealer logs," often compressed and encrypted, and exfiltrated to attacker-controlled servers.

The monetization of these logs is a primary driver for infostealer proliferation. Attackers may use the data for personal gain, but more commonly, they sell it to criminal groups. This stolen data frequently serves as the initial access vector for ransomware attacks, enabling threat actors to deploy their payloads undetected and achieve their objectives before defenses can be mounted. The direct link between an infostealer infection and a subsequent ransomware demand is often short and stark, highlighting the critical role these tools play in the modern cybercrime ecosystem.

Synthesized by Vypr AI