16 Billion Credentials Leaked in 2025: The Infostealer Epidemic
Infostealer malware like RedLine, Raccoon, and Lumma exfiltrated 3.2 billion credential records in 2025. The silent pipeline between personal device compromise and corporate ransomware attacks. A threat intelligence and incident response analysis.
16 billion credentials and counting
By mid-2025, security researchers confirmed that over 16 billion credentials had been leaked or stolen and were circulating on criminal marketplaces. That is roughly two sets of login credentials for every person on earth. The primary engine behind this explosion is not sophisticated nation-state hacking. It is commodity infostealer malware running at industrial scale.
How infostealers work
Infostealers are lightweight malware designed to do one thing: harvest saved credentials and session tokens from web browsers. The most prevalent families in 2025 include Lumma, RedLine, Raccoon, and Vidar. They are sold as a service on Telegram and dark web forums for $150 to $300 per month.
When executed, an infostealer:
- Reads the browser's credential database (Chrome stores passwords in an SQLite file encrypted with DPAPI)
- Extracts saved cookies and session tokens
- Grabs autofill data including credit card numbers and addresses
- Takes a screenshot of the current desktop
- Harvests cryptocurrency wallet files
- Packages everything into a "log" and uploads it to the operator's server
The entire process takes under 30 seconds. The victim usually never notices.
Session tokens are the real prize
Passwords can be reset. MFA can block stolen credentials. But a stolen session token bypasses both. If an attacker has your browser's session cookie for Gmail, they are already logged in as you. No password needed. No MFA prompt. The server sees a valid session and lets them through.
This is why "credential stuffing" has been the number one initial access vector for three consecutive years according to Mandiant's M-Trends reports. Attackers are not brute-forcing passwords. They are replaying stolen sessions.
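One defensive counterpart to the session-replay problem described above is to bind each session id to the client context that first used it and alert when that context changes. The following is an added example, not code from the original article; the log lines are constructed sample data and the `sid=`/`ip=`/`ua=` field layout is an assumed format.

```python
import re
import ipaddress

# Constructed sample auth log (not real data): one request per line.
SAMPLE_LOG = [
    "2025-06-01T08:00:01Z sid=a1b2 ip=203.0.113.10 ua=Chrome/125 Windows",
    "2025-06-01T08:05:12Z sid=a1b2 ip=203.0.113.44 ua=Chrome/125 Windows",
    "2025-06-01T09:17:40Z sid=a1b2 ip=198.51.100.7 ua=Chrome/124 Linux",
    "2025-06-01T09:20:00Z sid=c3d4 ip=192.0.2.5 ua=Firefox/127 macOS",
]

LINE_RE = re.compile(r"^(\S+) sid=(\S+) ip=(\S+) ua=(.+)$")


def network_of(ip: str):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so ordinary
    DHCP churn inside one network does not trip the detector."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_session_replays(lines):
    """Bind each session id to the (network, user-agent) context that first
    used it; flag later requests where that context changes.
    Returns (timestamp, session_id, reason) tuples."""
    bound = {}
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, sid, ip, ua = m.groups()
        ctx = (network_of(ip), ua)
        if sid not in bound:
            bound[sid] = ctx  # first sighting defines the legitimate context
            continue
        net0, ua0 = bound[sid]
        reasons = []
        if ctx[0] != net0:
            reasons.append("network changed")
        if ua != ua0:
            reasons.append("user-agent changed")
        if reasons:
            alerts.append((ts, sid, ", ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for ts, sid, why in find_session_replays(SAMPLE_LOG):
        print(f"{ts} session {sid}: possible replay ({why})")
```

Mobile and corporate egress networks change addresses legitimately, so in production this heuristic is a signal to trigger step-up authentication or session revocation, not a standalone verdict.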
The Bybit hack: $1.47 billion
In February 2025, North Korea's Lazarus Group stole $1.47 billion in cryptocurrency from Bybit, the world's second-largest crypto exchange. The attack started with a compromised developer workstation: an infostealer harvested credentials that provided access to Bybit's internal infrastructure. From there, the attackers manipulated a multi-signature wallet transaction to redirect funds.
This was the largest single theft in cryptocurrency history, surpassing the $620 million Ronin Bridge hack in 2022. The FBI attributed it to Lazarus Group within weeks.
Microsoft SharePoint zero-day: 400+ organizations
A separate campaign exploited a zero-day in Microsoft SharePoint (CVE-2025-XXXX) to deploy infostealers across more than 400 organizations, including the National Nuclear Security Administration (NNSA). The attackers used a malicious SharePoint document to execute code on visiting users' machines, harvesting credentials at scale across government and defense contractors.
The economics
Stolen credentials are sold in bulk on markets like Russian Market and Genesis. Prices range from $1 for a basic email login to $500+ for corporate VPN credentials or banking sessions. A single infostealer operator running a campaign across pirated software downloads can harvest tens of thousands of logs per month, netting six figures annually.
The damage does not stop at individuals. When an employee's personal machine gets infected and they have saved their corporate VPN password in Chrome, the attacker gets access to the company network. This is how small, cheap malware leads to massive enterprise breaches.
What actually works as defense
- Use a dedicated password manager (1Password, Bitwarden) instead of browser-saved passwords. Password managers use their own encryption, not the browser's DPAPI
- Enable hardware security keys (YubiKey) for critical accounts. Session tokens can be stolen, but FIDO2 keys bind authentication to the device
- Use browser profiles to separate personal and work browsing
- Never save credentials in your browser. Disable Chrome's built-in password manager entirely
- Monitor for your credentials on Have I Been Pwned and similar services
- Endpoint detection (EDR) catches most commodity infostealers, but only on managed corporate devices
Want us to check your credentials setup?
Our scanner detects this exact misconfiguration, plus dozens more across 38 platforms. Free website check available, no commitment required.
