Infostealers Are the New Ransomware: Your Credentials Are Being Sold Right Now

Bitchrons

Your credentials are for sale in a dark web marketplace right now. Not your online shopping credentials. Your actual work credentials—username, password, API keys, tokens, session cookies, and private SSH keys.

If that sounds paranoid, consider the numbers. According to Forbes’ reporting on Flashpoint’s 2025 threat intelligence data, 3.2 billion credentials were stolen in 2024 alone, a 33% increase over 2023. Of those, 2.1 billion came from infostealer malware. The report frames that as 75%; 2.1 of 3.2 billion is closer to two-thirds, so read the share as “the clear majority” rather than a precise three-quarters.

Let me state that clearly: the majority of all credentials stolen in 2024 came from a single attack category. Infostealers aren’t a subset of cyber threats. They’re the dominant threat to credential security.

And according to ForENova’s 2025 analysis, infostealers are the most frequent type of attack in 2025. ForENova’s own tally for 2024 is approximately 4.3 million infected devices and around 3.9 billion compromised credentials. That is higher than Flashpoint’s count; each vendor is measuring its own visibility into stealer logs, so the two figures should be read side by side, not added together or compared directly.

This is the biggest threat to your organization that nobody’s talking about.

What Infostealers Actually Do

Infostealers are malicious programs designed to infiltrate systems and steal sensitive information. They’re not ransomware: they don’t encrypt your files and demand payment. They’re not remote access trojans: they don’t give an operator an interactive shell, although many stealer families can fetch and run a second-stage payload. They’re thieves. They harvest credentials, ship them to a command-and-control server, and often delete themselves afterwards.

The Data They Collect

According to ForENova’s technical breakdown, infostealers collect:

  • Login credentials: Usernames and passwords for every account on the system
  • Banking and payment information: Credit card data, banking credentials, crypto wallet keys
  • Personal information: Home address, social security numbers, phone numbers, email addresses
  • Browser data: Browsing history, cookies, stored passwords, autofill data
  • Cryptocurrency assets: Wallet information, private keys, seed phrases
  • Device details: Operating system, hardware specs, installed software, network configuration, IP address
  • Corporate credentials: VPN passwords, SSH keys, API tokens, Slack/Microsoft Teams credentials, AWS credentials

A single infected computer becomes a goldmine of sensitive information.
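The browser password store is the item on that list an infostealer reaches first, and it is also the one a defender can measure. The script below is an added example, not code from the article or from any vendor it cites: it locates Chromium’s “Login Data” SQLite files, copies them (the live file is locked while the browser runs, the same trick a stealer uses), and counts saved logins per origin without ever reading the encrypted password column. The profile paths, the high-value origin list and the sample database it builds for itself are assumptions constructed for this example.

```python
"""Inventory saved browser logins on an endpoint.

Added example, not code from the article or from any vendor it cites.
Chromium-based browsers keep saved logins in a SQLite file called "Login Data"
inside each profile directory. Infostealers copy that file and decrypt the
password_value column; a defender can read the same file, without touching the
encrypted column, to measure how much credential material is lying around.
Profile paths and the high-value origin list are assumptions.
"""
import shutil
import sqlite3
import sys
import tempfile
from collections import Counter
from pathlib import Path

# Assumed default profile roots per platform (adjust for your fleet).
PROFILE_ROOTS = {
    "linux": [Path.home() / ".config/google-chrome", Path.home() / ".config/chromium"],
    "darwin": [Path.home() / "Library/Application Support/Google/Chrome"],
    "win32": [Path.home() / "AppData/Local/Google/Chrome/User Data"],
}

# Origins whose saved passwords a buyer will monetise first (assumed list).
HIGH_VALUE = ("login.microsoftonline.com", "accounts.google.com",
              "console.aws.amazon.com", "github.com", "slack.com")


def find_login_dbs(roots):
    """Yield every 'Login Data' file below the given profile roots."""
    for root in roots:
        if root.is_dir():
            yield from root.rglob("Login Data")


def inventory_login_db(db_path):
    """Return (Counter of origins, total saved logins) for one Login Data file.

    Works from a copy because the browser holds the original locked. Only
    origin and username are read; password_value is never touched.
    """
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "Login Data"
        shutil.copy2(db_path, copy)
        con = sqlite3.connect(copy)
        try:
            rows = con.execute(
                "SELECT origin_url, username_value FROM logins "
                "WHERE blacklisted_by_user = 0"   # skip 'never save' entries
            ).fetchall()
        finally:
            con.close()
    return Counter(origin for origin, _ in rows), len(rows)


def high_value_origins(origins):
    """Subset of the inventoried origins that match the HIGH_VALUE list."""
    return sorted(o for o in origins if any(h in o for h in HIGH_VALUE))


def make_sample_login_db(path):
    """Constructed sample DB with just the columns this script reads."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
                "password_value BLOB, blacklisted_by_user INTEGER)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", [
        ("https://login.microsoftonline.com/", "alice@example.com", b"v10...", 0),
        ("https://github.com/login", "alice", b"v10...", 0),
        ("https://github.com/login", "alice-bot", b"v10...", 0),
        ("https://news.example.org/", "alice", b"v10...", 0),
        ("https://never-save.example.org/", "", b"", 1),   # user chose 'never'
    ])
    con.commit()
    con.close()


def run_sample():
    """Build the constructed sample and inventory it; returns (origins, total, high_value)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "Login Data"
        make_sample_login_db(db)
        origins, total = inventory_login_db(db)
    return origins, total, high_value_origins(origins)


if __name__ == "__main__":
    print("sample:", run_sample())
    for db in find_login_dbs(PROFILE_ROOTS.get(sys.platform, [])):
        origins, total = inventory_login_db(db)
        print(f"{db}: {total} saved logins, high-value: {high_value_origins(origins)}")
```

Run it across a fleet and the output answers the question the article is really asking: how many corporate SSO, cloud-console and code-hosting passwords are sitting in browser profiles waiting to be copied. Firefox keeps the equivalent data in logins.json next to key4.db in its profile directory and would need a separate reader.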

The Attack Prerequisites

How does infostealer malware get on your device in the first place? According to KELA’s 2025 infostealer report analyzing 300 infected corporate machines, the infection vector is typically:

  • Malicious email attachments: Phishing email with an .EXE, a .ZIP containing one, or an Office document carrying a macro or an exploit
  • Compromised websites: Drive-by download when visiting legitimate-looking site
  • Software piracy: Downloading cracked software or license key generators from torrent sites
  • Trojanized installers: Legitimate-looking software installer that actually contains malware
  • Compromised supply chain: Legitimate vendor’s website or update mechanism compromised

Most common: a user opens an email attachment or clicks a link they believe is legitimate.
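The attachment vector above is where a mail gateway gets its one chance. As an added example (not code from the article or the vendors it cites), the scanner below inspects a ZIP attachment by content rather than by file name: it reads the first bytes of each member, flags PE and ELF executables whatever their extension, flags extensions that should never arrive by mail, refuses to trust encrypted members (the password is usually in the email body), and recurses into nested archives. The extension lists, the thresholds and the sample archive it builds for itself are assumptions constructed for this example.

```python
"""Inspect e-mail attachments for executables hiding in archives.

Added example, not code from the article or the vendors it cites. Blocking by
extension alone is not enough: the leading bytes of a file say what it is, and
a ZIP can hide an executable behind any name. Extension lists and the sample
archive are assumptions constructed for this example.
"""
import io
import zipfile
from pathlib import PurePosixPath

PE_MAGIC = b"MZ"           # Windows PE executables and DLLs
ELF_MAGIC = b"\x7fELF"     # Linux executables
BLOCKED_EXT = {".exe", ".scr", ".dll", ".msi", ".js", ".jse", ".vbs", ".hta",
               ".lnk", ".bat", ".cmd", ".ps1", ".iso", ".img"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_DEPTH = 3              # stop recursing into archives nested deeper than this


def classify(name, head):
    """Return the reasons a member with this name and leading bytes is suspicious."""
    reasons = []
    ext = PurePosixPath(name).suffix.lower()
    if ext in BLOCKED_EXT:
        reasons.append(f"blocked extension {ext}")
    is_pe = head.startswith(PE_MAGIC)
    is_elf = head.startswith(ELF_MAGIC)
    if is_pe or is_elf:
        reasons.append("executable header (%s)" % ("PE" if is_pe else "ELF"))
        if ext in DOCUMENT_EXT:
            reasons.append("executable disguised as a document")
    return reasons


def scan_zip(data, prefix="", depth=0):
    """Walk a ZIP held in memory and return [(member path, [reasons])]."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix.rstrip("/"), ["nested archive unreadable"])]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.flag_bits & 0x1:          # encrypted member: cannot inspect
                findings.append((path, ["encrypted member, content not inspectable"]))
                continue
            with zf.open(info) as f:
                head = f.read(8)
            reasons = classify(info.filename, head)
            if reasons:
                findings.append((path, reasons))
            if info.filename.lower().endswith(".zip") and depth < MAX_DEPTH:
                findings.extend(scan_zip(zf.read(info), path + "/", depth + 1))
    return findings


def build_sample():
    """Constructed phishing-style archive: a PE renamed to look like a PDF,
    a harmless text file, and a nested ZIP holding an .exe."""
    fake_pe = PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 60
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.exe", fake_pe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_2024.pdf", fake_pe)     # name says PDF, bytes say PE
        z.writestr("README.txt", b"Please see the attached invoice.\n")
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reasons in scan_zip(build_sample()):
        print(f"{path}: {', '.join(reasons)}")
```

Wire this into the gateway as a verdict and the “Invoice.pdf” that is really an executable never reaches the inbox, regardless of what the sender named it.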

The Scale of Compromise: By The Numbers

The statistics on infostealer infections are staggering.

Credential Theft Volume

According to Forbes citing Flashpoint threat intelligence:

  • 2024: 3.2 billion total credentials stolen (33% increase year-over-year)
  • Infostealer share: 2.1 billion credentials (reported as 75% of the total; by the raw figures it is closer to two-thirds)
  • 2025 projection: 200+ million credentials already compromised in first months

If those trends continue, 2025 could see 4+ billion stolen credentials, with infostealers accounting for 3+ billion.

Infected Devices

According to ForENova’s reporting, approximately 4.3 million devices were infected with infostealer malware in 2024 alone.

That is not a cumulative count of every infection ever recorded. That is new infections in a single year.

Corporate Impact

According to KELA’s analysis of 300 infected corporate machines, each infected computer contained compromised credentials for multiple corporate systems. The average infected machine had access to:

  • Multiple VPN accounts
  • Email and collaboration tools (Outlook, Slack, Teams)
  • Cloud services (AWS, Azure, Google Cloud)
  • Developer tools (GitHub, GitLab, Jira)
  • Database credentials
  • Administrative access to critical systems

A single compromised employee computer becomes a path into corporate infrastructure.

The Criminal Marketplace: Where Stolen Credentials Go

Stolen credentials don’t disappear. They’re commodities in criminal markets.

Underground Forums and Marketplaces

According to ForENova, stolen credentials are openly traded on underground forums, dark web marketplaces, and specialized cybercrime platforms. Prices vary by credential type:

  • Corporate VPN credentials: $50-$500 per account
  • AWS/Azure admin credentials: $100-$2,000 per account
  • Banking credentials: $100-$10,000 per account
  • Email credentials: $5-$50 per account
  • Cryptocurrency wallet keys: $100-$100,000+ depending on balance

The market is liquid and efficient. Stolen credentials sell within hours of theft.

The Buyers

Who purchases stolen credentials? According to KELA’s research, buyers include:

  • Ransomware gangs (using credentials for initial network access)
  • Account takeover fraud rings
  • Financial fraud specialists (banking and payment theft)
  • Business email compromise (BEC) scammers
  • Advanced persistent threat (APT) groups (using as initial foothold for espionage)
  • Identity theft specialists
  • Commodity resellers (buying in bulk, reselling to others)

A single set of compromised credentials could pass through multiple hands in the criminal ecosystem.

Why Infostealers Became The Dominant Threat

Ransomware gets headlines. But infostealers have become more dangerous because they’re more economical and flexible for attackers.

Reasons for Infostealer Dominance

According to ForENova’s analysis:

1. Low cost for attackers

Infostealer malware costs $10-$500 on dark web markets (Malware-as-a-Service). Deploy it to thousands of victims cheaply. Even 0.1% infection rate among targets yields massive credential haul.

Ransomware, by contrast, requires careful targeting, network reconnaissance, and high success rate to be profitable. Infostealers are spray-and-pray economics.

2. High revenue potential

A single compromised corporate VPN account sells for $50-$500, as noted above. An employee with access to critical systems might fetch $1,000-$5,000. A bundle of 100 corporate credentials sells for thousands.

Multiply across thousands of infections and the revenue is enormous.

3. Low detection probability

Infostealers steal data silently. They don’t encrypt files (no alert). They don’t demand payment (no negotiation). They just quietly exfiltrate credentials and disappear.

Organizations often don’t realize they’ve been compromised until weeks or months later when compromised credentials surface in breach databases or are used for account takeover.

4. Multiple monetization paths

A ransomware operator has essentially one monetization path: extortion, whether through encryption or the threat of leaking stolen data. An infostealer operator has many: sell credentials on dark web markets, use them for direct fraud, trade them to ransomware gangs as initial access, resell them to other criminals.

The business model is more flexible and resilient.

The Malware-as-a-Service Ecosystem

According to ForENova, infostealer malware is increasingly available as Malware-as-a-Service (MaaS). Criminals with minimal technical expertise can purchase pre-built infostealer malware from underground forums, customize it with their command-and-control infrastructure, and launch attacks immediately.

This democratization of malware access has enabled smaller criminal groups and opportunistic cybercriminals to participate in infostealer campaigns.

Recent Evolution: Infostealers in 2024-2025

The infostealer landscape continues evolving dangerously.

Most Common Variants

According to Flashpoint’s analysis, the most commonly deployed infostealer variants in 2024 included:

  • Lumma Stealer: Actively distributed via phishing and malvertising
  • Vidar: Modular infostealer with customizable data exfiltration
  • Meta Stealer: Advanced infostealer with multiple exfiltration capabilities
  • Password Stealer Pro: Focused on credential harvesting
  • RedLine: Historically the dominant stealer until the Operation Magnus law-enforcement action in October 2024

When one infostealer gets taken down by law enforcement (as RedLine and META were in October 2024), the criminal ecosystem adapts. New variants emerge immediately to fill the gap.

Cryptocurrency Adoption

According to ForENova, as cryptocurrency adoption expands globally, attackers are increasingly targeting cryptocurrency wallet information and keys. A stolen crypto wallet with significant balance can be immediately emptied by thieves.

This creates particularly urgent motivation for infostealer deployment in crypto-heavy regions and crypto worker devices.

What Organizations Should Do Right Now

Detection and Response

  • Assume compromise: Act as if infostealer malware already exists in your network. Hunt for signs of infection: browser credential stores being copied, archives of browser data leaving a host, and sign-ins that reuse a user’s existing session rather than presenting a password.
  • Monitor for anomalous credential usage: Stolen credentials are often used within hours. Watch for impossible travel (two logins for the same account from locations too far apart for the elapsed time), logins from new devices or networks, and accounts that suddenly start enumerating shares, repositories or cloud resources.
  • Check breach databases: Regularly query services like Have I Been Pwned (HIBP) for your corporate domains. A hit means the credential is exposed somewhere; it does not tell you which machine leaked it, so treat it as a reset trigger and an investigation lead rather than as proof of where the infection is.
  • Implement EDR (Endpoint Detection & Response): Deploy EDR that can detect suspicious process execution, network connections, and file operations indicative of infostealer malware, such as a process other than the browser reading Chrome’s “Login Data” or Firefox’s logins.json.
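The impossible-travel check in the list above is simple enough to run yourself over exported sign-in logs. The detector below is an added example, not code from the article or from any vendor it cites: it groups authentication events by user, computes the great-circle distance between consecutive logins, and raises an alert when the implied speed exceeds what an airliner can do. The field names, the speed and distance thresholds, and the sample events (a credential replayed from another continent 45 minutes after the real login, next to a user who genuinely travels across a country over a workday) are assumptions constructed for this example.

```python
"""Impossible-travel detection over authentication events.

Added example, not code from the article or the vendors it cites. Takes
sign-in records that already carry geolocation (most IdPs and SIEMs enrich the
source IP with country and coordinates) and flags any user whose consecutive
logins would have required travelling faster than an airliner. Thresholds,
field names and sample events are assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000    # faster than a commercial flight: physically impossible
MIN_DISTANCE_KM = 100   # ignore geo-IP jitter within one metro area
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(s):
    """ISO 8601 with a trailing Z, as most IdPs export it."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_impossible_travel(events):
    """Return one alert per consecutive login pair that breaks the speed limit.

    events: iterable of dicts with ts (ISO 8601), user, ip, country, lat, lon.
    """
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(logins, logins[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > MAX_SPEED_KMH:
                alerts.append({
                    "user": user,
                    "from": f'{prev["country"]} {prev["ip"]} at {prev["ts"]}',
                    "to": f'{cur["country"]} {cur["ip"]} at {cur["ts"]}',
                    "distance_km": round(dist),
                    "speed_kmh": round(speed),
                })
    return alerts


# Constructed sample: alice's credential is replayed from a second continent
# 45 minutes after her real login; bob drives Berlin -> Munich over a workday.
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T09:00:00Z", "user": "alice", "ip": "203.0.113.10",
     "country": "DE", "lat": 52.520, "lon": 13.405},
    {"ts": "2025-03-03T09:45:00Z", "user": "alice", "ip": "198.51.100.7",
     "country": "US", "lat": 37.775, "lon": -122.419},
    {"ts": "2025-03-03T09:00:00Z", "user": "bob", "ip": "203.0.113.11",
     "country": "DE", "lat": 52.520, "lon": 13.405},
    {"ts": "2025-03-03T14:00:00Z", "user": "bob", "ip": "203.0.113.99",
     "country": "DE", "lat": 48.137, "lon": 11.575},
]

if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

The distance floor matters more than it looks: geo-IP databases routinely place a mobile user tens of kilometres from where they are, and without it a detector of this kind drowns in false positives. VPN egress points are the other common source of noise; exclude your own VPN ranges before alerting.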

Prevention and Hardening

  • Email security: Deploy email filtering that inspects attachments by content, not just by extension, and rewrites or sandboxes URLs. Block executables and script files, including when they arrive inside archives or disk images.
  • Endpoint protection: Run EDR on every corporate device. Keep agents and signatures current.
  • MFA everywhere: Implement multi-factor authentication on all critical accounts. MFA stops an attacker who has only the password. It does not stop one who also has the session cookie or token the stealer lifted from the browser, so pair it with short session lifetimes, re-authentication for sensitive actions, and revocation of all sessions whenever a credential is reset.
  • Password management: Deploy a corporate password manager (1Password, Bitwarden, LastPass) so users aren’t storing passwords in browsers, where infostealers harvest them. Stealers target the managers’ browser extensions too, so require the vault to lock when idle and protect it with MFA.
  • API key management: Never store API keys in browsers or source code. Use secure vaults (AWS Secrets Manager, HashiCorp Vault) for sensitive credentials, and prefer short-lived tokens over long-lived keys so that anything stolen expires on its own.
  • Browser hardening: Disable password saving and the autofill of addresses and payment data through managed policy rather than user settings, and disable browser sign-in and sync so a stolen profile cannot pull credentials back down from the cloud.
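The browser hardening and password-manager items above are only durable if they are enforced by managed policy rather than left to each user. The script below is an added example, not code from the article or from any browser vendor: it holds a hardened Chrome and Firefox policy (the keys are real enterprise policy names), writes them to the Linux policy locations, and, more usefully, audits an existing policy document against that baseline so a fleet check can report which machines still allow the browser to save or sync credentials. The file paths and the deliberately weak sample policy are assumptions constructed for this example.

```python
"""Managed browser policy that stops credential storage, plus an audit function.

Added example, not code from the article or any browser vendor. The policy
keys are real Chrome and Firefox enterprise policy names; the install paths
are the Linux defaults and are assumptions (on Windows the Chrome values go
under HKLM\\SOFTWARE\\Policies\\Google\\Chrome and Firefox reads
distribution\\policies.json next to its executable).
"""
import json
from pathlib import Path

# Chrome/Chromium: nothing for a stealer to harvest, nothing to sync out.
CHROME_HARDENED = {
    "PasswordManagerEnabled": False,      # no saved passwords in "Login Data"
    "AutofillAddressEnabled": False,      # no stored addresses or phone numbers
    "AutofillCreditCardEnabled": False,   # no stored card data
    "BrowserSignin": 0,                   # 0 = disable signing in to the browser
    "SyncDisabled": True,                 # never sync the profile to a Google account
}

# Firefox equivalents (Firefox wraps these in a top-level "policies" object).
FIREFOX_HARDENED = {
    "PasswordManagerEnabled": False,
    "OfferToSaveLogins": False,
    "DisableFormHistory": True,
    "DisableFirefoxAccounts": True,
}

# Assumed Linux policy locations.
CHROME_POLICY_PATH = Path("/etc/opt/chrome/policies/managed/no-credential-store.json")
FIREFOX_POLICY_PATH = Path("/etc/firefox/policies/policies.json")


def audit_policy(actual, required):
    """List (key, expected, actual) for every required setting that is missing
    or weaker than the hardened baseline. An empty list means compliant."""
    problems = []
    for key, expected in required.items():
        got = actual.get(key)
        if got != expected:
            problems.append((key, expected, got))
    return problems


def firefox_policy_document():
    """Full policies.json content for Firefox."""
    return {"policies": dict(FIREFOX_HARDENED)}


def load_policy_file(path):
    """Read a deployed policy file; a missing file audits as an empty policy."""
    path = Path(path)
    if not path.is_file():
        return {}
    doc = json.loads(path.read_text())
    return doc.get("policies", doc)   # unwrap Firefox's outer object if present


def write_policies(chrome_path=CHROME_POLICY_PATH, firefox_path=FIREFOX_POLICY_PATH):
    """Write both policy files (needs root; paths are assumptions)."""
    chrome_path.parent.mkdir(parents=True, exist_ok=True)
    chrome_path.write_text(json.dumps(CHROME_HARDENED, indent=2) + "\n")
    firefox_path.parent.mkdir(parents=True, exist_ok=True)
    firefox_path.write_text(json.dumps(firefox_policy_document(), indent=2) + "\n")


# Constructed sample: looks hardened at a glance, but the browser can still
# sign in and sync, so saved data follows the account to any device.
WEAK_CHROME_POLICY = {"PasswordManagerEnabled": False, "SyncDisabled": False}

if __name__ == "__main__":
    for key, want, got in audit_policy(WEAK_CHROME_POLICY, CHROME_HARDENED):
        print(f"{key}: expected {want!r}, got {got!r}")
    for key, want, got in audit_policy(load_policy_file(CHROME_POLICY_PATH), CHROME_HARDENED):
        print(f"deployed Chrome policy, {key}: expected {want!r}, got {got!r}")
```

Chrome reports the policies it has actually applied at chrome://policy, which is the quickest way to confirm on a single machine that the file was picked up; the audit function is for doing the same across a fleet from the files alone.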

Incident Readiness

  • Prepare for credential compromise: Assume some credentials will be stolen. Have rapid procedures ready to reset passwords, revoke active sessions and tokens, and rotate API and SSH keys; a password reset on its own leaves a stolen session cookie usable.
  • Monitor for lateral movement: Once infostealer credentials surface, attackers may use them to move laterally. Have detection for unusual lateral movement patterns.
  • Forensic capability: Maintain ability to quickly analyze infected endpoints and determine what was stolen.

The Uncomfortable Truth

Your credentials are probably already compromised.

With 2.1 billion credentials stolen via infostealers in 2024 and 4.3 million devices infected, the odds that your organization has at least one compromised employee credential are very high.

The question isn’t “have we been compromised?” It’s “when were we compromised and what damage resulted?”

Infostealer threats aren’t speculative. They’re inevitable.
