The discovery of 1.7 billion leaked passwords on the dark web underscores the widespread risk of credential compromise.
- Dean Charlton

- May 8, 2025
- 3 min read
The digital threat landscape has seen a dramatic and concerning escalation with the aggressive deployment of infostealer malware. These programs run quietly on everyday devices, extracting sensitive data such as passwords, browser information, and login tokens without the user's knowledge.
A recently published report (Fortinet's 2025 Global Threat Landscape Report, discussed below) has illuminated the sheer scale of this burgeoning problem, revealing an alarming 500% surge in infostealer activity within a single year, culminating in the harvesting of over 1.7 billion fresh user credentials. This signifies a fundamental shift in cybercriminal tactics, moving beyond large-scale data breaches to targeted and widespread individual device compromise.

This surge in credential theft is largely attributed to the industrialisation of the process. In 2024, cybersecurity researchers at Fortinet documented a staggering volume of stolen login data being actively traded within the dark web ecosystem. Unlike breaches of the past that relied on exploiting vulnerabilities in centralised databases, the 1.7 billion credentials identified were primarily sourced from active infostealer infections on individual user devices. This indicates a highly efficient and distributed method of data acquisition, directly impacting a vast number of unsuspecting individuals.
At the core of this growing menace lies infostealer malware, a specific category of malicious software meticulously designed to siphon sensitive information. This includes not only usernames and passwords but also browser cookies, email login details, cryptocurrency wallet information, and session tokens. The operational model of infostealers differs significantly from traditional data breaches. Instead of breaching a company's central servers, these programs infiltrate individual user machines, often remaining undetected while they systematically collect valuable data.
Once this sensitive information is harvested, it enters a sophisticated underground market facilitated by initial access brokers. These intermediaries play a crucial role by aggregating and selling compromised credentials and access tokens to various other cybercriminal entities, notably including ransomware operators. This mature market even features verified functionality and region-specific pricing for different types of access, ranging from corporate VPNs and administrative dashboards to personal bank accounts, highlighting the organised and commercial nature of this illicit activity. Fortinet's 2025 Global Threat Landscape Report specifically pinpointed a 500% increase in credential logs originating from infostealer infections over the preceding year, identifying prevalent and potent strains such as RedLine, Vidar, and Raccoon.
Infostealers typically infiltrate devices through deceptive means, including phishing emails, malicious browser extensions, fake software installers, and cracked applications. Upon successful installation, these programs scan browser databases, autofill records, saved passwords, and local files for any data related to credentials. Many advanced infostealers are also capable of targeting digital wallets, FTP credentials, and cloud service logins. Alarmingly, a significant number of these threats also exfiltrate session tokens and authentication cookies, which effectively sidesteps multifactor authentication: the stolen token represents a session that has already passed the MFA check, so replaying it grants access to the account without the attacker ever logging in or supplying a second verification factor.
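As an added example (not part of the original article), the following Python script scans constructed authentication log lines for one defender-side signal of a replayed stolen session cookie: the same session id being used from a network and client other than the one that completed MFA. The log format, field names and sample lines are assumptions made for this illustration.

```python
"""Flag sessions that are used from a different client than the one that
passed MFA. Added example; the log format below is constructed, not real."""
import json
from collections import defaultdict

# Constructed sample log: one JSON object per line, fields are assumptions.
SAMPLE_LOG = """\
{"ts": "2025-05-08T09:00:00Z", "event": "mfa_ok", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Firefox/128"}
{"ts": "2025-05-08T09:05:00Z", "event": "request", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Firefox/128"}
{"ts": "2025-05-08T11:40:00Z", "event": "request", "user": "alice", "session": "s1", "ip": "198.51.100.77", "ua": "Chrome/124"}
{"ts": "2025-05-08T09:10:00Z", "event": "mfa_ok", "user": "bob", "session": "s2", "ip": "192.0.2.5", "ua": "Chrome/124"}
{"ts": "2025-05-08T09:30:00Z", "event": "request", "user": "bob", "session": "s2", "ip": "192.0.2.5", "ua": "Chrome/124"}
"""


def parse_log(text):
    """Parse JSON lines and order them by timestamp (ISO 8601 sorts lexically)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def find_replayed_sessions(events):
    """Return {session_id: [(severity, ip, ua), ...]} for every request whose
    client differs from the one recorded when that session completed MFA.
    Both IP and user agent differing is 'high'; only one differing is 'medium'
    (a user agent alone can change with a browser update)."""
    baseline = {}                 # session id -> (ip, ua) seen at mfa_ok
    alerts = defaultdict(list)
    for e in events:
        sid, ip, ua = e["session"], e["ip"], e["ua"]
        if e["event"] == "mfa_ok":
            baseline[sid] = (ip, ua)   # a fresh MFA re-establishes the baseline
            continue
        if sid not in baseline:
            continue                   # no MFA record for this session in the window
        base_ip, base_ua = baseline[sid]
        diff_ip, diff_ua = ip != base_ip, ua != base_ua
        if not (diff_ip or diff_ua):
            continue
        severity = "high" if diff_ip and diff_ua else "medium"
        alerts[sid].append((severity, ip, ua))
    return dict(alerts)


def scan(text):
    """Convenience wrapper: raw log text in, alerts out."""
    return find_replayed_sessions(parse_log(text))


if __name__ == "__main__":
    for sid, hits in scan(SAMPLE_LOG).items():
        for severity, ip, ua in hits:
            print(f"[{severity}] session {sid} reused from {ip} ({ua})")
```

In the sample, alice's session s1 is reused from a new IP and browser two hours after MFA, which is the pattern a replayed cookie produces; bob's session stays on one client and is not flagged.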
To effectively defend against the escalating threat of infostealer malware, a proactive and multi-layered approach combining smart security habits and reliable tools is essential. This includes adopting a dedicated password manager to avoid browser-based password storage, enabling two-factor authentication on all critical accounts to provide an additional security layer, and utilising strong antivirus software while exercising extreme caution with downloads and links from untrusted sources. Furthermore, keeping all software consistently updated is crucial to patch known vulnerabilities, and individuals may also consider employing a personal data removal service to minimise their online footprint and reduce the risk of targeted attacks.
Summary: Infostealer malware represents a rapidly growing and pervasive cyber threat, with activity increasing by an alarming 500% in the past year, leading to the exposure of over 1.7 billion credentials. These stealthy programs infiltrate individual devices to steal sensitive information like passwords and login tokens, often sidestepping multifactor authentication through the theft of session tokens. This stolen data fuels a mature dark web market where initial access brokers sell compromised credentials to other cybercriminals. Protecting against this threat requires a combination of using password managers, enabling 2FA, employing strong antivirus software, practising caution with online interactions, keeping software updated, and potentially utilising personal data removal services.