Data-Stealing Storm:

Exploring the Dark Web Market

for Compromised Credentials
What Businesses Need to Know About
this Threat and How to Mitigate It

1
 Introduction
The Kaspersky Digital Footprint Intelligence team has prepared a report
that draws on data on millions of devices compromised by specific
malware designed for stealing information, or infostealers.

Infostealer is a type of malware designed for collecting and stealing

confidential information: accounts and credentials, cookies, bank card
details, cryptowallets, and so on. The data stolen from millions of devices
all over the world is forwarded to the malware operator’s C&C (Command
and Control) server and assembled into logs (a log file typically contains
information from a single infected system), to then be distributed among
the cybercrime community through darknet markets.

This report presents statistics and key takeaways from processing and
analysis of infostealer logs collected from 2021 through 2023.

Sources of the analyzed

information
Cybercriminals use private threads on underground forums to publish
logs collected by infostealers from infected devices. These files contain
users’ accounts and other details, as well as information about the
compromised device itself.

Cybercriminals typically sell logs to other cybercriminals, but they may

share data for free. For example, they may share what is left after they
have extracted all the information they need to boost their reputation
with the community.

Infostealer infection scenario

Log files are published

on Darknet forums

Malware intercepts
authentication data
and transfers it to
C&C server

User does not notice an infostealer

infection and continues to use
internet resources

1
One log file contains an average We analyze logs to isolate compromised accounts. If a user account is
of found in malware (Trojan, spyware bot, etc.) logs, this is a sign that the
user’s device was infected.

50.9 accounts It is important to note that one log corresponds to one infection of a
specific machine, while it can contain a large number of accounts for
various websites or applications that were used on the device.

The number of infections Infection trends we observed

detected in 2023 represents a
Note that logs do not show up on the dark web immediately after a

35%
device is compromised. The account may have been hacked in 2022,
but a corresponding log file might be published no earlier than 2023.
Therefore, it is reasonable to expect 2023’s actual infection figures to be
adjusted upward if we consider predictions about the number of logs to
increase on 2022 based on be published in 2024.
forecast data. The infection
date is determined based on The observable log dynamics suggest that in the first months of the year,
compromised device metadata the number of log files for the previous year is greater than in the last
contained in infostealer logs months of the year.

Yearly infection statistics

18 000 000
15 908 793
16 000 000

14 000 000
11 822 629
12 000 000 10 771 801
9 772 121
10 000 000

8 000 000
6 356 004
5 778 185
6 000 000

4 000 000
1 315 915 1 447 507
2 000 000

0
2020 2021 2022 2023

Infections observed Infections expected

1
Cybercriminals may post log files containing compromised
accounts on the darknet months or even years after
To build the forecast, we compared the number of compromised
infection. We track both posting dates and actual accounts from 2020 through 2023 by month. We used this data to
compromise dates. In 2024, we expect to see more data
that was compromised in 2023 or earlier but leaked on identify a trend while augmenting our datasets from previous years with
the darknet some time after. Prior to 2022, the difference
between observed and expected infections is smaller as
newly obtained data, which now allows us to predict expected numbers
most compromised login credentials have been leaked. adjusted for the estimated amount of data to be added in the future1

2
 Infection statistics by operating
system
According to the metadata found in infostealer logs, the bulk of the
compromised devices are powered by Windows. This can be attributed
to the general popularity of this operating system, not security issues:
Windows is one of the most widely used operating systems both in the
home and corporate segments.

We have analyzed the infection statistics for various Windows versions:

Home, Pro, and Enterprise. This data helps detect trends and split these
between corporate and home users.

Windows 10 infection statistics

The diagram below shows the proportions of infections for various
Windows 10 versions split by year from 2020 through 2023.

Distribution of infections across affected Windows 10 versions,

2020–2023

100 %
19.40%
80 % 34.31%
45.48% 53.07%
60 % 43.60%
29.50%
18.82%
40 % 15.96%

20 % 37.00% 36.19% 35.71% 30.97%

0

2020 2021 2022 2023

Windows 10 Home Windows 10 Pro Windows 10 Enterprise

It can be seen from the diagram that the relative numbers of

compromised corporate users have increased from year to year.

3
 Corporate access availability statistics
by Windows 10 version
Another trend is one associated with compromise of accounts in various
Windows 10 versions that have access to corporate resources.

Compromised corporate Windows 10 accounts

100 %
17.48%
29.07%
80 % 39.91%
48.17%
19.40%
65.18% 33.28%
60 % 27.97%
16.75%
14.15%
40 %
10.93%
49.24%
20 % 42.96% 43.34%
37.68%
23.88%

2019 2020 2021 2022 2023

Windows 10 Home Windows 10 Pro Windows 10 Enterprise

A malicious actor can
gather information about an
employee’s credentials with a
corporate email as a login to an
average of
1.85 web applications
from a log file.
The diagram shows that the number of accounts found in infostealer logs
associated with the Home version started shrinking after 2020, the year
when it also peaked.
We attribute this trend to the COVID-19 pandemic, which started in March
2020 and led to a mass transition to remote working, with employees
often using their personal devices.
The latter often lack the robust security controls used in corporate
environments, such as protective solutions, and corporate and password
policies. This factor increases the likelihood of the device being infected,
as it lacks the added security layer that prevents malware from being
downloaded and run. Therefore, compromising the employee’s personal
device that was used to log in to work resources may lead to leakage of
corporate accounts and access information.

4
Around 100 Infection statistics by stealer type
The diagram below reflects the percentages of the types that we
different infostealer types detected in 2020–2023.
were found in logs1.

1
Data available within our field of view

Infections by stealer type 0.47 %

4.45 %

7.2 %

7.48 %

11.9 % 51.44 %

17.07 %

Redline Vidar Raccoon Redline metastealer 1 % <= LOGS < 5 % 0.1 % <= LOGS < 1 % LOGS < 0.1 %

Mentions of the different stealers on dark web forums

1000

800

600

400

200

AZORult Arkei Vidar Racoon Redline

5
 The changes in the popularity of the three most widespread stealers
during the period looked as follows:

100 %
7.68% 11.41%
13.90% 12.46%
5.27%
80 % 15.25%
39.41%
33.20%

60 %
55.04%
9.23%
40 % 61.76%

48.71%
20 % 43.66%
28.28%
10.54%
0 4.21%

2020 2021 2022 2023

Other Redline Vidar Raccoon

The share of infections Redline gained popularity in 2021 and has accounted for half of all
attributed to new stealers infections since then. Vidar peaked in 2020–2021, but then declined
increased from significantly in the years that followed.

4.21%
Written in C, Iumma emerged in 2022 and started gaining popularity in
to 2023 on the back of a MaaS (malware-as-a-service) distribution model. It
is mostly a regular infostealer, but with an added focus on cryptowallets. It

28.28%
spread via sweeping email, YouTube, and Discord spam campaigns.

Among the new stealers, Stealc also stands out as it accounted for 3.59%
of infections in 2023.
in 2021–2023.

This trend is evidence of activity Infections by stealer type, 2023

on the infostealer development
market. 3.33 %
3.59 %

The new Iumma stealer Redline

accounted for Vidar

6.38%
14.98 % Raccoon

6.38 % Lumma
55.04 %
of total infections in 2023. Redline metastealer
11.41 %
Stealc stealer

Other types

5.27 %
6
 Compromised credentials
statistics by top-level domain
We have analyzed the number of compromised accounts with websites
hosted in various regional domains. The data sample represents Latin
character and generic top-level domains.

Below, you can find a list of the 30 domains with the largest number of
compromised accounts in 2023. These domains experienced an average
increase of 230% in the number of compromises compared to 2021.

It is important to emphasize that some domains are not only utilized for
hosting local websites but also for popular international services.

For instance, streaming platform Twitch operates on the domain .tv while
being international and not associated with any particular country. This fact
may largely impact the frequency of compromises for the domain .tv, but,
in fact, it does not necessarily correlate with the infostealer threat level in a
particular country. Additional examples encompass websites such as linked.in,
telegra.ph, etc. Indeed, any domain may host popular international websites,
rendering them relevant targets for cybercriminals. It’s essential to recognize
that while the existence of such websites within the domain zone may impact
the frequency of compromised accounts, it does not necessarily correlate
directly with the infostealer threat level in a country linked to this domain.

Top-level domain extension Number of compromised credentials per domain, 20231

1 .com 325,900,000
2 .br 28,800,000
3 .in 8,200,000
4 .co 6,000,000
5 .vn 5,500,000
6 .io 4,800,000
7 .tv 4,700,000
8 .mx 4,600,000
9 .fr 4,500,000
10 .es 4,400,000
11 .id 4,400,000
12 .it 4,200,000
13 .ar 4,200,000
14 .tr 3,800,000
15 .pe 3,400,000
16 .cl 2,900,000
17 .pl 2,700,000
18 .eg 2,700,000
19 .de 2,700,000
20 .sa 2,600,000
21 .ru 2,500,000
22 .uk 2,500,000
23 .pk 2,400,000
24 .nz 2,300,000
25 .th 2,200,000
26 .me 2,100,000
27 .us 2,100,000
28 .hu 2,000,000
29 .bd 1,600,000
30 .eu 1,600,000

1
The table displays rounded numbers
7
Analysis of corporate systems
We used the data that we gathered to collect statistics on re-infections of corporate users.

We selected 50 banking organizations in various regions to analyze compromised employee accounts1.

Our analysis focused on larger organizations (with 1,000 or more on the payroll), excluding those that saw only
isolated infection cases.
We defined three categories of re-infection:

1 2 3

Short-term: less than three Long-term: more than three Other: the interval between
days between re-infections2 days between re-infections infections cannot be
determined from available
metadata
1 The study used email addresses from log files that were
found on the dark web and thought to be associated with a
specific company in a sample. The compromised data was
not verified in order to prevent unauthorized access to any
company’s infrastructure. According to our data presented in the diagram below, most of the
2
The benchmark was based on the average period within re-infections fell in the short-term category, and 35%, in the long-term
which a critical incident could be detected, taking into
account weekends, holidays, and possible employee category.
absence

Re-infections

7%

35 % Total long-term
Total short-term
58 % Total no details

Also, we can make the following conclusions:

21.07% 8.94%
of all employees in review whose of infected employees ran malware
devices were infected ran again in three or more days after
malware again. getting infected for the first time.

8
Conclusion and advice
In the last three years, we have observed a steady increase in infostealer infections that appear within our field
of vision. Windows 10 Enterprise accounts for an increasing number of compromised devices, which suggests an
increase in the number of infected corporate devices.

Malicious actors are actively developing new stealers and using these in their attacks. The share of devices
compromised with malware that was not present among the three most popular types rose by more than 20% in
2021–2023.

We have observed re-infection trends. Long-term re-infections may be symptomatic of several issues:

Insufficient employee Ineffective incident Confidence that it Refusal to investigate

awareness detection and is enough to change the incident
response measures the password if the
account has been
compromised

Compromise of service accounts is a direct threat to the security of user and other data, but the very fact that the
device has been infected suggests that data stored on it may have been leaked. Besides, in some cases, malicious
actors may retain access to the infected machine for a long time.

Hence, the following are steps that must be taken if a data leak through logs has been detected:

• Immediately change the passwords for accounts that are presumed to be compromised and look for
suspicious events associated with those accounts.

• Notify the users whose devices may be infected of the need to run full antivirus scans of all their devices and
delete any malware they find.

• Start proactively monitoring darknet markets to detect compromised accounts before they affect the
cybersecurity of customers or employees. A detailed guide on setting up monitoring can be found here;

• Use Kaspersky Digital Footprint Intelligence to stay on top of what malicious actors know about the company’s
resources, promptly detect potential attack vectors, and configure protection or take steps to eliminate
cyberthreats in a timely manner.

To ensure efficient protection and reduce the risks associated with infostealer infection, we recommend doing the
following:

• Design an employee information security awareness program, and provide regular training and performance
assessments.
• Introduce a strict password policy for all corporate resources.

www.kaspersky.com
© 2024 AO Kaspersky Lab.
Registered trademarks and service marks are the property
of their respective owners.