Infostealer Malware
Infostealer malware is a class of credential-harvesting software that exfiltrates browser session cookies, saved passwords, 2FA tokens, and other identity artifacts from infected endpoints — then self-deletes. The stolen data is sold on dark web markets and Telegram channels within 24–48 hours of infection. In an ecommerce context, session cookies are the primary prize: a valid session cookie gives an attacker an already-authenticated session, bypassing login, MFA, and — unless combined with device-binding — passkeys entirely.
Scale of the threat (as-of 2026-06)
- Flashpoint's 2026 Global Threat Intelligence Report counted more than 11.1 million devices infected with infostealers in the last year, contributing to over 3.3 billion stolen credentials, session cookies, cloud tokens, and other identity artifacts circulating across illicit markets. (Flashpoint, 2026-06-10)
- A separate synthesis aggregating Flashpoint + DeepStrike data cites 1.8 billion credentials from 5.8 million devices in 2025 — likely a narrower time window or counting methodology. (shattered.io, 2026-06-14)
Infected device count discrepancy: shattered.io/DeepStrike cites 5.8 million devices for the 1.8B credential figure [shattered.io, 2026-06-14]; Flashpoint's own June 2026 blog cites 11.1 million devices for 3.3B credentials [Flashpoint, 2026-06-10]. The Flashpoint figure may include a broader time window (2024+2025 combined). Both are from Flashpoint-derived data; different counting methodologies are likely.
- Constella Intelligence processed 51.7 million infostealer packages in 2025, a 72% year-over-year increase; 98.6% contained active passwords and 99.54% included the specific URLs where credentials were used (as-of 2026-04-10). (Constella Intelligence, 2026-04-10)
- Huntress reported infostealers drove nearly 24% of all cyber incidents in 2024, with 2025 data showing a 104% year-over-year increase in detections (as-of 2026-06-14). (shattered.io citing Huntress, 2026-06-14)
- SpyCloud recaptured more than 20 billion cookie records in 2023 alone, averaging more than 2,000 cookie records per infected device (as-of 2024-03-26). (SpyCloud, 2024-03-26)
- The average individual digital identity had a 1-in-5 chance of already being the victim of an infostealer infection by early 2024. (SpyCloud, 2024-03-26)
- 78% of recently breached companies had corporate credentials appearing in infostealer logs within six months of their breach (as-of 2026-04-10). (Constella Intelligence, 2026-04-10)
- Infostealer log volumes on major dark web markets ballooned 670% since 2021 per DeepStrike (sourced via shattered.io, 2026-06-14).
How infostealers bypass MFA and passkeys
Infostealers do not crack MFA — they steal session cookies that were issued after MFA was successfully completed. An attacker replaying a stolen cookie is presenting a valid, already-authenticated session; the application cannot distinguish it from the original user. (WhiteIntel, 2026-05-29)
Session token taxonomy by replayability
WhiteIntel distinguishes four token types (as-of 2026-05-29):
| Token type | Replayable after theft? | Notes |
|---|---|---|
| Opaque session cookies | ✅ Until server-side revocation | Most ecommerce sessions today |
| JWT tokens | ✅ Until expiry | Stateless; no revocation without token rotation |
| OAuth refresh tokens | ✅ Indefinitely | "Crown jewel" — silently renews access |
| Device-bound tokens (DPoP, mTLS, DBSC) | ❌ | Cryptographically bound; unusable without private key; adoption still partial in 2026 |
Practitioners in r/netsec (234 upvotes, 2024-12) describe the framing shift: "Infostealers are now primarily session theft tools, not credential stealers. The cookie grab is the primary payload — everything else is bonus." (Reddit r/netsec)
Passkeys are specifically addressed: "Passkeys solve the phishing problem. They do not solve the post-authentication session theft problem. If your device is infected with an infostealer, the attacker steals the session cookie after you've authenticated with your passkey." (Reddit r/netsec, 445 upvotes, 2024-09) — see Passkeys (WebAuthn).
Session hijacking vectors
WhiteIntel identifies four main session-hijacking vectors in 2026:
- Infostealer logs — dominant vector; entire browser cookie store exfiltrated
- Cross-site scripting (XSS) — in-browser cookie theft
- Man-in-the-middle on network path — declining with TLS adoption
- Adversary-in-the-middle (AitM) phishing proxies — capture session cookie after user completes MFA; a separate attack category from infostealer
Key behaviour: stolen session cookies remain valid until the application explicitly invalidates them. An attacker can keep using a hijacked session after the victim changes their password. Password reset alone is insufficient — session cookie invalidation is required. (WhiteIntel, 2026-05-29; Hudson Rock / Leonid Rozenberg, Infostealers.com, 2025-02-05)
Non-persistence: infect, exfiltrate, self-delete
Modern infostealers are generally non-persistent: they infect a device, execute data exfiltration, then self-delete. The ongoing data collection risk on the same device post-infection is low — but all credentials and session tokens captured at the moment of infection remain compromised. (Hudson Rock / Leonid Rozenberg, Infostealers.com, 2025-02-05)
This also means endpoint detection often misses the execution window. SpyCloud found that 66% of malware infections occur on devices with EDR/AV already installed (H1 2024 data: 54% per SpyCloud 2024 Defense Report; updated to 66% in 2025-26 reporting). Endpoint tools are insufficient as a standalone control. (SpyCloud, 2024-09-17; updated 2026-05-26)
Active malware families (as-of 2026-06)
Flashpoint's June 2026 analysis identifies the most actively distributed strains as LummaC2, ACRStealer (Acreed), StealC, Vidar, and Rhadamanthys, with 30+ active strains tracked across underground ecosystems. (Flashpoint, 2026-06-10)
- Lumma Stealer was the dominant family until Microsoft's Digital Crimes Unit and law enforcement sinkholed approximately 394,000 infected hosts and seized ~2,300 C2 domains in May 2025 — one of the largest coordinated takedowns of a single stealer. However, newer stealers (Katz, Bee, Cyber at $99/month, AURA) filled the gap rapidly. (shattered.io citing Microsoft, 2026-06-14)
- Chrome's App-Bound Encryption was flagged as a "meaningful speed bump" for cookie theft — but Lumma Stealer bypassed it within approximately two weeks of Chrome's rollout. "We're in an arms race at the browser layer that defenders can't win long term." (Reddit r/netsec, 378–445 upvotes, 2025-06)
Chrome App-Bound Encryption: A minority view (334 upvotes) argues it is a "meaningful speed bump" that raises attacker complexity and detection surface, even if bypassable. The majority (378 upvotes, 445 upvotes) holds it was bypassed by Lumma within 2 weeks and the browser layer is structurally disadvantaged. Both camps agree server-side session controls are more durable. [Reddit r/netsec, 2025-06]
- RisePro grew to ~23% of infections and StealC to ~13% post-2023; the market shows no durable monopoly and churn is structural. (shattered.io citing DeepStrike, 2026-06-14, stale_risk: med — DeepStrike methodology not independently verified)
- macOS infostealers growing: Atomic macOS Stealer entered the scene in late 2022 and infection volumes for macOS have increased materially since. (SpyCloud, 2024-03-26)
Dark web supply chain (as-of 2026)
Stolen cookies move through three distribution channels post-infection:
- Direct operator-to-buyer sales (0–24 hours): highest-quality logs, premium pricing
- Telegram channel drops (12–48 hours): semi-public; curated by malware operator
- Underground marketplaces (Russian Market, 2easy) (24–72 hours): filterable by employer domain or target application
Pricing: a complete stealer log (passwords, active session cookies, system fingerprint, personal data) can be purchased for $10–$100 depending on target profile (as-of 2026-05-29). (WhiteIntel, 2026-05-29)
Log curation has become sophisticated: dark web listings in 2025–2026 include account type tags — "Amazon Prime", "Shopify store owner", "PayPal verified" — enabling targeted purchase of access to specific account types. (Reddit r/fraud, 134 upvotes, 2025-05)
Underground forum listings explicitly target consumer ecommerce and payments platforms including PayPal, Booking.com, eBay, Steam, Netflix, TikTok, Binance, Epic Games, and Apple. (WhiteIntel, 2026-05-29)
Ecommerce ATO mechanics via infostealer logs
Practitioners in r/fraud (2025-05) describe the full attack playbook:
- Buy fresh logs with ecommerce session cookies filtered by account type
- Load cookies into a fraud browser (Linken Sphere, Octo Browser) to spoof device fingerprint
- Change shipping address to a drop address or reshipping service
- Place high-value order or drain gift card balance
- Log out
"The whole thing takes under 10 minutes if the session is live. Detection has to be real-time or it misses it." (Reddit r/fraud, 134 upvotes, 2025-05)
Gift cards are the primary cash-out mechanism: "Gift card purchases from newly accessed sessions are almost always fraud. It's a clean cash-out mechanism." (Reddit r/ecommerce, 112 upvotes, 2025-01) — see Gift Card Fraud.
Session lifetime is a key attacker variable: "retailers with 30-day persistent sessions are sitting ducks; viable windows range from 2 hours to 30 days depending on the site's session policy." (Reddit r/fraud, 98 upvotes, 2025-05)
Ransomware entry: DeepStrike found that more than 54% of ransomware victims in 2024 and 2025 had domain credentials appear on infostealer log marketplaces before the attack hit. (shattered.io citing DeepStrike, 2026-06-14)
Device-binding as structural defence
Google made Device Bound Session Credentials (DBSC) generally available to Windows users in Chrome 146 on April 10, 2026, cryptographically binding session cookies to the device's TPM so that a stolen cookie is useless without the private key, which cannot leave the hardware module. (Constella Intelligence, 2026-04-10)
DBSC coverage gaps (as-of 2026-04-10):
- macOS support: no published timeline
- Mobile browsers: unsupported
- Website/SaaS backend implementation required per-site
- Devices without TPM fall back to standard (unprotected) behaviour
- DBSC covers session cookies only — not passwords, PII, VPN configs, SSH keys, or cloud tokens
(Constella Intelligence, 2026-04-10)
Detection signals (practitioner-reported)
Three signals from r/fraud practitioners (198 upvotes, 2024-12) that reliably identify session-hijacking ATO:
- Impossible velocity — session authenticated in geo A, new request from geo B minutes later
- Action sequence anomaly — session goes straight to checkout with saved payment, no browsing
- Shipping address change immediately preceding a high-value order
"These three in combination catch most of the stealer-log ATO. The challenge is false positive rate." (Reddit r/fraud, 198 upvotes, 2024-12)
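The three signals above, run in combination over constructed session log lines, as an added example (not code from the r/fraud thread or any vendor); the log format, action names and all thresholds are assumptions.

```python
"""Three-signal ATO detector from the page (added example; thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime

VELOCITY_WINDOW_S = 30 * 60        # geo change inside 30 min is "impossible" (assumed)
HIGH_VALUE = 500.0                 # order amount treated as high-value (assumed)
ADDRESS_ORDER_WINDOW_S = 10 * 60   # address change this close before an order (assumed)
BROWSE_ACTIONS = {"view_product", "search", "view_category"}
CHECKOUT_ACTIONS = {"checkout_saved_payment", "place_order"}

def parse(line: str) -> dict:
    """Parse 'ts|session|geo|action|amount' (constructed log format for this example)."""
    ts, sid, geo, action, amount = line.split("|")
    return {"ts": datetime.fromisoformat(ts).timestamp(), "sid": sid,
            "geo": geo, "action": action, "amount": float(amount or 0)}

def signals_for(events: list[dict]) -> set[str]:
    """Return the set of signals fired by one session's events."""
    events = sorted(events, key=lambda e: e["ts"])
    found: set[str] = set()
    for prev, cur in zip(events, events[1:]):  # 1. impossible velocity between consecutive requests
        if cur["geo"] != prev["geo"] and cur["ts"] - prev["ts"] <= VELOCITY_WINDOW_S:
            found.add("impossible_velocity")
    # 2. Action sequence anomaly: straight to checkout/order with nothing browsed first.
    actions = [e["action"] for e in events]
    first_checkout = next((i for i, a in enumerate(actions) if a in CHECKOUT_ACTIONS), None)
    if first_checkout is not None and not BROWSE_ACTIONS.intersection(actions[:first_checkout]):
        found.add("action_sequence_anomaly")
    # 3. Shipping address change immediately preceding a high-value order.
    last_addr_change = None
    for e in events:
        if e["action"] == "change_shipping_address":
            last_addr_change = e["ts"]
        elif (e["action"] == "place_order" and e["amount"] >= HIGH_VALUE and
              last_addr_change is not None and e["ts"] - last_addr_change <= ADDRESS_ORDER_WINDOW_S):
            found.add("address_change_before_high_value_order")
    return found

def analyse(lines: list[str], min_signals: int = 2) -> dict[str, set[str]]:
    """Sessions firing at least min_signals; requiring a combination limits false positives."""
    by_session: dict[str, list[dict]] = defaultdict(list)
    for ev in map(parse, lines):
        by_session[ev["sid"]].append(ev)
    return {sid: sig for sid, evs in by_session.items()
            if len(sig := signals_for(evs)) >= min_signals}

SAMPLE_LOG = [  # constructed: s1 is an ordinary shopper, s2 a replayed stolen cookie
    "2026-05-01T10:00:00|s1|DE|authenticate|",
    "2026-05-01T10:03:00|s1|DE|view_product|",
    "2026-05-01T10:09:00|s1|DE|view_product|",
    "2026-05-01T10:15:00|s1|DE|place_order|89.90",
    "2026-05-01T12:00:00|s2|DE|authenticate|",
    "2026-05-01T12:06:00|s2|NG|change_shipping_address|",
    "2026-05-01T12:07:30|s2|NG|place_order|1499.00",
]
```

`analyse(SAMPLE_LOG)` flags only s2, with all three signals; raising `min_signals` to 3 trades recall for the lower false-positive rate the quote worries about.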
Device fingerprinting effectiveness debate:
A fraud vendor analyst (112 upvotes) argues fraud browsers "can't spoof everything — especially hardware-level WebGL characteristics, font rendering subtleties." Fraud operations practitioners (198 upvotes) counter that device fingerprinting is not a reliable primary signal and has been substantially defeated by Linken Sphere and Octo Browser. Both camps agree it is insufficient as a standalone control. [Reddit r/fraud, 2024-12]
Prevention controls
WhiteIntel identifies five prevention categories (2026-05-29):
- Short session lifetimes — 4–12 hours for internal SaaS; 15–30 minutes for banking; ecommerce must balance conversion (see Checkout Abandonment)
- Device-binding — DPoP, mTLS, or Chrome DBSC (Windows only, as-of 2026-04)
- Conditional re-authentication for sensitive actions (email change, payment method change, new shipping address, gift card purchase)
- Step-up MFA on session anomalies (impossible travel, new device fingerprint)
- Continuous leaked-cookie monitoring with real-time session revocation within the 24–48 hour window before buyer replay
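A server-side session policy implementing three of the controls above (short lifetime, conditional re-authentication for sensitive actions, revocation) together with the point from "Session hijacking vectors" that a password reset alone leaves a stolen cookie valid. This is an added example, not WhiteIntel's or any vendor's code; the lifetime, step-up freshness window and action names are assumptions.

```python
"""Session policy: short lifetime, revoke-all on password reset, step-up for sensitive actions (added example)."""
import secrets

SENSITIVE_ACTIONS = {"change_email", "change_payment", "new_shipping_address", "buy_gift_card"}
SESSION_LIFETIME_S = 4 * 3600    # 4 h, low end of the 4-12 h range the page quotes
STEP_UP_FRESHNESS_S = 10 * 60    # re-auth older than 10 min counts as stale (assumed)

class SessionStore:
    def __init__(self) -> None:
        # token -> {user, issued, last_auth (last MFA/passkey), gen (credential generation)}
        self._sessions: dict[str, dict] = {}
        self._generation: dict[str, int] = {}   # per user, bumped on every password reset

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(user, 0)
        self._sessions[token] = {"user": user, "issued": now, "last_auth": now, "gen": gen}
        return token
    def reset_password_naive(self, user: str) -> None:
        """Insufficient remediation: only the password hash changes; sessions untouched."""

    def reset_password_and_revoke(self, user: str) -> None:
        """Required remediation: bump the generation so every outstanding cookie dies."""
        self._generation[user] = self._generation.get(user, 0) + 1

    def step_up(self, token: str, now: float) -> None:
        """Record a passed MFA/passkey re-prompt (the check itself is the caller's job)."""
        self._sessions[token]["last_auth"] = now

    def authorize(self, token: str, action: str, now: float) -> str:
        """Return 'ok', 'invalid' (expired or revoked) or 'step_up' (fresh re-auth needed)."""
        s = self._sessions.get(token)
        if s is None or now - s["issued"] > SESSION_LIFETIME_S:
            return "invalid"
        if s["gen"] != self._generation.get(s["user"], 0):
            del self._sessions[token]            # cookie predates a password reset: dead
            return "invalid"
        if action in SENSITIVE_ACTIONS and now - s["last_auth"] > STEP_UP_FRESHNESS_S:
            return "step_up"
        return "ok"

def demo() -> dict:
    """Replay a cookie stolen at t0 through both remediation paths (constructed timeline)."""
    store, t0 = SessionStore(), 1_700_000_000.0
    stolen = store.login("alice", t0)                     # cookie exfiltrated by a stealer at t0
    out = {"replay_before_reset": store.authorize(stolen, "view_cart", t0 + 600)}
    store.reset_password_naive("alice")
    out["after_naive_reset"] = store.authorize(stolen, "view_cart", t0 + 900)
    out["gift_card_no_step_up"] = store.authorize(stolen, "buy_gift_card", t0 + 1200)
    store.step_up(stolen, t0 + 1200)                      # only the real owner can pass this
    out["gift_card_after_step_up"] = store.authorize(stolen, "buy_gift_card", t0 + 1300)
    store.reset_password_and_revoke("alice")
    out["after_revoking_reset"] = store.authorize(stolen, "view_cart", t0 + 1800)
    return out
```

`demo()` shows the stolen cookie still authorising after the naive reset, being stopped at the gift-card purchase by the step-up requirement, and dying only once the credential generation is bumped.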
Practitioners report short-lived session tokens combined with device-bound credentials achieved ~70% ATO reduction from stealer logs in one deployment (as-of 2025). (Reddit r/fraud, 89 upvotes, 2025-04)
Post-infection remediation: SpyCloud advocates a process that goes beyond cleaning the infected device to forcibly invalidating stolen session cookies and resetting compromised passwords, because the stolen data is already exfiltrated when the infection is discovered. (SpyCloud, 2026-05-26)
"MFA is dead" vs "MFA still necessary": An r/netsec post (234 upvotes, 2024-12) argues "MFA is effectively dead against infostealer-sourced ATO." The top comment (312 upvotes) pushes back: "'MFA is dead' is too strong. MFA still defeats credential stuffing, which remains high-volume. The claim should be 'MFA is insufficient against infostealer-sourced ATO.' These are different threat categories." Community consensus: MFA is necessary but not sufficient; threat categories must not be conflated. [Reddit r/netsec, 2024-12]
Delivery vectors for consumer infections
Primary infection vectors targeting consumer/retail victims (Hudson Rock / Leonid Rozenberg, Infostealers.com, 2025-02-05):
- Fake ads on search engines — paid placements impersonating legitimate software
- Phishing emails with malicious downloads
- Pirated software and game cracks via torrent
- Social media accounts offering fake deals
Retail sector specifics
SpyCloud's 2024 Defense Report found that retail organisations rank their ability to identify exposed business applications as their top capability priority for malware response — one of only three sectors (alongside manufacturing and technology) prioritising improved ransomware prevention in 2024–25. (SpyCloud, 2024-09-17)
Each malware infection exposes an average of 10–25 third-party business application credentials. Third-party account compromise ranked as the second most common ransomware entry point in the 2024 survey. (SpyCloud, 2024-09-17)
Shopify merchants describe being targeted via compromised customer accounts: "I've had customers report ATO where orders were placed to addresses in Eastern Europe. The customer had no idea how — they said they use a password manager and MFA. It's almost certainly a stealer on their machine that got the session." (Reddit r/shopify, 87 upvotes, 2025-03)
Vendor landscape (as-of 2026)
| Vendor | Offering | Key differentiator |
|---|---|---|
| SpyCloud | Workforce/Endpoint/Session Identity/Consumer Threat Protection; Post-Infection Remediation | IDLink technology links exposed data to specific identities; session cookie invalidation workflow |
| WhiteIntel | Continuous dark web ingestion; SIEM/IdP webhook output | Covers Telegram channels + direct operator feeds; structured enrichment |
| Constella Intelligence | Infostealer Sentinel | 1T+ attributes across 125+ countries; positions as complement to Google DBSC for browsers without TPM |
| Flashpoint | Primary Source Collection (PSC); 48B+ credential DB | 30+ active stealer strains tracked; structured output with cookie/host-metadata enrichment |
| Hudson Rock | Cybercrime Intelligence service | 30M+ infected computer analysis; domain compromise visibility |
Key terms
| Term | Meaning |
|---|---|
| Stealer log | Package of exfiltrated data from a single infected device: cookies, passwords, system fingerprint, URLs |
| Combolist | Aggregated username:password pairs compiled from multiple stealer logs or breaches; see Credential Stuffing |
| Session cookie | Server-issued token identifying an authenticated session; replayable until server-side revocation |
| AitM (Adversary-in-the-Middle) | Phishing proxy that sits between user and site, captures session cookie after MFA completes |
| DBSC | Device Bound Session Credentials — Chrome 146 (Apr 2026, Windows only) |
| Fraud browser | Specialised browser (Linken Sphere, Octo Browser) for spoofing device fingerprints during ATO |
Benchmarks (as-of 2026-06)
| Metric | Value | Source |
|---|---|---|
| Devices infected (last year) | 11.1M | Flashpoint, 2026-06 |
| Stolen identity artifacts in circulation | 3.3B | Flashpoint, 2026-06 |
| Infostealer packages processed by Constella (2025) | 51.7M (+72% YoY) | Constella, 2026-04 |
| Infections with AV/EDR installed (H1 2024) | 54–66% | SpyCloud, 2024-09/2026-05 |
| Session cookie theft as ransomware entry point | #3 overall | SpyCloud, 2024-09 |
| ATO reduction from short sessions + device-binding | ~70% (one practitioner) | Reddit r/fraud, 2025 |
| Retailer corporate credentials in logs before breach | 54% (ransomware cases) | DeepStrike via shattered.io, 2026 |