Infostealer malware crossed a threshold in 2025 that changes how every security team should think about passwords. According to Flashpoint, these silent credential-grabbers contributed to the theft of more than 1.8 billion credentials from 5.8 million infected devices, a figure the firm described as an 800% jump over the prior four months. Stolen passwords and session cookies now show up in 86% of breaches, per DeepStrike’s 2025 stealer-log analysis, which means the humble infostealer has quietly become the single most common doorway into corporate networks.

This is a news analysis of where the infostealer economy stands as of June 2026: the hard numbers, the named malware families, the takedowns that did and did not work, what named researchers are saying, and where the credential-theft market goes next. The short version is uncomfortable. Even after Microsoft and law enforcement dismantled the dominant player in May 2025, the ecosystem absorbed the blow and kept growing.

Infostealer Malware Stole 1.8 Billion Credentials in 2025

The headline number comes from two independent sources that landed on the same figure. Flashpoint reported that infostealers helped exfiltrate over 1.8 billion credentials, including more than a billion corporate and personal email and password pairs, browser cookies, and other sensitive tokens. DeepStrike’s December 2025 stealer-log study put the count at 1.8 billion credentials stolen in 2025 across 5.8 million impacted devices, calling it an 800% surge over recent years.

An infostealer is a lightweight piece of malware with one job: harvest everything of value from an infected machine and ship it to a remote server. That haul typically includes saved browser passwords, autofill data, cryptocurrency wallet files, authentication cookies that bypass multi-factor prompts, and system fingerprints. The whole operation can finish in seconds. The victim usually notices nothing. The stolen package, called a “log,” then flows into criminal marketplaces where it is bought, resold, and weaponized.

The scale matters because credentials are reusable. A single corporate login pulled from an employee’s personal laptop can seed a ransomware attack months later. DeepStrike found that more than 54% of ransomware victims in 2024 and 2025 had domain credentials appear on infostealer log marketplaces before the attack hit. That sequencing is the story of modern intrusions: steal first, sell second, encrypt third.

Why Stolen Credentials Now Drive 86% of Breaches

For years the industry treated phishing, unpatched software, and misconfiguration as the top breach vectors. In 2025 the data shifted decisively toward identity. DeepStrike reported that stolen passwords and session cookies appeared in 86% of breaches. IBM’s X-Force team, in reporting summarized across 2025 and 2026, found credential harvesting now occurs in roughly 29% of all cybersecurity incidents, and logged a 44% year-over-year jump in exploitation of public-facing applications, a pattern that pairs stolen logins with exposed services.

The reason is economic. Exploiting a zero-day vulnerability is expensive, perishable, and noisy. Logging in with a valid username and password is cheap, durable, and quiet. When an attacker holds a working credential plus a live session cookie, multi-factor authentication often provides no protection at all, because the cookie represents an already-authenticated session. This is why so many 2025 breaches read like authorized logins rather than break-ins.

The personal-device angle compounds the problem. Check Point Software reported that infostealer attacks “surged by 58%” and that “over 70% of infected devices were personal” in bring-your-own-device environments. An unmanaged home laptop with a saved work password is now a primary path into the enterprise, sitting entirely outside corporate endpoint controls. For background on how exposed credentials cascade into full compromises, see our explainer on how data breaches happen.

The Top Infostealer Families of 2025 and 2026

The infostealer market is crowded and competitive, run like a software-as-a-service business complete with subscription tiers, customer support, and Telegram channels. After the takedown of the once-dominant RedLine Stealer, the field reshuffled. Lumma emerged as the most prevalent stealer of 2025 before its own infrastructure was disrupted, while newer entrants rushed to fill any gap. IBM-linked reporting summarized by SWIF counted more than 16 million devices infected by infostealers in 2025, led by Lumma, Acreed, and Vidar.

| Infostealer family | Status in 2025-2026 | Key data point |
|---|---|---|
| Lumma | Dominant stealer of 2025, infrastructure disrupted in May 2025 | Among top families by infection volume; 394,000 hosts sinkholed in takedown |
| RedLine | Legacy mass-stealer, displaced after takedown | Its removal reshaped the market and seeded successor families |
| Vidar | Durable legacy family, steady presence | Listed among 2025 infection leaders by IBM-linked reporting |
| RisePro | Fast-growing family post-2023 | Grew to roughly 23% of infections in DeepStrike’s analysis |
| StealC | Rising family in 2025-2026 | Reached about 13% of infections post-2023 |
| Acreed | Newer family flagged by Flashpoint and IBM | Among 2025 infection leaders |
| Katz | New commercial stealer | First observed April 2025 on BreachForums |
| Bee | New commercial stealer | Sold from June 2025 at $300/month |

The churn is the point. No single family stays on top for long, and that resilience is precisely what makes the ecosystem hard to police. Take one brand offline and three cheaper rivals are already advertising.

Lumma, RedLine and the Rise of Budget Stealers

The most telling 2025 trend was price. Flashpoint documented a wave of new commercial stealers undercutting the established names. Cyber launched at a starting price of $99 per month, one of the cheapest full-featured stealers on the market. Bee appeared in June 2025 at $300 per month. AURA arrived in July 2025 pitched at the higher end with advanced capabilities. Katz showed up in April 2025 on illicit forums including BreachForums.

Cheap tools mean more operators. A $99 subscription puts industrial-grade credential theft within reach of low-skill criminals who buy the malware, rent a delivery method, and monetize the logs without writing a line of code. This commoditization is why infostealer log volumes on major dark web markets ballooned 670% since 2021, according to DeepStrike. The supply of stolen identity data is no longer a bottleneck for anyone.

How a Stealer Log Becomes a Ransomware Attack

The pipeline runs in stages. First, the malware infects a device, often through a cracked-software download, a malicious ad, or a phishing email. Infostealers delivered via phishing rose 84% year-over-year in 2024 versus 2023, with early 2025 data showing a 180% surge compared with 2023. Second, the stolen log is sold or posted on a marketplace. Third, an initial access broker buys the log, validates the corporate credentials inside, and resells working access to a ransomware affiliate. Fourth, the affiliate logs in and deploys encryption.

That chain explains the 54% figure: most ransomware victims were already for sale before they were attacked. Defenders watching only for malware execution miss the intrusion entirely, because the final step looks like a normal login. Strong two-factor authentication helps, but only phishing-resistant authentication paired with session-token protection against cookie theft truly breaks the chain.

The May 2025 Lumma Takedown and What It Achieved

The biggest enforcement win of the year came in May 2025, when Microsoft’s Digital Crimes Unit, working with law enforcement and industry partners, struck Lumma Stealer’s infrastructure. Over a roughly two-month operation the coalition sinkholed about 394,000 infected Windows hosts and seized approximately 2,300 command-and-control domains. It was one of the largest coordinated actions ever taken against a single stealer.

The operation worked, and it did not solve the problem. DeepStrike’s analysts noted that the Lumma disruption “created an opening that newer stealers quickly filled,” reinforcing how adaptable the ecosystem has become. The same dynamic followed the earlier RedLine takedown, which cleared the way for the very successors now dominating. Disruption raises costs and buys defenders time. It does not retire the business model.

This is the strategic frustration facing agencies in 2026. Each takedown is real, expensive, and quickly routed around. The lesson is that supply-side enforcement alone cannot win against a market where new brands cost a few hundred dollars to launch and where demand for stolen logins keeps climbing.

Market Impact: A Scalable Identity-Theft Economy

Infostealers turned identity theft from opportunistic capture into a scalable service economy. Stolen cookies and passwords became reusable access tokens that feed ransomware crews, fraud rings, and initial access brokers. The 1.8 billion credentials, 5.8 million infected devices, and 54%-plus ransomware exposure rate together describe a mature supply chain, not a scattering of one-off thefts.

The downstream cost is enormous even where it is hard to itemize. Account takeover, business email compromise, wire fraud, and ransomware all draw from the same well of stolen logins. Huntress reported that infostealers drove nearly 24% of all cyber incidents in 2024, with its 2025 data showing a 104% year-over-year increase in detections. When a quarter of all incidents trace back to one malware class, that class has become infrastructure.

| Metric | Figure | Source |
|---|---|---|
| Credentials stolen in 2025 | 1.8 billion | Flashpoint / DeepStrike |
| Devices infected in 2025 | 5.8 million (16M+ broader IBM count) | DeepStrike / IBM X-Force |
| Breaches involving stolen creds/cookies | 86% | DeepStrike |
| Ransomware victims pre-exposed in logs | 54%+ | DeepStrike |
| Log-volume growth since 2021 | 670% | DeepStrike |
| Incidents involving credential harvesting | 29% | IBM X-Force |
| Share of 2024 incidents from infostealers | ~24% | Huntress |

What Named Experts Are Saying

The people tracking this market do not mince words. Huntress put it bluntly: “Infostealers aren’t just a passing trend; they’re a cornerstone of modern cyber threats.” The firm’s framing reflects how central credential theft has become to nearly every other attack type.

Check Point Software emphasized the personal-device blind spot, reporting that “infostealer attacks surged by 58%” while “over 70% of infected devices were personal.” That detail reframes the threat as a human and policy problem as much as a technical one, because the most dangerous infections often sit on machines no IT team controls.

Flashpoint, which tracks the underground forums where these tools are bought and sold, described infostealers as a major force in digital-identity attacks, anchoring its assessment to the theft of more than 1.8 billion credentials. The NJCCIC, New Jersey’s threat-intelligence center, named “the theft and abuse of login credentials” as one of the most persistent and pervasive threats heading into 2026. Four independent voices, one conclusion: credentials are the battlefield now.

Historical Context: From Banking Trojans to Credential Factories

Credential theft is not new, but its industrialization is. Early stealers in the 2010s were bolt-on modules of banking trojans, targeting narrow financial data. The modern era began when developers split the stealer out as a standalone, subscription-based product. RedLine, which appeared near the start of the decade, proved that a simple malware-as-a-service stealer could scale to millions of victims and a thriving resale market.

The pivotal innovation was theft of session cookies alongside passwords. Once stealers began grabbing live authentication tokens, they neutralized much of the protection that strong passwords and basic two-factor prompts had provided. A password can be changed; a stolen valid session is usable immediately. That shift, maturing through 2023 and 2024, is what pushed credential theft into 86% of breaches by 2025.

The 670% growth in log volumes since 2021 charts this transformation precisely. What began as a niche cybercrime specialty became, in four years, the connective tissue of the entire criminal economy. Understanding the broader pattern of phishing-driven delivery helps explain how so many of these infections start with a single careless click.

Competitive Comparison: How Stealers Stack Up

Buyers shopping the underground in 2026 weigh the same factors as any software customer: price, features, support, and reliability. Budget entrants like Cyber at $99 a month win volume by lowering the barrier to entry. Mid-tier tools like Bee at $300 a month compete on stealth and evasion. Higher-end offerings like AURA pitch advanced capabilities to more sophisticated operators willing to pay a premium.

The legacy families illustrate the lifecycle. RedLine and Lumma each rode dominance to the point where they became enforcement targets, and each disruption opened space for rivals. RisePro climbing to roughly 23% of infections and StealC reaching about 13% post-2023 show how quickly market share migrates when a leader stumbles. This is a market with no durable monopoly, which is bad news for defenders hoping a single decisive takedown could end the threat.

Compared with other malware classes, infostealers stand out for their return on investment. Ransomware demands negotiation and pressure; cryptojacking yields pennies; infostealers produce reusable, resellable credentials that retain value for months. That efficiency is why the category outgrew nearly every rival threat type in 2025. The same identity-first logic now shapes incidents far beyond classic malware, including AI-era exposures we cover in our analysis of shadow AI breaches.

Real-World Fallout: Coupang, Canvas and Beyond

The abstract numbers become concrete in the year’s marquee breaches. South Korean regulators attributed Coupang’s massive breach to management failures rather than a sophisticated zero-day, with Deputy Minister Choi Woo-hyuk stating that “the attacker exploited user authentication vulnerabilities to access user accounts without a proper login and caused large-scale unauthorised information leaks.” That is the infostealer pattern in plain language: valid-looking access, no break-in, mass exposure.

Other 2025 and 2026 incidents followed the same identity-led script. Telecom operator Odido confirmed an attack exposing data from more than six million accounts, including names, phone numbers, email addresses, bank account numbers, and passport scans. The through-line across these events is that the initial foothold increasingly traces to stolen or abused credentials rather than novel exploits. For the full accounting of two of the year’s largest cases, see our coverage of the Coupang breach and the Canvas breach by ShinyHunters.

Five Predictions for the Credential-Theft Market

Based on the 2025-2026 trajectory and analyst guidance, here is where the infostealer economy heads next.

  • Cheap stealers keep proliferating. Flashpoint’s pricing data points to continued commoditization, with sub-$100 tools undercutting incumbents while still producing monetizable logs. Expect more brands, not fewer.
  • The ransomware pipeline stays credential-led. With more than half of victims already exposed in marketplaces before attack, DeepStrike’s data implies stolen logins remain the dominant ransomware entry point through 2026.
  • Intrusions combine stolen creds plus exposed services. IBM X-Force’s 44% rise in public-facing-application exploitation suggests future attacks will pair valid logins with internet-exposed systems rather than relying on malware execution alone.
  • Takedowns accelerate replacement, not retirement. Flashpoint’s observation of rapid family churn means enforcement will keep displacing leaders without ending the market, as Katz, Bee, Cyber, and AURA already demonstrate.
  • Identity-first defense becomes the baseline. Huntress’s “cornerstone” framing signals that phishing-resistant authentication, session-token protection, and dark-web credential monitoring move from optional to mandatory across 2026.

How to Defend Against Infostealer Malware

The defense playbook follows the attack chain. Because most infections begin on endpoints, harden them: block cracked-software downloads, restrict browser password storage in favor of a dedicated manager, and deploy endpoint detection that flags credential-harvesting behavior. Because personal devices carry over 70% of infections in BYOD settings, treat any unmanaged machine touching corporate resources as untrusted.

Because stealers grab session cookies, ordinary multi-factor authentication is not enough. Move to phishing-resistant methods such as hardware security keys or passkeys, shorten session lifetimes, and bind sessions to device posture so a stolen cookie fails on an unrecognized machine. Monitor dark-web marketplaces and stealer-log feeds for your domain’s credentials, since DeepStrike’s 54% figure means early detection of an exposed login can preempt a ransomware attack outright.
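As an added illustration of the session-binding step described above (example code written for this article, not from any vendor it cites): the server folds a device-posture fingerprint and a short expiry into the HMAC that protects each session token, so a cookie replayed from a machine with a different fingerprint is rejected even though its signature is intact. The constant and function names are assumptions, and the posture inputs are placeholders; a real deployment would feed in a device-bound certificate or similar signal rather than a spoofable header.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed per-deployment secret; in production this lives in a KMS or HSM.
SERVER_KEY = secrets.token_bytes(32)


def device_fingerprint(*posture_signals: str) -> str:
    """Hash the posture signals the server observes on every request.
    Assumption: the caller supplies strong signals (e.g. a device-bound
    certificate thumbprint); a bare User-Agent alone would be spoofable."""
    return hashlib.sha256("|".join(posture_signals).encode()).hexdigest()


def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user: str, fingerprint: str, ttl_seconds: int = 900) -> str:
    """Mint a short-lived token whose HMAC covers user, fingerprint and expiry."""
    expires = int(time.time()) + ttl_seconds
    payload = f"{user}|{fingerprint}|{expires}"
    return f"{payload}|{_tag(payload)}"


def validate_session(token: str, fingerprint_now: str,
                     now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason_or_user). A stolen cookie fails the last
    check when it is replayed from a host whose fingerprint differs."""
    parts = token.split("|")
    if len(parts) != 4:
        return False, "malformed"
    user, bound_fp, expires, tag = parts
    if not hmac.compare_digest(tag, _tag(f"{user}|{bound_fp}|{expires}")):
        return False, "bad signature"      # tampered or forged token
    if (time.time() if now is None else now) > int(expires):
        return False, "expired"            # short TTL shrinks the replay window
    if not hmac.compare_digest(bound_fp, fingerprint_now):
        return False, "device mismatch"    # cookie replayed from another machine
    return True, user


if __name__ == "__main__":
    victim_fp = device_fingerprint("cert:AB12", "Mozilla/5.0 (Windows NT 10.0)")
    other_fp = device_fingerprint("cert:NONE", "Mozilla/5.0 (X11; Linux)")
    cookie = issue_session("alice@example-corp.com", victim_fp)
    print(validate_session(cookie, victim_fp))   # (True, 'alice@example-corp.com')
    print(validate_session(cookie, other_fp))    # (False, 'device mismatch')
```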

Finally, assume some credentials are already stolen. Rotate high-value secrets on a schedule, enforce least-privilege access so one compromised login cannot reach everything, and rehearse incident response for the day a valid-looking login turns hostile. The organizations weathering 2026 best are the ones that stopped trusting passwords as proof of identity.

Frequently Asked Questions

What is infostealer malware?

Infostealer malware is a lightweight program that harvests valuable data from an infected device, including saved browser passwords, autofill records, cryptocurrency wallets, and authentication cookies, then sends that package, called a “log,” to an attacker. The process is fast and usually invisible to the victim.

How many credentials did infostealers steal in 2025?

Flashpoint and DeepStrike both reported more than 1.8 billion credentials stolen in 2025, from roughly 5.8 million infected devices. DeepStrike described the volume as an 800% surge over recent years.

Which infostealer families are most active in 2026?

Lumma led 2025 before its May 2025 takedown, with Acreed, Vidar, RisePro, and StealC among the most active. Newer commercial entrants including Katz, Bee, Cyber, and AURA emerged across 2025 at prices from $99 to $300 per month.

Does multi-factor authentication stop infostealers?

Not always. Many stealers grab live session cookies that represent an already-authenticated session, which can bypass standard MFA prompts. Phishing-resistant methods like hardware keys and passkeys, combined with short session lifetimes and device binding, provide far stronger protection.

How do infostealers lead to ransomware?

Stolen logs are sold to initial access brokers who validate corporate credentials and resell working access to ransomware affiliates. DeepStrike found that more than 54% of ransomware victims in 2024 and 2025 appeared in stealer-log marketplaces before being attacked.

Did the Lumma takedown stop the threat?

It disrupted Lumma significantly, with Microsoft and partners sinkholing about 394,000 hosts and seizing roughly 2,300 domains in May 2025, but newer stealers quickly filled the gap. The market’s low cost of entry makes it resilient to single takedowns.

How can I tell if my credentials were stolen?

Use dark-web and stealer-log monitoring services that scan marketplaces for your email domains and reused passwords. Watch for unexpected logins, password-reset notices, and session activity from unfamiliar locations, and rotate any exposed credential immediately.
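As an added example of the stealer-log monitoring the answer above describes (written for this article, not code from any vendor it cites): a small triage routine that parses records in the URL/USER/PASS layout, flags entries tied to a monitored corporate domain, and notes where the same password also appears on a non-corporate site, which is the reuse that lets a personal-device infection become a corporate foothold. The monitored domain, the record layout and the sample lines are constructed assumptions; passwords are compared only by hash so cleartext never lands in a ticket.

```python
import hashlib
from typing import Dict, List, Set
from urllib.parse import urlparse

MONITORED_DOMAINS = {"example-corp.com"}  # constructed: domains we watch for

# Constructed sample in the URL/USER/PASS triplet layout; not a real log.
SAMPLE_LOG = """\
URL: https://sso.example-corp.com/login
USER: alice@example-corp.com
PASS: Winter2025!
URL: https://shop.example.net/account
USER: alice.personal@gmail.com
PASS: Winter2025!
"""

def parse_stealer_log(text: str) -> List[Dict[str, str]]:
    """Group URL/USER/PASS lines into records; each URL line starts a record."""
    entries, cur = [], {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        key = key.strip().upper()
        if key == "URL" and cur:
            entries.append(cur)
            cur = {}
        if key in ("URL", "USER", "PASS"):
            cur[key.lower()] = value.strip()
    if cur:
        entries.append(cur)
    return entries

def _is_corporate(host: str, user: str, monitored: Set[str]) -> bool:
    """Match on the site host or on the domain part of the username."""
    user_domain = user.rpartition("@")[2].lower()
    return any(host == d or host.endswith("." + d) or user_domain == d
               for d in monitored)

def triage(entries: List[Dict[str, str]], monitored: Set[str]) -> List[Dict]:
    """One finding per corporate credential, noting reuse on other hosts."""
    reuse: Dict[str, Set[str]] = {}
    corporate = []
    for e in entries:
        host = (urlparse(e.get("url", "")).hostname or "").lower()
        # Truncated hash stands in for the password; cleartext is never kept.
        fp = hashlib.sha256(e.get("pass", "").encode()).hexdigest()[:16]
        reuse.setdefault(fp, set()).add(host)
        if _is_corporate(host, e.get("user", ""), monitored):
            corporate.append((e.get("user", ""), host, fp))
    findings = []
    for user, host, fp in corporate:
        reused_on = sorted(reuse[fp] - {host})   # same password seen elsewhere
        actions = ["reset password", "revoke active sessions"]
        if reused_on:
            actions.append("warn user about password reuse")
        findings.append({"user": user, "host": host,
                         "reused_on": reused_on, "actions": actions})
    return findings
```

Feeding a real stealer-log feed through `triage` yields the rotate-and-revoke list for the identity team; the reuse flag is what turns a personal-site exposure into a corporate alert.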

Are personal devices a bigger infostealer risk than work computers?

Often yes. Check Point reported that over 70% of infected devices were personal in BYOD environments. Unmanaged home machines storing work credentials sit outside corporate security controls, making them a favored entry point.
