Threat actors are increasingly transforming massive infostealer-derived credential collections into searchable underground services, allowing buyers to request credentials for specific companies, platforms, geographies, or account types, as reported by Bleeping Computer.Researchers from Flare analyzed 470 underground forum posts between January 2025 and June 2026, revealing a service layer that bridges infostealer infections and account takeover activities. These services function as credential brokers, monetizing vast amounts of stolen logs by offering targeted extraction, filtering, and formatting. Buyers can query sellers' databases for specific credentials instead of purchasing bulk data, with common output formats including URL:LOGIN:PASS and MAIL:PASS. The "search your target" market sits between credential collection by infostealers and their use for account takeover, fraud, or corporate intrusion.While the market overlaps with Initial Access Brokers (IABs), it is distinct. Customer feedback indicates a gap between advertised services and actual results, with issues like invalid or duplicated credentials being common. This evolving service model allows attackers to efficiently process stolen data into actionable intelligence for targeted attacks.Source: Bleeping Computer
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds