Cybercrime as-a-service , Fraud Management & Cybercrime , ID Fraud

Dark Web Sales Driving Major Rise in Credential Attacks

Cybercriminals Netting Over 50 Credentials Per Infected Device, Kaspersky Says
Dark Web Sales Driving Major Rise in Credential Attacks

A rise in infostealer malware attacks over the past three years has enabled cybercriminal groups to turn credential stealing into a major money-making business, paving the way for new entrants in the field and sophisticated hacking techniques to breach corporate defenses.

See Also: Live Webinar | Digital Doppelgängers: The Dual Faces of Deepfake Technology

Cybersecurity company Kaspersky said data stealing attacks rose sevenfold over the past three years, enabling malicious actors to compromise more than 10 million personal and corporate devices in 2022 and possibly 16 million more last year.

Data-stealing malware has evolved over the past decade, improving hackers' ability to lurk unnoticed, and collect login credentials and sensitive data from device storage and applications. Kaspersky said hackers engaging in data exfiltration attacks stole close to 400 million logins and passwords for a wide range of websites in the past year, averaging 50.9 login credentials per infected device.

Stolen Credentials Fetching Rich Rewards

The growing value of corporate credentials in the cybercrime market contributed to a 643% increase in data-theft attacks over the past three years, Kaspersky said. Cybercriminals typically serve as initial access brokers, steal corporate credentials and sell them on dark web forums at a premium to fellow criminals looking for an easy way to infiltrate corporate networks and launch further attacks. Kaspersky researchers say the they are offering multiple sales models.

"Credentials may be sold through a subscription service with regular uploads, a so-called "aggregator" for specific requests, or via a shop selling recently acquired login credentials exclusively to selected buyers," said Kaspersky researcher Sergey Shcherbel. "Prices typically begin at $10 per log file in these shops."

According to Packet Labs, access brokers advertise stolen information heavily on dark web forums, with prices ranging from $17 for stolen credit card details, $40 for hacked logins for web services to $120 for high-value credit cards and associated information.

Data from Chainalysis found that a number of darknet markets have taken the lead in the cybercrime enablement businesses in the past few years, helping initial access brokers sell corporate credentials and detailed victim profiles to cybercrime groups who used the data in activities like scamming, identity theft and ransomware.

Genesis Market, which global law enforcement took down in April 2023 as part of Operation Cookie Monster, was best known for enabling identity theft and was soon replaced by emerging hubs such as the Kraken market, DNM Aggregator and These fraud shops integrate crypto payment processors on their websites via APIs, enabling a seamless payment and checkout experience for customers.

APAC and LATAM Particularly Affected

Data obtained by Kaspersky from infostealer malware log files actively traded in the underground markets reveals that a major share of credential stealing attacks in 2023 took place in the Asia-Pacific and Latin America. The company said hackers stole more than 28 million credentials from Brazil and more than 5 million each from local web domains in India, Colombia and Vietnam, respectively.

In Australia, compromised or stolen credentials accounted for a majority of cybersecurity incidents and one-in-four firms reported data breaches in the latter half of 2023. The Australian Information Commissioner said attacks involving compromised or stolen credentials accounted for 56% of all cybersecurity incidents, compared to 27% for ransomware attacks (see: Most Australian Breaches in 2023 Began With Credential Theft).

Cybersecurity company Group-IB noted last year that the number of initial access brokers operating worldwide rose by 45% year-on-year, but their numbers in the APAC region almost tripled. The market for selling access to corporate networks in the Asia-Pacific rose from a mere $223,000 in 2019 to more than $3.3 million in 2021.

"IABs play the role of oil producers for the whole underground economy. They fuel and facilitate the operations of other criminals, such as ransomware and nation-state adversaries," Group-IB CEO Dmitry Volkov said. "As access sales continue to grow and diversify, IABs are one of the top threats to watch."

About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.