Wednesday, March 12, 2025

3.9 Billion Passwords Stolen – Infostealer Malware to Blame

A Massive Data Breach Exposes Nearly 4 Billion Stolen Passwords, Revealing the Dangers of Infostealer Malware

Infostealer malware has emerged as a serious threat to online security, with cybercriminals actively targeting your passwords. A new report from KELA, a threat intelligence agency focused on dark web data, reveals just how far-reaching the impact of infostealer malware has become.

Infostealers Behind 3.9 Billion Stolen Passwords
In 2024 alone, over 4.3 million machines were infected by infostealer malware, according to KELA’s latest cybercrime report. These infections led to 3.9 billion compromised passwords, distributed in credential lists found in infostealer logs. The top three malware strains (Lumma, StealC, and Redline) were responsible for 75% of the infections. KELA CEO David Carmiel highlighted how underground economies, including malware-as-a-service platforms and stolen credential marketplaces, facilitate these attacks, creating a cycle of theft and exploitation.

The threat isn’t limited to personal accounts. KELA found that nearly 40% of infected systems had corporate credentials, including access to email, content management systems, Active Directory Federation Services, and remote desktop services. This amounts to over 7.5 million compromised credentials, many of which were linked to personal computers that also held corporate login details.
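As an added example (not taken from KELA's report or from this article), the following Python shows how a defender could triage a credential list recovered from infostealer logs for the corporate access types named above. The `URL:login:password` line layout, the domain `example-corp.test`, the host and path markers, and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the defender is responsible for (constructed).
CORPORATE_DOMAINS = ("example-corp.test",)
# Assumption: host/path markers for the access types the article names.
SERVICE_MARKERS = [
    ("adfs", re.compile(r"/adfs/", re.I)),
    ("remote_desktop", re.compile(r"/rdweb", re.I)),
    ("email", re.compile(r"/owa|^(web)?mail\.", re.I)),
    ("cms", re.compile(r"/wp-login\.php|/wp-admin", re.I)),
]
# Assumed "URL:login:password" layout; the password may itself contain ':'.
LINE_RE = re.compile(r"^(https?://[^\s:/]+(?::\d+)?(?:/[^\s:]*)?):([^:\s]+):(.*)$", re.I)

def parse_line(line):
    """Return (host, path, login) or None; the password is never kept."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group(1))
    return (parts.hostname or "").lower(), parts.path, m.group(2)

def in_scope(name):
    return any(name == d or name.endswith("." + d) for d in CORPORATE_DOMAINS)

def classify(host, path):
    return next((label for label, rx in SERVICE_MARKERS if rx.search(host + path)), "other")

def triage(lines):
    """Unique (service, host, login) for in-scope entries, plus unparsed-line count."""
    findings, skipped = set(), 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        host, path, login = parsed
        # In scope if the site is ours, or a corporate e-mail was used elsewhere.
        if in_scope(host) or in_scope(login.rpartition("@")[2].lower()):
            findings.add((classify(host, path), host, login))
    return sorted(findings), skipped

SAMPLE = [  # constructed lines, not real data
    "https://sts.example-corp.test/adfs/ls/:jdoe@example-corp.test:Pa:ss:word1",
    "https://rds.example-corp.test:8443/RDWeb/Pages/login.aspx:CORP\\asmith:hunter2",
    "https://mail.example-corp.test/owa/auth/logon.aspx:jdoe@example-corp.test:Summer2024!",
    "https://blog.example-corp.test/wp-login.php:admin:letmein",
    "https://shop.example.net/login:jdoe@example-corp.test:reused",
    "https://games.example.org/signin:player1:qwerty",
    "not a credential line",
]
```

Each finding is a candidate for a password reset and session revocation; the fifth sample line shows a corporate e-mail address saved for a third-party site, which stays in scope because of password reuse.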

The Appeal of Infostealers
The report explains that infostealers are especially dangerous due to their scalability and efficiency. Attackers can quickly gain access to large volumes of both personal and corporate accounts. Once credentials are stolen, they’re sold on dark web marketplaces, only to be used in further attacks, creating a vicious cycle.

To counter this, KELA recommends adopting multi-factor authentication, isolating critical systems to limit lateral movement by attackers, and deploying advanced email filtering to prevent phishing attacks. If you want to protect your data, taking action now is essential, as the threat is expected to grow through 2025.

Real-World Attacks and Targeting of Sensitive Systems
Infostealer malware has even targeted high-profile organizations, with employees from U.S. defense contractors, the U.S. Army and Navy, and agencies like the FBI and Government Accountability Office being compromised. Hudson Rock co-founder Alon Gal revealed that these infections can occur for as little as $10 per target device. Infostealers are not like traditional hackers who break into networks; instead, they exploit employee mistakes, such as downloading a malicious game mod or pirated software, to gain access to sensitive information. This includes:

  • VPN credentials to military networks
  • Multi-factor authentication session cookies
  • Email logins for government and defense agencies
  • Internal development tools like GitHub and Jira
  • Browser autofill data, documents, and more

Gal stressed that infostealers are not just a problem of detecting infected machines—they also represent a growing network of compromised credentials and third-party risks. If they can infiltrate the military-industrial complex, what else could they already be inside?

The Real Issue: Initial Access
Roger Grimes, a data-driven defense evangelist at KnowBe4, emphasized that the real problem isn’t just stolen passwords but how infostealers are gaining initial access to military systems. Was it due to social engineering, unpatched software, or another vulnerability? Without addressing these initial access points, organizations face much larger threats than stolen credentials.

AI’s Growing Role in Password Security
AI is adding a new layer of concern to password security. Ignas Valancius, head of engineering at NordPass, warned that AI is already capable of cracking passwords much faster than ever before. Even strong passwords that once took considerable time to crack can now be bypassed in seconds. AI-driven attacks, such as brute-forcing and dictionary attacks, will become more common in 2025.

Valancius advises users to take password hygiene seriously by following these tips:

  1. Use long passwords – Longer passwords are harder to crack. Avoid using personal information.
  2. Create passphrases – If remembering long, random passwords is difficult, use a passphrase instead.
  3. Never reuse passwords – Use unique passwords for each account.
  4. Consider passkeys – A safer alternative, combining biometrics with cryptographic keys.

As AI tools advance, password security will only become more crucial. Act now to safeguard your accounts before it’s too late.

Fintter Security (https://fintter.com)