The Stolen Credentials Market: Dark Web Threats and Credential Trading
A study of 470 underground forum entries published between January 2025 and June 2026, sourced from multiple platforms, revealed a growing ecosystem in which actors offer to search their own databases and extract matching credentials for buyers.
Key Findings
The research highlights a specialized service layer that bridges infostealer infections, raw log trading, and account takeover operations. The threat actors involved in these services fall into two categories: Malware-as-a-Service (MaaS) providers and MaaS consumers.
Market Dynamics
This market operates as an alternative to traditional combo lists: buyers no longer purchase bulk data but instead query a seller’s database to retrieve only the credentials matching their specific criteria.
Operational Model
The “Search Your Target” service functions as a middle layer in the account takeover chain. Infostealers first infect devices, harvesting credentials, cookies, autofill data, and browser artifacts. These logs are then aggregated into private clouds, ULP (URL:login:password) databases, public dumps, or exchange-based collections.
Service Overlaps and Differences
The service overlaps with the Initial Access Broker (IAB) ecosystem but differs in its operational model. Common output formats include URL:LOGIN:PASS, MAIL:PASS, LOGIN:PASS, PHONE:PASS, MAIL:PHONE, and MAIL:LOGIN.
Buyer Feedback and Challenges
User feedback suggests discrepancies between advertised claims and actual outcomes. Many buyers report that the volume of credentials delivered is lower than promised, with frequent issues such as invalid, duplicated, or non-functional data.
Technical Capabilities and Offerings
Sellers in this dataset often act as intermediaries rather than the initial or final step in the process, serving as a processing layer that transforms raw credential data into actionable attack vectors.
Data Management Practices
Some sellers advertise capabilities such as data indexing, freshness, formatting, and relevance. One actor described access to separate password, login, phone, and URL:Login collections, enabling buyers to combine records.
Threat Intelligence and Mitigation
From a threat intelligence perspective, this service model aligns with tactics such as T1589.001 (Gather Victim Identity Information: Credentials), where adversaries proactively acquire credentials before exploitation.
Monitoring and Defense
Flare’s tools provide visibility into underground markets, monitoring employee credentials, corporate domains, login portals, SaaS applications, and related indicators across deep and dark web sources. This enables organizations to detect when their assets appear in credential collections or search-service advertisements.
“Supply-chain attacks often leave hidden traces in underground forums and marketplaces, which are frequently overlooked by security teams. Flare’s analysis surfaces these indicators before they escalate into incidents.”
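A defender-side triage of a recovered collection in the URL:LOGIN:PASS format listed above, as an added example that is not from the study or from Flare: it flags records that touch an organization's login portals or employee mailboxes, collapses duplicate records, and discards passwords at parse time. The domain `example.com`, the sample records and all function names are constructed assumptions, and splitting from the right assumes passwords contain no colon.

```python
from collections import Counter
from urllib.parse import urlsplit

WATCHED = {"example.com"}  # assumption: domains the organization owns

# Constructed sample records in URL:LOGIN:PASS form (not real data).
SAMPLE = [
    "https://sso.example.com:8443/login:alice@example.com:Passw0rd!",
    "https://sso.example.com:8443/login:alice@example.com:Passw0rd!",  # duplicate
    "https://shop.test/account:bob@example.com:hunter2",
    "vpn.example.com/remote:carol:s3cret",
    "https://other.test/login:dave@other.test:qwerty",
    "malformed line without separators",
]

def in_scope(name):
    """True for a watched domain or any subdomain of one (not a look-alike suffix)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def parse_ulp(line):
    """Return (host, login), or None if unparseable. The password is never kept."""
    parts = line.strip().rsplit(":", 2)  # the URL holds ':' too, so split from the right
    if len(parts) != 3 or not all(parts):
        return None
    url, login, _password = parts
    if "://" not in url:
        url = "//" + url  # scheme-less record: let urlsplit see a network location
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None
    return (host, login.lower()) if host else None

def triage(lines):
    """Count unique in-scope (host, login, reason) records and unparseable lines."""
    hits, rejected = Counter(), 0
    for line in lines:
        rec = parse_ulp(line)
        if rec is None:
            rejected += 1
            continue
        host, login = rec
        reasons = ["portal"] if in_scope(host) else []
        if "@" in login and in_scope(login.rsplit("@", 1)[1]):
            reasons.append("employee")
        if reasons:
            hits[(host, login, "+".join(reasons))] += 1
    return hits, rejected
```

Calling `triage(SAMPLE)` returns one entry per affected account with a sighting count, which is the list to feed into password resets and session revocation; the rejected count shows how much of the collection was malformed.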
Market Evolution and Trends
The “Search Your Target” market operates similarly to the DDoS market, where buyers submit a domain and the service provider initiates an attack. In this case, a buyer provides a target, and the seller returns matching credentials.
Seller Capabilities and Claims
Sellers emphasize database size as a key selling point. One actor promoted a ULP database with 5 billion lines (5kkk+), claiming rapid access within 10–15 minutes, daily updates, and sources such as private logs, personal streams, and public data.
Challenges for Buyers and Sellers
Customer feedback reveals a gap between advertised claims and actual results. Buyers report inconsistencies, including invalid credentials and excessive duplication. Some sellers admitted they did not verify the validity of the data, while others claimed their databases contained the same information found in free combo lists.
Commercialization of Infostealer Data
The service has evolved alongside the infostealer market, which has generated vast quantities of browser-stored credentials, cookies, autofill data, and device information. These collections pose challenges for buyers seeking to extract value, creating opportunities for commercialization.
