The Credential Economy
Sixteen Billion Reasons to Care
In June 2025, researchers confirmed a credential dump containing over 16 billion login records. Google, Apple, GitHub, government platforms. The scale was genuinely difficult to absorb. What separated this from previous mega-leaks was the provenance: the data came fresh, harvested in real time from millions of infected devices and funneled into a single dataset that had been circulating on underground forums for months before anyone in the security community noticed.
No server was breached. No database was exfiltrated from some corporate network. The data came from individual machines, one compromised laptop at a time, all feeding the same pipeline. By the time researchers identified the aggregate, billions of credentials were already accessible to anyone with a Telegram account and a few hundred dollars.
How Infostealers Work
The families doing most of this damage are well established. Redline has been around long enough that its codebase has been publicly documented across multiple research papers. It focuses aggressively on browser data: saved passwords, credit card details, session cookies, all extracted by grabbing decryption keys directly from Chromium and Firefox database files. Beyond browsers, it goes after cryptocurrency wallets and session tokens from applications like Discord. To stay hidden, it uses process hollowing, injecting code into legitimate Windows processes that security software is less likely to flag.
Raccoon Stealer runs SQL queries against browser databases to pull credentials and browsing history. The second version, rewritten in C/C++, extended its reach to password managers like Bitwarden and 1Password, which is a meaningful escalation. It also includes basic anti-analysis behavior: checking for debuggers, refusing to run on systems with Russian language settings, the usual.
Vidar sits at the current top of this category. Written in C with a multithreaded architecture, it exfiltrates data faster and has demonstrated the ability to bypass Chrome’s AppBound encryption through direct memory injection. That’s a protection that was supposed to make credentials harder to steal even from an already-infected system. Recent versions also extract two-factor authentication data, which removes one of the last remaining obstacles for an attacker who already has your password.
The Malware-as-a-Service Economy
Raccoon costs around $200 a month. Vidar is priced similarly. Both come with customer support, regular updates, and dashboards for managing the data they collect. The operators run these like software subscriptions, because functionally that’s what they are.
This changes who can run an infostealer campaign. Technical skill used to be the barrier. A few hundred dollars and a willingness to read some instructions is now enough to deploy campaigns targeting thousands of users. The stolen credentials then move through dark web markets and Telegram channels, where buyers filter by what they need: banking logins, crypto wallets, corporate VPN access.
The downstream numbers are striking. In 2025, credential theft became the leading initial attack vector, appearing as a factor in 86% of breaches. Over half of ransomware victims had their domain credentials surface on infostealer marketplaces before the attack occurred. The infostealers open the door; other operators walk through it.
Why Multi-Factor Authentication Is Not Enough
MFA works. That’s worth saying plainly before getting into where it falls short. The actual vulnerability lives in session management, which is almost never what the security advice focuses on.
When you log into a web application, the server issues a session token stored as a cookie in your browser. That token is what proves you’re authenticated for the duration of your session. Infostealers harvest these cookies alongside passwords, which means an attacker with your session token can access your accounts directly, skipping the authentication step entirely. The MFA prompt never appears because the token already asserts that authentication happened.
Most security guidance still emphasizes passwords and MFA adoption. Users who have done everything they were told to do, who have unique passwords and TOTP codes on every account, can still have their accounts accessed through a stolen session cookie. The advice wasn’t wrong. It just wasn’t complete.
The Defense Asymmetry
Enterprise security teams have tools for this. Endpoint detection platforms can identify infostealer behavior, threat intelligence subscriptions track new variants, and session token lifetimes can be shortened to limit the damage from any single theft. None of this is cheap or easy to operate, but it exists and it works reasonably well.
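The cookie-replay path described in the MFA section, together with the lifetime-shortening defense mentioned above, as an added example that is not code from the original article or from any product it names: a toy server-side session store in Python that caps absolute and idle lifetime, demands a fresh MFA proof for sensitive actions, and, going beyond what the article states, binds each token to a hash of coarse client attributes so a cookie replayed from a different client is rejected and revoked. The client attribute strings, clock values and user names are constructed for the demo.

```python
"""Constructed session store: why a stolen cookie should have a short shelf life.
Not the code of any product named in the article; timeouts and client
attributes are illustrative assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class Session:
    user: str
    issued_at: float        # absolute start; caps total lifetime
    last_seen: float        # refreshed on use; drives the idle timeout
    client_hash: str        # hash of coarse client attributes at issue time
    mfa_verified_at: float  # last time the user passed an MFA challenge


class SessionStore:
    def __init__(self, max_lifetime: float = 8 * 3600, idle_timeout: float = 30 * 60,
                 mfa_freshness: float = 5 * 60, clock: Callable[[], float] = time.time):
        self.max_lifetime = max_lifetime
        self.idle_timeout = idle_timeout
        self.mfa_freshness = mfa_freshness
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _client_hash(client_id: str) -> str:
        # client_id is whatever coarse attributes the server chooses to bind
        # (assumed here to be a string such as user agent plus network block);
        # only the hash is stored so raw attributes never sit in the store.
        return hashlib.sha256(client_id.encode("utf-8")).hexdigest()

    def issue(self, user: str, client_id: str) -> str:
        """Mint a random, unguessable token after password + MFA succeeded."""
        now = self.clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, self._client_hash(client_id), now)
        return token

    def record_mfa(self, token: str) -> None:
        """Called after a step-up MFA challenge passes on an existing session."""
        if token in self._sessions:
            self._sessions[token].mfa_verified_at = self.clock()

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)

    def validate(self, token: str, client_id: str, sensitive: bool = False) -> Tuple[bool, str]:
        """Return (accepted, reason). Any hard failure also revokes the token."""
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown token"
        now = self.clock()
        if now - s.issued_at > self.max_lifetime:
            self.revoke(token)
            return False, "absolute lifetime exceeded"
        if now - s.last_seen > self.idle_timeout:
            self.revoke(token)
            return False, "idle timeout"
        if not hmac.compare_digest(s.client_hash, self._client_hash(client_id)):
            # Presented from a client that does not match issue time: treat it as a
            # replayed cookie, kill the session and force a fresh login (log this).
            self.revoke(token)
            return False, "client mismatch"
        if sensitive and now - s.mfa_verified_at > self.mfa_freshness:
            # Session stays valid, but this action needs a fresh MFA proof.
            return False, "step-up required"
        s.last_seen = now
        return True, "ok"


class FakeClock:
    """Controllable clock so the timeouts can be exercised without sleeping."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk a constructed session through the checks and collect the outcomes."""
    clock = FakeClock()
    store = SessionStore(max_lifetime=3600, idle_timeout=600, mfa_freshness=300, clock=clock)
    owner = "ua=Firefox/128;net=203.0.113.0/24"   # constructed client attributes
    thief = "ua=Chrome/126;net=198.51.100.0/24"   # constructed, different client
    results = {}
    tok = store.issue("alice", owner)
    results["owner_ok"] = store.validate(tok, owner)
    clock.advance(400)
    results["sensitive_needs_stepup"] = store.validate(tok, owner, sensitive=True)
    store.record_mfa(tok)
    results["sensitive_after_stepup"] = store.validate(tok, owner, sensitive=True)
    results["replay_from_other_client"] = store.validate(tok, thief)
    results["owner_after_replay"] = store.validate(tok, owner)
    tok2 = store.issue("alice", owner)
    clock.advance(601)
    results["idle_expired"] = store.validate(tok2, owner)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

Two caveats a practitioner would want. A cookie lifted and replayed from a client whose attributes happen to match the hash is still accepted until the absolute or idle limit expires, which is why the lifetime has to be short and sensitive actions should require a fresh MFA proof rather than trusting the cookie alone. And binding to network attributes is brittle for mobile users whose addresses change; bind coarsely, and treat a "client mismatch" event as a detection signal worth logging rather than silently retrying.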
Individual users get consumer antivirus, which offers some coverage against known signatures. Infostealers update fast enough that novel variants frequently evade detection for weeks. Most people have no way to evaluate how effective their current protection actually is. They’re relying on whatever their OS or antivirus vendor has decided to include, with no real visibility into the gap.
Small businesses are in the hardest position. They have things worth stealing: customer records, financial accounts, credentials that connect them to larger partners in their supply chain. Most lack the budget for enterprise-grade detection or anyone on staff who does security full time. Large enterprises face legal and compliance pressure that forces investment in defense. Small businesses have neither the protection nor the deterrent.
Defense costs money. Money is distributed unequally. Security ends up being another domain where the gap between those who can protect themselves and those who can’t keeps widening.
What the Market Structure Reveals
The credential economy functions like any commodity market. Supply comes from infostealer operators running campaigns at scale. Demand comes from attackers who need initial access, whether for fraud, ransomware deployment, or getting a foothold inside a corporate network. Prices reflect credential quality: a verified corporate VPN login sells for considerably more than a consumer email account.
I find this framing useful because it cuts through a lot of the technical noise. Cybersecurity discourse tends to focus on the sophistication of the attacks and the failure of specific defenses. The credential market makes the underlying structure visible: there’s an extractive industry here, one that treats infected devices as raw material and treats people who can’t afford better protection as the resource being extracted. The technology is genuinely sophisticated. The economic logic is much older.