Silent Theft: How Info-Stealers and Dark Web Exposure Are Compromising Businesses
Credential theft has become the primary gateway to modern cyber attacks. In 2025 alone, information-stealing malware extracted approximately 1.8 billion credentials from 5.8 million devices, contributing to 86% of all breaches globally. However, the real risk often begins after the initial infection, when stolen credentials appear on dark web marketplaces.
Marsh McLennan’s Cyber Risk Intelligence Center states that organisations with exposed credentials on the dark web face dramatically higher breach risks. The presence of compromised user accounts alone makes organisations 2.56 times more likely to experience a cyber security incident, while dark web marketplace listings increase breach likelihood by 2.41 times. When multiple exposure indicators exist, such as compromised credentials combined with dark web marketplace activity, organisations may be 21–77% more likely to suffer a cyberattack compared to peers.
These findings highlight a critical reality: infostealers are not just stealing data; they are fuelling a thriving underground economy that directly increases the probability of ransomware, account takeover, and enterprise compromise.
What is an Infostealer?
An infostealer is a type of malware designed to covertly harvest sensitive information from infected devices. Unlike destructive malware, infostealers focus on surveillance and data exfiltration, collecting credentials, browser data, authentication tokens, financial information, and system intelligence.
This stolen data enables attackers to:
- Access corporate systems without triggering alerts
- Conduct financial fraud or identity theft
- Sell credentials on criminal marketplaces
- Launch ransomware or extortion campaigns
The connection between infostealers and broader cyber crime is well established. Verizon’s 2025 Data Breach Investigations Report found that 54% of ransomware victims had credentials previously exposed in infostealer logs, demonstrating how credential theft enables subsequent attacks.
Infostealers operate silently, often without noticeable symptoms, allowing attackers to maintain persistent access while organisations remain unaware of the compromise.
Initial Infection and Data Exfiltration
Infostealers typically infect systems through phishing emails, malicious downloads, fake software updates, compromised websites, and malvertising. Once installed, they immediately begin harvesting sensitive data, including:
- Stored passwords and autofill data
- Browser cookies and active session tokens
- VPN credentials and authentication tokens
- Email and messaging platform logins
- Cryptocurrency wallets and sensitive files
The malware compresses and encrypts this data before transmitting it to attacker-controlled servers. From there, it is packaged into “stealer logs” and sold on underground marketplaces.
This process creates measurable downstream risk. Marsh’s research found that organisations with compromised credentials or marketplace listings face over double the likelihood of experiencing a breach compared to organisations without dark web exposure. Critically, attackers often do not need to hack organisations directly; they simply purchase valid credentials.
Enterprise Risk Amplified by Unmanaged Devices
Infostealers frequently target unmanaged or personal devices, creating significant enterprise exposure. Research shows:
- 46% of compromised systems containing corporate credentials were unmanaged devices
- 34% were enterprise or server operating systems
This highlights the growing risk posed by bring-your-own-device (BYOD) environments and hybrid work models. Even when corporate systems remain secure, compromised employee credentials harvested from personal devices can provide attackers with legitimate access paths into enterprise networks.
Dark web intelligence reinforces this threat. Marsh identified compromised users as the single most impactful dark web exposure indicator, significantly increasing breach probability compared to other exposure types.
The Criminal Economy: Credential Marketplaces Drive Attacks
Infostealer infections do not end at data theft. Instead, stolen credentials become commodities traded in cyber criminal ecosystems.
Studies show that since 2019:
- 64% of organisations have experienced infostealer infections
- Credentials stolen from organisations appear on criminal marketplaces approximately every 2.5 months
- Organisations experienced an average of 4.5 infections per year
Once listed, these credentials provide immediate access opportunities for attackers.
Marsh’s analysis confirms the direct correlation between dark web listings and attack risk, with marketplace exposure increasing breach likelihood by over 140% relative to baseline risk.
This creates a dangerous cycle, as shown in Figure 1.

Malware-as-a-Service Has Lowered the Barrier to Entry
Infostealers such as Stealc, Vidar, LummaC2, Redline, and Rhadamanthys are now widely available through Malware-as-a-Service (MaaS) platforms. These tools enable cyber criminals with minimal technical expertise to launch credential theft campaigns at scale.
Additionally, the growing availability of AI-enhanced tooling, industrialised access pipelines, and infostealer logs has lowered barriers to entry and intensified competition within an already saturated cybercrime market. An oversupply of data has resulted in declining network access costs, dropping from an average of $1,427 at the beginning of 2023 to only $439 at the beginning of 2026.
Over the past six months alone, NormCyber telemetry identified 2,500 infostealer-related incidents, with Stealc, Vidar, LummaC2, Redline, and Rhadamanthys among the most prevalent variants.
Modern infostealers use advanced evasion techniques, including:
- Encryption and polymorphism to evade detection
- Memory injection to bypass antivirus solutions
- Session token theft to bypass MFA in some scenarios
- Browser and application credential harvesting
These capabilities enable attackers to gain persistent access while remaining undetected.
Gaming and Personal Device Activity Increasing Enterprise Risk
A significant proportion of infostealer infections originate from gaming-related downloads. Research indicates:
- 42% of infections originated from gaming-related files
- Common infection vectors include fake game modifications, cheat tools, and software downloads
NormCyber’s observations align with these findings, identifying compromised credentials associated with platforms such as:
- Epic Games
- Discord
- Steam
- Roblox
These infections frequently occur on personal devices later used to access corporate systems. This creates a hidden attack path where enterprise credentials are exposed through consumer activity.
Once exposed, these credentials may appear on dark web marketplaces, significantly increasing breach risk.
Dark Web Exposure Is a Leading Indicator of Cyber Incidents
The Marsh report demonstrates that dark web exposure is one of the strongest predictors of future cyber incidents.
Key findings include:
- Compromised user credentials increase breach likelihood by 2.56 times
- Dark web marketplace listings increase breach likelihood by 2.41 times
- Organisations with multiple exposure indicators face 21–77% higher cyber incident probability
- Dark web intelligence provides measurable predictive value for cyber risk assessment
This confirms that credential exposure is not simply a symptom of compromise; it is often the precursor to major cyber incidents. Infostealers play a central role in creating this exposure.
Recommendations
Infostealers represent one of the most significant cyber security threats facing organisations today. Their ability to steal credentials silently and feed underground criminal markets creates persistent and escalating risk. Dark web exposure significantly amplifies this risk, with exposed credentials more than doubling breach likelihood.
To reduce exposure and mitigate risk, organisations should implement the following measures:
Strengthen Identity Security
- Enforce multi-factor authentication across all systems
- Implement strong password policies and prohibit reuse
- Deploy identity threat detection and response solutions
Monitor for Credential Exposure
- Continuously monitor dark web marketplaces for compromised credentials
- Integrate threat intelligence into security operations
- Reset exposed credentials immediately
Improve Endpoint and Device Security
- Deploy endpoint detection and response (EDR) tools
- Restrict access from unmanaged devices
- Monitor for suspicious authentication activity
Reduce Human Risk Factors
- Conduct regular phishing and security awareness training
- Restrict installation of unauthorised software
- Disable browser synchronisation for corporate credentials
Adopt a Zero Trust Security Model
- Continuously verify users and devices
- Monitor authentication anomalies
- Limit lateral movement within networks
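As an added example, not part of the bulletin or NormCyber’s tooling, the Python routine below ties together two of the measures above: it matches a dark web exposure feed against the corporate domain and flags session tokens reused from a different client without a fresh MFA check, which is the stolen-cookie path that lets infostealers sidestep MFA. The feed, the authentication events, the field names and the `example.com` domain are all constructed assumptions.

```python
"""Triage accounts for credential reset and session revocation.

Inputs are constructed: an exposure feed in the shape a dark web monitoring
service might return, and a few authentication events. An account gets the
strongest action when both indicators are present.
"""

CORP_DOMAIN = "example.com"  # assumption: the organisation's email domain

# Constructed exposure feed entries (fields typical of a stealer-log listing).
EXPOSURE_FEED = [
    {"login": "alice@example.com", "source": "stealer-log", "seen": "2026-01-10"},
    {"login": "bob@gmail.com", "source": "stealer-log", "seen": "2026-01-11"},
    {"login": "Carol@example.com", "source": "marketplace", "seen": "2026-01-12"},
]

# Constructed authentication events: user, session id, client IP, user agent,
# and whether MFA was completed on this request.
AUTH_EVENTS = [
    {"user": "alice@example.com", "sid": "s1", "ip": "10.0.0.5", "ua": "Chrome/121", "mfa": True},
    {"user": "alice@example.com", "sid": "s1", "ip": "203.0.113.7", "ua": "curl/8.0", "mfa": False},
    {"user": "carol@example.com", "sid": "s2", "ip": "10.0.0.9", "ua": "Chrome/121", "mfa": True},
    {"user": "dave@example.com", "sid": "s3", "ip": "10.0.0.10", "ua": "Firefox/120", "mfa": True},
]


def exposed_corporate_accounts(feed, domain=CORP_DOMAIN):
    """Return the corporate logins (lower-cased) that appear in the exposure feed."""
    suffix = "@" + domain.lower()
    return {e["login"].lower() for e in feed if e["login"].lower().endswith(suffix)}


def session_reuse_anomalies(events):
    """Return users whose session id reappears from a new IP/user agent without MFA.

    A stolen cookie replayed from the attacker's machine shows up exactly this
    way: same session, different client fingerprint, no MFA on the request.
    """
    first_seen = {}  # sid -> (ip, ua) of the first request that used it
    flagged = set()
    for ev in events:
        fp = (ev["ip"], ev["ua"])
        if ev["sid"] not in first_seen:
            first_seen[ev["sid"]] = fp
        elif first_seen[ev["sid"]] != fp and not ev["mfa"]:
            flagged.add(ev["user"].lower())
    return flagged


def triage(feed, events):
    """Map each affected user to an action; both indicators mean revoke and reset."""
    exposed = exposed_corporate_accounts(feed)
    anomalous = session_reuse_anomalies(events)
    actions = {}
    for user in exposed | anomalous:
        if user in exposed and user in anomalous:
            actions[user] = "revoke_sessions_and_reset"
        elif user in exposed:
            actions[user] = "reset_password"
        else:
            actions[user] = "investigate_session"
    return actions
```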
Final Assessment
Infostealers have fundamentally changed the cyber threat landscape. They enable attackers to bypass traditional defences by exploiting valid credentials rather than technical vulnerabilities. Dark web intelligence confirms that credential exposure is one of the strongest predictors of future cyber incidents, increasing breach likelihood by more than 2.5 times.
Organisations must assume that credential compromise is not a matter of if, but when. Proactive monitoring, identity protection, endpoint security, and dark web intelligence are now essential components of modern cybersecurity defence.

Threat Rating: INFO-STEALER MALWARE
Overall Threat Level: 🔴 HIGH
Threat Category: Credential Access / Initial Access
Primary Impact: Account compromise, ransomware enablement, data breach
Target Profile: All sectors, with elevated targeting of healthcare, financial services, government, and technology
Threat Likelihood: 🔴 HIGH
Infostealers are currently one of the most widespread and scalable initial access vectors. Key indicators of elevated likelihood include:
- 1.8 billion credentials stolen in 2025 alone
- 64% of organisations have experienced at least one infostealer infection
- NormCyber observed 2,500 infostealer incidents in the past 6 months
- Compromised credentials increase breach likelihood by 2.56×
- Dark web marketplace exposure increases breach likelihood by 2.41×
Threat Impact: 🔴 HIGH
Infostealers directly enable high-impact cyber incidents, including:
- Ransomware deployment
- Business email compromise (BEC)
- Financial fraud
- Corporate data breaches
- Privileged account takeover
Organisations with multiple dark web exposure indicators may face up to 77% higher likelihood of a cyber incident.
Resources:
https://www.blackfog.com/infostealers-hidden-gateway-to-ransomware/
https://www.bleepingcomputer.com/news/security/not-a-kids-game-from-roblox-mod-to-compromising-your-company/
https://www.bridewell.com/insights/white-papers/detail/cyber-threat-intelligence-report-2025
https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/infostealers/
https://cyberchecksecurity.com/en/insights/lummac2_infostealer
https://deepstrike.io/blog/stealer-log-statistics-2025
https://www.europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down
https://flare.io/learn/resources/blog/redline-stealer-malware
https://www.huntress.com/threat-library/malware/stealc
https://www.infosecurityeurope.com/en-gb/blog/threat-vectors/guide-infostealer-malware.html
https://www.proofpoint.com/us/blog/threat-insight/operation-endgame-quakes-rhadamanthys
https://proton.me/blog/infostealers
https://socradar.io/blog/20-stealer-log-statistics-you-need-to-know-in-2025/
https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html
https://www.vectra.ai/topics/infostealers
Marsh McLennan Cyber Risk Intelligence Centre Report – The Correlation Between Dark Web Exposure and Cybersecurity Risk (PDF)