
Inside the Market for Stolen Login Credentials

Originally published on: June 23, 2026
Summary

– Threat actors offer “search your target” services that extract specific credentials from massive infostealer databases, allowing buyers to request credentials for a company, platform, or domain instead of buying bulk dumps.
– Flare’s analysis of 470 underground forum posts (Jan 2025–June 2026) shows these services sit between infostealer infections and account takeover, with sellers acting as credential brokers or data processors.
– The service market overlaps with Initial Access Broker (IAB) ecosystems but is distinct, as it provides unvalidated credentials in formats like URL:LOGIN:PASS, while IABs sell validated, MFA-bypassing access at higher prices.
– Customer feedback reveals a gap between advertised claims and reality, with buyers reporting invalid, duplicated, or publicly available credentials, and sellers admitting they do not verify validity.
– Defenders should monitor underground markets for exposed credentials and corporate domains, as these services allow attackers to outsource the processing of credential noise into targeted attack material.

A sophisticated underground economy has emerged around stolen login credentials, where cybercriminals are transforming massive datasets from infostealer malware into on-demand search services. Rather than selling bulk dumps, these threat actors now offer targeted extraction, allowing buyers to request credentials for a specific company, platform, domain, or geographic region.

Researchers at Flare analyzed 470 underground forum posts published between January 2025 and June 2026, spanning advertisements, buyer feedback, pricing references, and disputes over data quality. The findings reveal a dedicated service layer that sits between infostealer infections, raw log trading, and account takeover activity. The threat actors offering these services fall into two categories: Malware-as-a-Service (MaaS) providers and MaaS consumers. Many function as credential brokers or data processors, monetizing their ability to search, filter, format, and deliver targeted results from enormous stolen credential collections.

The analysis highlights a narrowly scoped service offering targeted extraction, filtering, deduplication, formatting, and freshness from infostealer databases containing tens of billions of lines. This model acts as an alternative to combo lists: instead of purchasing a bulk dump, buyers query a seller’s existing data and receive only the results matching their target. Common output formats include URL:LOGIN:PASS, MAIL:PASS, LOGIN:PASS, PHONE:PASS, MAIL:PHONE, and MAIL:LOGIN. While this market overlaps with the Initial Access Broker (IAB) ecosystem, it is not identical. Buyer feedback reveals a gap between advertised claims and actual results, with lower volumes, invalid credentials, and frequent duplication.

How the “Search Your Target” Service Works

This market sits in the middle of the account takeover chain. First, infostealers infect devices and collect credentials, cookies, autofill data, and browser artifacts. Logs are then aggregated into private clouds, ULP databases, public dumps, or exchange-based collections. Next, “search-service” threat actors extract rows based on buyer requests. Buyers validate the credentials and use them for account takeover, fraud, spam, phishing, crypto theft, or corporate intrusion. Sellers in this dataset are often neither the first nor final step; they are the processing layer that turns stolen credential noise into targeted attack material.

From a threat intelligence perspective, this service model represents a practical example of T1589.001 (Gather Victim Identity Information: Credentials) and potentially T1650 (Acquire Access), given that some sellers deliver results indistinguishable from direct access provisioning.

The “Search Your Target” Market Economy

Much like the DDoS market, where a buyer submits a domain and the service provider attacks it, this service follows a comparable pipeline. A buyer sends a target, and the seller returns matching credentials. That target can be a company domain, login URL, ecommerce site, gaming platform, application, geographic market, or a list of emails. Output is delivered in formats such as URL:LOGIN, URL:LOG, MAIL, LOGIN, PHONE, or other combinations.

Several sellers cite database size as a selling point. One actor advertised a ULP 5kkk+ line database (5,000,000,000 records), quick access within 10–15 minutes, daily updates, and sources including private logs, private clouds, personal streams, and public data. Another promoted a 10kkk+ line, 1TB+ URL:LOG database, while others claimed access to collections ranging from hundreds of millions to tens of billions of records.

Beyond size, threat actors advertise search capabilities, freshness, formatting, and relevance. Some offer simple domain extraction, while others provide more customized services, such as extracting email accounts for a requested shop, website, app, or game. Attackers are effectively advertising their technical capabilities for indexing, updating, and enabling quick search within databases. One seller offered requests for $20 per search, with additional payment based on returned results.

The dataset also showed advanced credential enrichment. One actor claimed access to separate email, password, login, phone, and URL:Login collections, describing how records could be combined. For example, a buyer with only an email list could request matching login pairs, or a buyer seeking a specific geography could receive results built from country codes, domains, URLs, cities, and password patterns. This indicates that threat actors are using data best practices like labeling and slicing, much like legitimate businesses.

Customer Feedback Shows a Gap Between Ads and Reality

Buyer feedback reveals that sellers often over-promise and under-deliver. Some claim sellers aren’t credible, that credentials are invalid, or that sellers admit they never checked validity. Others note that the same data appears in large combo lists published for free across the underground. Duplication is a common complaint, with one buyer claiming that out of 3,000 records, only 200 were unique.
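As an added illustration (not code from the article or from Flare), the following defender-side triage script parses the URL:LOGIN:PASS format described above, deduplicates records the way a buyer complaining about "3,000 records, only 200 unique" would want to, and flags rows that touch a monitored corporate domain so they can be queued for password resets. The sample lines and the monitored domain example-corp.com are constructed for the demonstration; passwords are fingerprinted, never stored or printed.

```python
import hashlib
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the defender's own domains (constructed placeholder).
MONITORED_DOMAINS = {"example-corp.com"}

# Constructed ULP-style sample: one exact duplicate, one password containing
# a colon, one non-web (android://) scheme, and one malformed line.
SAMPLE = """\
https://sso.example-corp.com/login:alice@example-corp.com:Winter:2025!
https://sso.example-corp.com/login:alice@example-corp.com:Winter:2025!
https://shop.example.net/account:bob@gmail.com:hunter2
https://mail.example.org/:carol@example-corp.com:pa55word
android://com.game.app/:dave:secret
garbage line without structure
"""

def parse_ulp(line):
    """Split one URL:LOGIN:PASS row into (host, login, password).
    The scheme's own colon is removed first; after that the row is split
    at most twice so a colon inside the password survives. Known limit:
    a URL carrying a port (host:8080) would shift the fields."""
    line = line.strip()
    scheme, sep, rest = line.partition("://")
    if not sep:
        scheme, rest = "http", line
    parts = rest.split(":", 2)
    if len(parts) != 3:
        return None
    url, login, password = parts
    try:
        host = urlsplit(f"{scheme}://{url}").hostname or ""
    except ValueError:
        return None
    return host.lower(), login.strip().lower(), password

def triage(lines, monitored=MONITORED_DOMAINS):
    """Return (raw_count, unique_count, hits): hits maps each monitored
    domain to the logins exposed for it, after exact-duplicate removal."""
    seen, raw = set(), 0
    hits = {d: set() for d in monitored}
    for line in lines:
        rec = parse_ulp(line)
        if rec is None:
            continue
        raw += 1
        host, login, password = rec
        fp = hashlib.sha256(f"{host}\0{login}\0{password}".encode()).hexdigest()
        if fp in seen:
            continue
        seen.add(fp)
        for d in monitored:
            if host == d or host.endswith("." + d) or login.endswith("@" + d):
                hits[d].add(login)
    return raw, len(seen), hits

if __name__ == "__main__":
    raw, uniq, hits = triage(SAMPLE.splitlines())
    print(f"{raw} rows parsed, {uniq} unique; exposed logins: {hits}")
```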

While the concept of large combo lists or aggregated credential files isn’t new, this service is unique. If operated correctly, it could put many businesses and organizations at significant risk.

Developed Alongside the Infostealers Market

Over the past several years, infostealer families and log marketplaces have produced enormous quantities of records, including browser-stored credentials, cookies, autofill data, and device information. These collections are constantly growing, making it difficult for buyers to sort through them profitably. The opportunity to extract value more easily led to commercialization. A buyer with a specific, pinpointed goal can save time and money with this service.

Comparison Between the “Search Your Target” Market and the IAB Market

The “search your target” market is often tied to a general search for an email, business, or person. Validity and freshness of access aren’t guaranteed; buyers pay for the search and whatever results it returns. This market partially overlaps with the Initial Access Broker (IAB) market. When buyers seek access to corporate VPNs, SaaS platforms, email accounts, cloud environments, admin panels, or remote access systems, the output can become initial access where the two markets overlap. However, the IAB market is often more expensive and prestigious, serving as a “white glove service” that sells validated access which can often bypass MFA and ultimately enter an organization.

What Defenders Should Learn

The “search your target” market demonstrates that attackers no longer need to manually process massive dumps to find what matters. They can outsource that work to sellers who specialize in turning noisy credential collections into focused target lists. For defenders, the challenge is to identify and close those exposed paths before a buyer turns them into access.

Flare helps by giving security teams visibility into these underground markets, monitoring exposed employee credentials, corporate domains, login portals, SaaS applications, and related indicators across deep and dark web sources. This allows organizations to detect when their access points appear in credential collections or search-service advertisements, prioritize the most relevant exposures, and respond faster with password resets, session revocation, MFA enforcement, and investigation of possible account misuse.

(Source: BleepingComputer)
