A ‘significant increase’ in infostealer malware attacks left 3.9 billion credentials exposed to cyber criminals last year – and experts worry this is a ticking time bomb for enterprises
The threat of infostealer malware is on the rise, with 4.3 million machines infected last year alone


Researchers have warned that billions of credentials exposed to cyber criminals were sourced from infostealer logs last year – and it's created a ticking time bomb for enterprises as hackers begin cracking systems.
KELA Cyber Threat Intelligence’s State of Cybercrime 2024 report singled out infostealers as a persistent threat, noting that they usually serve as “precursors to advanced attacks, including ransomware and espionage”.
The firm said it observed more than 4.3 million machines around the world that had been infected with infostealer malware, such as Lumma stealer or RedLine, in 2024.
It estimated that this would account for more than 330 million credentials compromised using infostealers, which it said was slightly higher than the figures from 2023.
KELA warned that these credentials could be leveraged in future attacks that could balloon into “massive extortion campaigns”, citing the string of attacks leveraging compromised Snowflake credentials throughout 2024 that impacted at least 165 different companies.
In addition to the 330 million credentials KELA identified, the report said it also observed 3.9 billion credentials shared in the form of credential lists. These credential lists, commonly referred to as url:login:pass (ULP) files by threat actors, are compilations of data obtained during attacks.
These could be credentials harvested from a diverse range of sources, such as third-party breaches or phishing, but the report claimed that most ULP files are sourced from infostealer logs.
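For defenders who receive ULP data from a threat-intelligence feed, the sketch below shows one way to triage it for accounts tied to their own organization. It is an added example, not code from KELA's report or this article; the sample lines, the `example.com` domain and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in url:login:pass form (not real data).
SAMPLE = """\
https://login.example.com:8443/auth:alice@example.com:P@ss:word1
portal.example.com:bob:hunter2
https://crm.saas.test/login:carol@example.com:Summer2024!
https://example.com.evil.test/:dave@mail.test:qwerty
notexample.com:erin:letmein
not a ulp line
"""

# The URL may hold "://" and a port, and the password may hold ":",
# so a plain split(":") mis-assigns fields; anchor on URL structure.
ULP_RE = re.compile(
    r"^(?P<url>(?:[a-z][a-z0-9+.-]*://)?[^/:\s]+(?::\d{1,5}(?=[/:]))?(?:/[^:\s]*)?)"
    r":(?P<login>[^:\s]+):(?P<password>.+)$",
    re.IGNORECASE,
)

def parse_ulp(line):
    """Return (host, login, password) or None if the line is not ULP."""
    m = ULP_RE.match(line.strip())
    if not m:
        return None
    url = m["url"]
    host = urlsplit(url if "://" in url else "//" + url).hostname
    return (host, m["login"], m["password"]) if host else None

def in_domain(name, domain):
    """Exact or subdomain match; rejects look-alike suffixes."""
    name, domain = name.lower().rstrip("."), domain.lower()
    return name == domain or name.endswith("." + domain)

def triage(text, domain):
    """List exposed accounts for `domain`; passwords are never kept."""
    hits = []
    for rec in filter(None, map(parse_ulp, text.splitlines())):
        host, login, _password = rec
        if in_domain(host, domain):
            hits.append((host, login, "own-service"))
        elif "@" in login and in_domain(login.rsplit("@", 1)[1], domain):
            hits.append((host, login, "third-party-service"))
    return hits

if __name__ == "__main__":
    print(triage(SAMPLE, "example.com"))
```

The "third-party-service" hits are corporate logins reused on external services, which is where the report's cloud and email figures apply; each hit is a candidate for a forced password reset and session revocation.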
Lumma remains the most popular infostealer malware strain according to KELA, and was responsible for 40.48% of the infected machines in its data lake.
Other top offenders were StealC (20.29%) and RedLine (16.43%), which KELA noted had been disrupted in October 2024 as part of Operation Magnus.
India, Brazil, and Indonesia were the top three most affected nations, accounting for 20.12% of bots infected by infostealer malware in 2024.
KELA also highlighted the sensitive services most commonly targeted using these compromised credentials with the most frequently attacked being business cloud solutions (22.02%), CMS (21.19%), email (13.85%), and user authentication systems (11.5%).
How to protect yourself against infostealer threats
According to Huntress’ 2025 Cyber Threat Report, infostealers accounted for nearly a quarter (24%) of all cyber incidents in 2024, making it the most common threat category of the year.
Speaking to ITPro, Jaron Bradley, director of Jamf Threat Labs at Jamf, said infostealer campaigns are on the rise, with evidence suggesting they are a particularly effective tactic used by threat actors.
“There has been a significant increase in Infostealer campaigns, and they have proven highly effective, even on macOS. These stealers are designed to target specific locations on the user's hard drive, seeking critical files such as usernames, passwords, browser session data, cryptocurrency wallets, documents, and more.”
Bradley added that the initial stages of infostealer campaigns require actions from the victim, so by improving overall security awareness businesses can mitigate some of the threat they pose to their organization.
“Users should be cautious about opening software sent by strangers, particularly if it comes with unusual instructions, such as right-clicking or adjusting settings,” he explained.
“For these infostealers to fully succeed, they also require the victim's login password, which is typically obtained by simply prompting the user with a popup window. Users should always question why an application would need their login credentials before willingly providing them.”
As well as investing in improving company-wide security awareness, KELA suggested a number of additional countermeasures businesses can take to protect themselves.
These include deploying enhanced endpoint detection and response (EDR) solutions that use behavior-based analysis rather than solely signature-based methods to detect and isolate infostealer activity in real time.
Improved email security is also essential in preventing phishing attempts, which are the primary delivery method for infostealers, the report added.
Finally, network segmentation is another important defense layer used to limit lateral movement once the attacker is inside your perimeter and stop them from accessing critical systems and sensitive data.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.