A ‘significant increase’ in infostealer malware attacks left 3.9 billion credentials exposed to cyber criminals last year – and experts worry this is a ticking time bomb for enterprises
The threat of infostealer malware is on the rise, with 4.3 million machines infected last year alone
Researchers have warned that billions of credentials exposed to cyber criminals were sourced from infostealer logs last year – and it's created a ticking time bomb for enterprises as hackers begin cracking systems.
KELA Cyber Threat Intelligence’s State of Cybercrime 2024 report singled out infostealers as a persistent threat that usually serve as “precursors to advanced attacks, including ransomware and espionage”.
The firm said it observed more than 4.3 million machines around the world that had been infected with infostealer malware, such as Lumma stealer or RedLine, in 2024.
It estimated that this would account for more than 330 million credentials compromised using infostealers, which it said was slightly higher than the figures from 2023.
KELA warned that these credentials could be leveraged in future attacks that could balloon into “massive extortion campaigns”, citing the string of attacks leveraging compromised Snowflake credentials throughout 2024 that impacted at least 165 different companies.
In addition to the 330 million credentials KELA identified, the report said it also observed 3.9 billion credentials shared in the form of credential lists. These credential lists, commonly referred to as url:login:pass (ULP) files by threat actors, are compilations of data obtained during attacks.
These could be credentials harvested from a diverse range of sources, such as third-party breaches or phishing, but the report claimed that most ULP files are sourced from infostealer logs.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Lumma remains the most popular infostealer malware strain according to KELA, and was responsible for 40.48% of the infected machines in its data lake.
Other top offenders were StealC (20.29%, and Redline (16.43%), which KELA noted had been disrupted in October 2024 as part of Operation Magnus.
India, Brazil, and Indonesia were the top three most affected nations accounting for 20.12% of bots infected by infostealer malware in 2024.
KELA also highlighted the sensitive services most commonly targeted using these compromised credentials with the most frequently attacked being business cloud solutions (22.02%), CMS (21.19%), email (13.85%), and user authentication systems (11.5%).
How to protect yourself against infostealer threats
According to Huntress’ 2025 Cyber Threat Report, infostealers accounted for nearly a quarter (24%) of all cyber incidents in 2024, making it the most common threat category of the year.
Speaking to ITPro, Jaron Bradley, director of Jamf Threat Labs at Jamf, said infostealers campaigns are on the rise with evidence suggesting they are a particularly effective tactic used by threat actors.
“There has been a significant increase in Infostealer campaigns, and they have proven highly effective, even on macOS. These stealers are designed to target specific locations on the user's hard drive, seeking critical files such as usernames, passwords, browser session data, cryptocurrency wallets, documents, and more.”
Bradley added that the initial stages of infostealer campaigns require actions from the victim, so by improving overall security awareness businesses can mitigate some of the threat they pose to their organization.
“Users should be cautious about opening software sent by strangers, particularly if it comes with unusual instructions, such as right-clicking or adjusting settings,” he explained.
“For these infostealers to fully succeed, they also require the victim's login password, which is typically obtained by simply prompting the user with a popup window. Users should always question why an application would need their login credentials before willingly providing them.”
As well as investing in improving company-wide security awareness, KELA suggested a number of additional counter measures businesses can take to protect themselves.
RELATED WHITEPAPER
These include deploying enhanced endpoint detection and response (EDR) solutions that use behavior-based analysis rather than solely signature-based methods to detect and isolate infostealer activity in real time.
Improved email security is also essential in preventing phishing attempts, which are the primary delivery method for infostealers, the report added.
Finally, network segmentation is another important defense layer used to limit lateral movement once the attacker is inside your perimeter and stop them from accessing critical systems and sensitive data.
MORE FROM ITPRO

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.
-
Netgear launches next-gen platform and says it's quality vs quantity re partner engagementNews This is a significant launch, according to the company, and one that aligns with its overarching goal to simplify complexity...
-
What users can expect with Claude Sonnet 5News Claude Sonnet 5 comes with intuitive agentic capabilities, performance boosts, and cost-efficient ‘effort levels’
-
‘Hacking groups have the transport network firmly in their sights’: Network Rail is battling a torrent of cyber threatsNews FoI requests have revealed that the rail operator is under increasing attack, as cyber criminals set their sights on the transport sector
-
‘This operation marked a shift in strategy’: Three notorious malware networks have been taken down using RICO legislationNews The action involved the use of US racketeering laws to treat two malware families as part of a single conspiracy
-
Developers urged to remain vigilant amid continued Miasma malware risksNews The Miasma malware package uses legitimate OIDC tokens, making it indistinguishable from routine code updates
-
Claude users beware, hackers are using a fake website to dupe developers and deliver malwareNews 'Beagle' is deployed through a Dynamic Link Library (DLL) sideloading chain, and gives attackers remote access to the system
-
North Korean hackers are duping freelance developers with fake interviews to steal cryptocurrency and deliver malware — Sophos warns the 'Nickel Alley' group is using LinkedIn, Upwork, and Fiverr to target victimsNews A fake interview process uses coding tests and repo downloads to deliver malware
-
‘The build pipeline is becoming the new frontline’: Axios npm compromise highlights growing software supply chain risks, experts warnNews Cyber criminals exploited a hijacked maintainer account to compromise one of the world's most widely used JavaScript libraries
-
'It's destructive, not ransomware': Security experts weigh in on motivation behind Stryker cyber attackNews The attack on medical tech company Stryker has severely impacted operations globally
-
Thousands of Asus routers are being used to fuel a massive cyber crime spreeNews Black Lotus Labs has spotted a massive botnet of Asus routers built by malware that uses a common peer networking tool