Credential Harvesting at Scale: Infostealers as the New Primary Vector in Identity-Driven Attacks

Infostealers have evolved from niche tools into the backbone of modern cybercrime economics, with Flashpoint documenting over 11.1 million compromised devices in 2025 alone and 3.3 billion credentials now traded on underground markets. Unlike the source coverage, which focuses on technical delivery and monetization mechanics, this epidemic reveals deeper structural failures: the rapid commoditization of access through malware-as-a-service models priced as low as $60 monthly has democratized initial access, allowing low-skill actors to feed sophisticated ransomware and espionage groups. Primary strains like Lumma and Vidar demonstrate market volatility, with Vidar surging to 73% dominance in early 2026 through superior evasion and log packaging. The original reporting underplays how these tools bypass enterprise defenses by stealing live session tokens and context-rich metadata, enabling attackers to operate as authenticated insiders rather than external intruders. Cross-referencing with the Verizon 2025 DBIR shows stolen credentials involved in 22% of breaches, while KrebsOnSecurity reporting on MaaS ecosystems highlights how infostealer logs directly fuel account takeovers in critical infrastructure sectors. This creates systemic risk where under-monitored endpoints become force multipliers for state and criminal convergence. The missed angle is the feedback loop: high-volume credential supply lowers the barrier for infrastructure-targeted operations, shifting defender focus from perimeter exploits to post-compromise identity hygiene.