Cybersecurity researchers have uncovered a large-scale operation involving over 93.7 billion stolen browser cookies circulating on dark web marketplaces — a 74% surge compared to last year’s findings.
The report, released by NordStellar, reveals that more than 15.6 billion of these stolen cookies are still active. The breach spans 253 countries and territories, posing serious risks to millions of users.
Malware Behind the Cookie Theft
The research attributes the bulk of this breach to powerful information-stealing malware programs.
- Redline Stealer: Collected nearly 42 billion cookies, with 6.2% still active.
- Vidar: Harvested 10.5 billion cookies, 7.2% remain active.
- LummaC2: Extracted over 8.8 billion cookies, 6.5% are active.
- CryptBot: Though responsible for only 1.4 billion cookies, 83.4% remain active, making it the most efficient stealer.
These tools scan browsers for stored session data using methods like document.cookie.split(';'), then send the data to command-and-control servers. Stolen cookies often appear for sale on dark web forums within minutes.
Authentication Risks and Data Labels
The compromised cookies contain sensitive information that can be used to hijack sessions and bypass traditional login security. Analysts found:
- 18 billion cookies labeled with “ID”
- 1.2 billion marked “session”
- 272.9 million tagged “auth”
- 61.2 million labeled “login”
Attackers can reuse valid Set-Cookie headers to gain access to accounts without passwords or multi-factor authentication.
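As an added example, not taken from the NordStellar report, the following Python audit parses Set-Cookie header values and flags session-bearing cookies that a browser would expose to script or keep reusable long after theft. The name hints (the labels the report counted) and the 24-hour lifetime threshold are assumptions chosen for illustration; the sample headers are constructed.

```python
"""Audit Set-Cookie headers for session cookies that are easy to steal or reuse."""
from dataclasses import dataclass, field

# Name fragments the report found on stolen cookies; a broad heuristic (assumption).
SESSION_NAME_HINTS = ("id", "session", "auth", "login")
# A persistent cookie older than this stays valid on an attacker's machine (assumption).
MAX_SESSION_LIFETIME_SECONDS = 24 * 3600


@dataclass
class CookieAudit:
    name: str
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Return (name, value, attrs) for one Set-Cookie header value; attrs keys are lowercased."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header_value):
    """Flag weaknesses that make a session cookie easy to read from script or to replay later."""
    name, _value, attrs = parse_set_cookie(header_value)
    audit = CookieAudit(name)
    if not looks_like_session_cookie(name):
        return audit  # non-session cookies are not worth flagging here
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        audit.findings.append("missing Secure: may be sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        audit.findings.append("SameSite not Lax/Strict")
    max_age = attrs.get("max-age", "")
    if max_age.isdigit() and int(max_age) > MAX_SESSION_LIFETIME_SECONDS:
        audit.findings.append("long Max-Age: remains valid long after theft")
    elif "expires" in attrs and not max_age:
        audit.findings.append("Expires set: persisted to disk, survives browser restart")
    return audit


# Constructed sample headers for demonstration (not from the report).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "auth_token=xyz; Path=/; Max-Age=2592000",
    "theme=dark; Path=/",
]
```

HttpOnly blocks script access but not malware that reads the browser's cookie store from disk, so short lifetimes and server-side session revocation are what limit the damage from the stealers described above.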
Targeted Platforms and Services
Google services were the most affected, with over 4.5 billion cookies linked to Gmail, Google Drive, and related platforms. YouTube and Microsoft services also faced heavy exposure, with each accounting for more than 1 billion cookies.
Advanced malware like Rhadamanthys now uses AI-powered optical character recognition (OCR) to extract cryptocurrency seed phrases from images found on infected systems.
Global Impact
Most attacks targeted Windows systems, which accounted for 85.9% of the stolen cookies. Another 13.2 billion cookies were taken from other or unidentified platforms.
Among the most affected countries are Brazil, India, Indonesia, and the United States. In Europe, Spain reported 1.75 billion stolen cookies, while the UK recorded 800 million with an 8.3% active rate—raising particular concern among analysts.
Delivery Methods and Recommendations
Hackers disguise their malware as legitimate downloads, frequently using Microsoft Software Installer (MSI) files or bundling it with pirated software to evade detection.
Security experts advise organizations and individuals to take the following precautions:
- Clear browser cookies regularly
- Use updated endpoint detection and response tools
- Avoid downloading software from untrusted sources
- Provide continuous security awareness training
The volume and persistence of active stolen cookies underscore the urgent need for better browser security practices and user education to counter this expanding threat.