Threat actors are turning infostealer-derived credential dumps into searchable underground services that let buyers request targeted results by company, domain, platform, geography, or account type. Flare’s analysis of 470 forum posts shows these sellers act as a processing layer between stolen logs and account takeover, with many claims of freshness and validity falling short in practice. #Flare #Infostealer #InitialAccessBroker
Key points
- Underground sellers now offer targeted credential search services instead of only bulk dumps.
- Flare analyzed 470 posts showing ads, buyer feedback, pricing, and disputes over data quality.
- These services can filter, deduplicate, format, and deliver credentials from huge stolen databases.
- Buyer feedback often reports invalid, duplicated, or lower-than-advertised results.
- Defenders should monitor exposed employee credentials, corporate domains, and login portals before attackers use them.