Hackers no longer force open the side-window when infostealers can give them a key to the front door.
Infostealers have become the primary source of stolen credentials for attackers. Using these credentials is now a favored route for bad actors to access a target effectively as an invited guest. It is quicker, easier, less visible and more effective than forcing an entry.
More than 11.1 million devices were infected with infostealers in 2025, reports Flashpoint. More than 3.3 billion credentials, browser artifacts, session information and other forms of identity are now circulating in illicit marketplaces. These don’t simply provide entry to a target; they often provide authorized access to valuable data, undisturbed by security defenses within the target.
Flashpoint has found more than 30 unique strains of infostealer (hereafter referred to as ‘stealers’). The precise number of ‘individual’ stealers is difficult (and probably meaningless) to quantify – the marketplace changes almost daily, with new stealers appearing, existing ones being forked, and law enforcement shutting down or at least disrupting others.
Stealers are available in the underground ecosystem, often via malware-as-a-service (MaaS), and for hire at as little as $60 per month. During 2025, the most successful stealers, in order, were Lumma, Acreed, Rhadamanthys, Vidar, and StealC. However, this can change rapidly. During the first two months of 2026, Vidar rose from fourth place to dominate, accounting for more than 73% of all infected hosts and devices. Lumma, number one in 2025, accounts for just 1.1%.













