On October 20, a hacker known as Dark X announced that they had accessed a server and obtained the personal information of 350 million customers from Hot Topic. The next day, Dark X put the stolen information, which included purported emails, addresses, phone numbers, and partial credit card numbers, up for sale on an underground forum. The following day, Dark X stated that Hot Topic had expelled them from the server.
This article is co-published in collaboration with 404 Media.
According to Dark X, the breach, potentially the largest hack of a consumer retailer to date, was partly a matter of luck. They stumbled upon login credentials from a developer who had access to Hot Topic’s most sensitive data. To substantiate their claim, Dark X provided me with the developer’s login credentials for Snowflake, a data warehousing service that has been a frequent target for hackers. Alon Gal from the cybersecurity firm Hudson Rock, who was the first to discover the connection between infostealers and the Hot Topic breach, mentioned that the same credentials were sent to him by the hacker.
The element of luck is evident. However, the alleged hack of Hot Topic is also the latest incident tied to a vast underground network that has made it alarmingly easy to compromise some of the world’s most prominent companies.
AT&T, Ticketmaster, Santander Bank, Neiman Marcus, and Electronic Arts have all fallen victim to a series of breaches recently. These attacks were not random occurrences; they were facilitated by “infostealers,” a type of malware engineered to extract passwords and cookies from victims’ web browsers. This phenomenon has spawned a sophisticated, shadowy ecosystem where cybercriminals adopt various roles. Russian malware developers persistently refine their code, while teams market their services to contractors eager to distribute malware via platforms like YouTube, TikTok, and GitHub. Youthful English-speaking individuals from around the globe exploit the stolen information to infiltrate corporations. By the end of October, a coalition of law enforcement agencies announced a significant operation targeting two of the most notorious infostealers. However, the infostealer market has flourished to such an extent that even focused law enforcement efforts are unlikely to significantly impact its proliferation.
Through interviews with malware creators, users of stolen credentials, and analysis of guides aimed at teaching newcomers about malware distribution, 404 Media has constructed a detailed outline of this underground industry. The findings reveal that a simple download of seemingly harmless software by a single individual can trigger a data breach in a multibillion-dollar organization, resulting in an ongoing and escalated struggle between Google and other tech giants to protect users and companies from these threats.
“We are experts in our domain and will persist in our efforts to outmaneuver future updates from Google,” stated an administrator of LummaC2, a highly utilized infostealer. “It requires time, but we possess all the necessary resources and expertise to maintain our resistance against Chrome.”
The infostealer industry commences with the malware itself, of which many varieties exist, including known entities like Nexus, Aurora, META, and Raccoon. Currently, the most commonly encountered infostealer is identified as RedLine, according to cybersecurity firm Recorded Future. The availability of ready-made malware significantly reduces the entry barriers for aspiring hackers. The LummaC2 admin noted that their platform is open to both novice and seasoned hackers looking to engage in this realm.
At first, many of these developers aimed to pilfer credentials or keys associated with cryptocurrency wallets. With this stolen information, hackers could drain a victim’s digital wallets and turn a quick profit. Some continue to promote their tools as capable of stealing Bitcoin and have even integrated OCR technology to identify seed phrases in images. Recently, however, those same developers and their affiliates discovered that the other data stored in a browser—like passwords for the victim’s workplace—could also translate into a lucrative revenue stream.
“Malware developers and their clients have come to realize that personal and corporate credentials, such as login information for online accounts, financial details, and other sensitive data, possess considerable value on the black market,” stated RussianPanda, an independent security researcher who closely monitors infostealers, in an interview with 404 Media. She explained that the creators of infostealers have shifted their focus to capture this kind of data as well. Essentially, the fallout from cryptocurrency-focused breaches has given rise to an entirely new industry that is wreaking further havoc across various sectors, including healthcare and technology.
Some infostealer operations then peddle these harvested credentials, cookies, or logs through automated bots on Telegram. The platform, far from being just a messaging service, offers vital infrastructure for these groups. The entire transaction process, from the purchasing to the selling of stolen logs, is mechanized through Telegram bots. Telegram has yet to respond to inquiries for comment.
Though infostealers are not particularly difficult to create, the developers of this malware find themselves consistently in conflict with engineers at major tech companies like Google, who are determined to thwart their efforts to steal users’ credentials.
In July, for instance, Google Chrome implemented an update aimed at preventing applications other than Chrome—including malicious software—from accessing cookie information. For a brief period, Chrome seemed to have the advantage. LummaC2 provided its users with several workarounds, yet none proved to be a dependable solution. Some developers of malicious software expressed their complaints more overtly. In one instance, a set of infostealers contained the phrase “ChromeFuckNewCookies” within their code.
“It’s a bit of a cat-and-mouse game, but we believe this is a contest we want to actively engage in as long as the results remain favorable,” stated Will Harris, a staff software engineer at Google Chrome. “Our primary goal is to protect users to the best of our ability.” This encompasses not only the security of Chrome itself and the safeguarding of more data from infostealers, but also strategies for “disruption.” This includes encouraging more researchers to examine the specific tactics of infostealers, which in turn limits the resources available to the developers of malicious software. By rolling out updates incrementally rather than all at once, they can also hinder malware creators. Instead of giving the criminals a comprehensive overview of everything they need to address simultaneously, the developers can keep them guessing about Google’s next moves, thereby consuming more of their time.
Following one particular update, a significant number of users associated with a stealer were “extremely upset, prompting the malware creators to work overnight on developing a bypass,” Harris explained. He also noted that a specific stealer named Vidar raised the price of its tool. “We need to remain agile in this scenario. The infostealers are adapting quickly as well, and we aim to keep pace with them, which I believe we have managed in this instance,” he remarked.
Additionally, he singled out Microsoft Windows for attention. “When you compare Windows to other platforms like Android, ChromeOS, or even macOS, those systems exhibit much stronger application isolation.” This means that malicious software faces greater challenges when attempting to extract information from various parts of the system. “We observed that on Windows, which is clearly a significant platform for us, those protective measures were lacking.”
In a recent statement, a representative from Microsoft noted, “Alongside the hardware-based baseline requirements for all Windows PCs—such as TPM, Secure Boot, and virtualization-based security—there are numerous security features that are now enabled by default in Windows 11, making it more challenging for information stealers. We recommend that users operate as a Standard User instead of an Admin on their Windows devices. By running in standard user mode, individuals (and the applications they use) can make alterations to their computers, but they will not have full access to the system, thereby reducing the chances for info stealers to easily access the data they seek.”
According to Recorded Future, infostealer malware for Mac does exist, but it is significantly less prevalent.
A malware developer might possess an effective software solution. However, the real challenge lies in getting that software onto the computers of unsuspecting victims.
As electronic rap music plays in the background, a man extends his arms and reclines into a chair. The camera sweeps around his purported apartment, showcasing large floor-to-ceiling windows in an expansive dining room, wooden floors, and an eclectic chandelier. In another scene, the man opens a laptop, busily types, and then enjoys a sip of what appears to be whiskey. The underlying message: This could be your reality if we collaborate.
This is one of the many advertisements found on an underground platform known as Lolz, where “traffers” come together in search of new recruits. In this instance, the individual featured in the video is on the lookout for people to promote a fake casino tool designed to siphon funds from unsuspecting victims. However, a significant portion of the “traffers” section focuses on distributing infostealers. The role of these contractors is to assist in disseminating the malware or driving traffic, as various teams compete for visibility in a saturated environment. Each strives to surpass the others with eye-catching promotions and branding, adopting names such as “Billionaire Boys Club,” “Baphomet,” and “Chemodan.” Their advertisements come with animated GIFs displaying computer-generated representations of luxury cars or private jets. Another advertisement for “Cryptoland Team” features a knight in armor gazing at a hooded skeleton inscription on parchment.
“Payment by logs or cash. We offer you a choice: You can take the logs, or we will purchase them,” one advertisement from the Baphomet team, marked with dark branding, states.
Each listing specifies the infostealer brand they employ, the profit-sharing arrangement that a collaborator might expect, and whether associates are permitted to retain any extra exfiltrated logs. Furthermore, they clearly indicate that individuals they collaborate with are forbidden from targeting the Commonwealth of Independent States (СНГ), which includes former Soviet Union countries like Belarus, Ukraine, and Russia. Collaborators typically share reviews and screenshots to demonstrate their earnings from working with the team.
Many of these teams process new applications through their dedicated Telegram bots. Some are quite selective, requiring that applicants have previous experience, while others appear more lenient and willing to take on almost anyone. 404 Media was able to easily navigate the application process for two traffer teams by responding to a few simple inquiries. Subsequently, the bots provided links to the manuals of the respective teams, detailing how to disseminate the malware.
One manual associated with Baphomet, for instance, suggests integrating a stealer into cheating software designed for Roblox. It further explains how to create a YouTube video that promotes this cheat, thereby assisting in the dissemination of the malware.
Another advertisement from a traffer team claims it is effective on platforms such as TikTok, Telegram, Instagram, Twitter, Facebook, YouTube, YouTube Shorts, email newsletters, as well as bloggers and influencers. In a video featuring a hacker consuming whiskey, his laptop briefly displays a TikTok page. Many of these manuals echo this sentiment, advising that infostealers can be distributed through various social media platforms or pointing to GitHub as a powerful distribution avenue for traffers.
Some infostealers are cleverly concealed within cracked or pirated software. Their effectiveness largely stems from the fact that users actively seek out this software, rather than the software coming to them. Individuals are on the lookout for free software, often disregarding the potential hazards involved.
A representative from Google stated in an email, “We have policies in place to prevent spam, scams, or other deceptive practices that take advantage of the YouTube community. This includes prohibiting content where the main purpose is to trick others into leaving YouTube for another site.”
Meta did not reply to a request for comment. TikTok acknowledged a request but failed to provide a response before publication.
These traffers and others are clearly achieving success on a grand scale. Recorded Future reports that there are 250,000 new infostealer infections each day.
The stolen credentials are then shared across Telegram channels, creating a flood of cookies and logins available for purchase. The administrator for LummaC2 commented, “This brings us good income, but I am not ready to disclose specific amounts,” in reference to the sale of the stolen logs. In the Telegram bot 404 Media tested, users can filter logs by country and by the number of cookies or passwords each one contains. 404 Media noted that numerous U.S. logs were for sale. In recent weeks, several of these Telegram channels have been removed, but Telegram did not respond to inquiries regarding any actions taken against them.
These channels also maintain their own branding, similar to the traffers. Many also offer stolen credentials for free, likely to promote their paid services. Even credentials available at no cost can be highly damaging for targeted organizations. Earlier this year, a security researcher demonstrated how exposed logins were used to breach a server belonging to AU10TIX, an identity verification company partnering with TikTok, Uber, and X. Those credentials were sourced from a free stream on Telegram, as the researcher explained to 404 Media at that time.
Numerous websites focus on or include sections specifically for selling infostealer logs. Genesis Market serves as a platform used by hackers behind the 2021 breach of Electronic Arts, who obtained a login token for the company’s Slack. In 2023, authorities dismantled Genesis Market. However, much of the credential trading has shifted to another well-established site, Russian Market, as reported by Recorded Future.
This is where hackers play a significant role. Judische, a hacker associated with breaches at AT&T, Ticketmaster, and other companies that utilized Snowflake, likely acquired stolen credentials from these types of feeds and utilized them to access targeted servers. In several cases, those companies were not employing multifactor authentication, and stolen logs can potentially circumvent that additional layer of security anyway: a cookie can deceive a service into believing the user is already trusted, so no extra login code is requested.
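One defensive check that follows from this, as an added example that is not part of the article: a small Python detector that flags a session cookie presented from a client other than the one that completed the login, run over constructed sample log lines (the log format and field names are assumptions).

```python
"""Flag session-cookie reuse from a new client: a simple detector for the
replay pattern described above. Added example, not code from the article;
the log format and field names are constructed for illustration."""
from datetime import datetime

# Constructed sample events: one legitimate login that completed MFA, then the
# same session cookie presented from a different IP and browser, which is what
# a replayed infostealer log looks like from the server side.
SAMPLE_LOG = """\
2024-10-20T09:00:00Z login user=dev1 sid=abc123 ip=203.0.113.7 ua=Chrome/129-Win mfa=ok
2024-10-20T09:05:10Z request user=dev1 sid=abc123 ip=203.0.113.7 ua=Chrome/129-Win
2024-10-20T14:22:41Z request user=dev1 sid=abc123 ip=198.51.100.9 ua=Firefox/130-Linux
2024-10-20T10:00:00Z login user=ops2 sid=def456 ip=192.0.2.5 ua=Chrome/129-Mac mfa=ok
2024-10-20T10:30:00Z request user=ops2 sid=def456 ip=192.0.2.5 ua=Chrome/129-Mac
"""

def parse_line(line):
    """Parse 'timestamp event key=value ...' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), "event": parts[1]}
    for kv in parts[2:]:
        k, _, v = kv.partition("=")
        ev[k] = v
    return ev

def find_replayed_sessions(log_text):
    """Return alerts for sessions whose cookie is reused from a client that does
    not match the one that authenticated. A replayed cookie sails past MFA
    because the service already marked the session as trusted, so the only
    thing left to check is the client context bound to that cookie."""
    origin = {}          # sid -> (ip, ua) recorded at login
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or "sid" not in ev:
            continue
        if ev["event"] == "login":
            origin[ev["sid"]] = (ev["ip"], ev["ua"])
            continue
        bound = origin.get(ev["sid"])
        if bound and (ev["ip"], ev["ua"]) != bound:
            alerts.append({"user": ev["user"], "sid": ev["sid"],
                           "expected": bound, "seen": (ev["ip"], ev["ua"]),
                           "at": ev["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    for a in find_replayed_sessions(SAMPLE_LOG):
        print(f"ALERT {a['user']} sid={a['sid']} seen from {a['seen']}, "
              f"expected {a['expected']} at {a['at']}")
```

Real clients change IP legitimately (mobile networks, VPNs), so a production rule usually tolerates IP drift within the same network or device fingerprint and alerts on the combined change; the constructed sample exercises the clear-cut case.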
Some English-speaking hackers, seemingly unaware of the ultimate source of the logs, request passwords related to particular targets in specific countries within large group chats. One chat I observed recently expressed interest in logs pertaining to Canadian victims.
In an interview, Dark X, the alleged Hot Topic hacker, also appeared aware of another avenue for generating income: they indicated that they trade logs too.
“You wanna buy? haha,” they wrote.