
A new report from NordStellar and NordVPN has uncovered the scale of a fast-growing cybersecurity threat: browser cookies stolen through malware and trafficked on the dark web.
The researchers analyzed 93.7 billion stolen cookies circulating in underground markets, revealing that cybercriminals are using them to bypass login systems, impersonate users, and even access sensitive business data — often without ever needing a password.
Infostealers behind massive cookie theft operations
Nearly all of the stolen cookies were exfiltrated using infostealers and other types of malware — malicious programs designed to scan browsers for credentials, saved passwords, and session cookies. These tools are readily available as malware-as-a-service and often hidden in cracked software or phishing downloads.
Among the malware families identified:
- RedLine Stealer was the most prolific, responsible for 42 billion stolen cookies, though only 6.2% remained active.
- Vidar harvested 10.5 billion, with a higher rate of 7.2% active cookies.
- LummaC2, a newer stealer gaining popularity, netted 8.8 billion cookies.
- CryptBot stole fewer cookies (1.4 billion), but a staggering 83.4% were still valid, making it the most dangerous in terms of successful reuse.
“Cookie theft is no longer a fringe tactic. It’s industrialized and shockingly effective,” said researchers from NordStellar.
Why cookies are a hot commodity on the dark web
Session cookies in particular are a goldmine. A session cookie is the browser's proof that a login (including any second factor) has already succeeded, so whoever presents it is treated as the logged-in user. Attackers who replay a stolen one skip the login form and two-factor authentication entirely, gaining instant access to accounts ranging from email and cloud storage to online banking and workplace tools.
From the dataset of 93.7 billion cookies:
- 15.6 billion were still active, meaning they could be used to hijack live sessions.
- Common keywords in listings included “ID” (18B), “session” (1.2B), “auth” (272.9M), and “login” (61.2M).
- Many cookies also contained personally identifiable information (PII) such as names, email addresses, birthdays, gender, and even physical locations — data that can fuel phishing and identity theft.
Cookies were being sold on both dark web forums and Telegram channels, often within minutes of being harvested.
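The report's headline numbers come from triaging dumps like this: which cookies are still within their expiry, and which names suggest an authentication or session token. The following is an added example (not code from the report or from NordStellar/NordVPN) of that triage over a small constructed dump. It assumes the dump is in the Netscape cookies.txt format (tab-separated domain, subdomain flag, path, secure flag, expiry, name, value, with the `#HttpOnly_` domain prefix some exporters use); the domains, names, values and the reference timestamp are all made up.

```python
"""Triage a cookie dump in Netscape cookies.txt format.

Added example; not part of the NordStellar/NordVPN report. The sample input,
domains, values and the fixed "now" timestamp are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Name fragments the report counted in the stolen cookies.
KEYWORDS = ("ID", "session", "auth", "login")
HTTPONLY_PREFIX = "#HttpOnly_"   # exporter convention for HttpOnly cookies
NOW = 1_750_000_000              # constructed reference time (unix epoch seconds)

# Constructed sample: seven tab-separated columns per cookie line.
SAMPLE_DUMP = (
    "# Netscape HTTP Cookie File\n"
    "# constructed sample; not real stolen data\n"
    "#HttpOnly_.example-mail.test\tTRUE\t/\tTRUE\t1800000000\tSID\tabc123\n"
    ".example-mail.test\tTRUE\t/\tTRUE\t1500000000\tauth_token\tdef456\n"
    "login.example-cloud.test\tFALSE\t/\tTRUE\t0\tlogin_session\tghi789\n"
    "shop.example.test\tFALSE\t/\tFALSE\t1700000000\tsession_id\tjkl012\n"
    "shop.example.test\tFALSE\t/\tFALSE\t1900000000\t_tracker\ttrk-0001\n"
)


@dataclass(frozen=True)
class Cookie:
    domain: str
    path: str
    secure: bool
    http_only: bool
    expiry: int      # unix epoch seconds; 0 = browser-session cookie, no expiry recorded
    name: str
    value: str


def parse_netscape(text: str) -> list[Cookie]:
    """Parse cookies.txt lines, keeping HttpOnly-prefixed lines and skipping comments."""
    cookies: list[Cookie] = []
    for line in text.splitlines():
        http_only = line.startswith(HTTPONLY_PREFIX)
        if http_only:
            line = line[len(HTTPONLY_PREFIX):]
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at columns
        domain, _include_subdomains, path, secure, expiry, name, value = fields
        try:
            expiry_ts = int(expiry)
        except ValueError:
            continue
        cookies.append(Cookie(domain, path, secure == "TRUE", http_only, expiry_ts, name, value))
    return cookies


def is_active(cookie: Cookie, now: int) -> bool:
    """Expiry-based check only: the file cannot tell whether the server still accepts it.

    Expiry 0 means a browser-session cookie; its validity is unknown, so treat as
    potentially active rather than discarding it.
    """
    return cookie.expiry == 0 or cookie.expiry > now


def keyword_hits(name: str) -> list[str]:
    """Case-insensitive substring match; one name may hit several keywords."""
    lowered = name.lower()
    return [k for k in KEYWORDS if k.lower() in lowered]


def summarize(cookies: list[Cookie], now: int) -> dict:
    active = [c for c in cookies if is_active(c, now)]
    keywords: Counter[str] = Counter()
    for c in cookies:
        keywords.update(keyword_hits(c.name))
    return {
        "total": len(cookies),
        "active": len(active),
        "active_pct": round(100 * len(active) / len(cookies), 1) if cookies else 0.0,
        "keywords": dict(keywords),
        "active_by_domain": dict(Counter(c.domain for c in active)),
        # still-valid cookies whose names look like auth/session material
        "high_value": sorted(c.name for c in active if keyword_hits(c.name)),
    }


def triage(text: str = SAMPLE_DUMP, now: int = NOW) -> dict:
    return summarize(parse_netscape(text), now)


if __name__ == "__main__":
    for key, val in triage().items():
        print(f"{key}: {val}")
```

Expiry is the only signal the file carries; a cookie past its expiry is dead for certain, but an unexpired one is only a candidate until the server says otherwise, which is why the report's "active" share should be read as an upper bound on what could be replayed.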
Big platforms, bigger targets
Attackers aren’t just going after obscure websites. Some of the most commonly targeted platforms were:
- Google services (Gmail, Google Drive, YouTube): over 4.5 billion cookies
- Microsoft accounts: more than 1 billion cookies
- Other top targets included Facebook, TikTok, and shopping platforms.
Since many users rely on Google or Microsoft accounts for multi-factor authentication and single sign-on (SSO), session hijacking can grant access to a wide array of linked services.
Global impact: top countries and devices affected
The research linked stolen cookies to 253 countries and territories, with the most affected regions being:
- Brazil, India, Indonesia, and the United States
- In Europe, Spain led with 1.75 billion cookies, while the UK showed a high proportion of active cookies (8.3%)
Most stolen cookies originated from Windows devices, although 13.2 billion came from unknown or non-Windows platforms — a sign that other operating systems are not immune.
What attackers can do with your cookies
Once in possession of an active session cookie, threat actors can:
- Hijack accounts without triggering 2FA
- Impersonate users across email, social media, and commerce sites
- Launch phishing attacks using harvested PII
- Access sensitive corporate data through compromised SSO
- Move laterally within business networks
- Deploy ransomware using elevated access credentials
How to stay protected
Cybersecurity experts recommend a few steps to reduce your exposure:
- Reject non-essential cookies, especially third-party trackers. This limits what a stealer can scoop up, but it does nothing for the session cookies that keep you logged in, and those are the ones attackers want.
- Clear cookies regularly, particularly after using public or shared devices. Clearing only deletes the local copy; a cookie that has already been exfiltrated stays valid until the server invalidates it, so sign out explicitly (and use a "sign out of all sessions" option where the service offers one) rather than just wiping the browser.
- Avoid public Wi-Fi or use a VPN to encrypt your traffic. This protects cookies in transit, not cookies already sitting on a device infected with an infostealer.
- Use security tools like threat protection suites to block malware before it can harvest data. Since nearly all of the cookies in this dataset were taken by malware, keeping the stealer off the device is the control that actually addresses the threat.
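The advice above is all on the user's side. The complementary view, which the report does not cover, is what a service can do so that a replayed cookie is worth less: store only a hash of the token, cap idle and absolute lifetime, bind the session to a coarse client fingerprint so a replay from a new device becomes a visible event, and make logout revoke server-side. The following is an added example, not code from the report or from any vendor; it assumes a hypothetical backend with an in-memory session table and uses fixed timestamps so the run is deterministic.

```python
"""Server-side session handling that limits what a stolen cookie is worth.

Added example; not from the report or any named product. The session table,
IP addresses, user agents and timestamps are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60         # seconds without activity before re-authentication
ABSOLUTE_LIFETIME = 8 * 3600   # hard cap regardless of activity


def _fingerprint(ip: str, user_agent: str) -> str:
    # Coarse client binding. An attacker who copies the cookie jar may copy the
    # UA too, but this turns a silent hijack into a logged, revocable event.
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def _token_id(token: str) -> str:
    # Store only a hash of the bearer token: a dump of the session table is then
    # not replayable as-is, unlike a dump of the browser's cookie jar.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    created_at: int
    last_seen: int
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}
        self.alerts: list[str] = []  # what a SOC would want to see

    def create(self, user: str, ip: str, user_agent: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # the value that goes into Set-Cookie
        self._sessions[_token_id(token)] = Session(user, _fingerprint(ip, user_agent), now, now)
        return token

    def validate(self, token: str, ip: str, user_agent: str, now: int) -> str:
        sess = self._sessions.get(_token_id(token))
        if sess is None:
            return "unknown"
        if sess.revoked:
            return "revoked"
        if now - sess.created_at > ABSOLUTE_LIFETIME:
            sess.revoked = True
            return "expired"
        if now - sess.last_seen > IDLE_TIMEOUT:
            sess.revoked = True
            return "idle_timeout"
        if not hmac.compare_digest(sess.fingerprint, _fingerprint(ip, user_agent)):
            # Same cookie, different client: the signature of a replayed stealer log.
            sess.revoked = True
            self.alerts.append(f"session for {sess.user} replayed from {ip}; revoked")
            return "fingerprint_mismatch"
        sess.last_seen = now
        return "ok"

    def logout(self, token: str) -> None:
        # Logout must revoke server-side; deleting the cookie in the browser
        # leaves any exfiltrated copy usable.
        sess = self._sessions.get(_token_id(token))
        if sess is not None:
            sess.revoked = True

    def logout_all(self, user: str) -> int:
        """Revoke every live session for a user; returns how many were revoked."""
        count = 0
        for sess in self._sessions.values():
            if sess.user == user and not sess.revoked:
                sess.revoked = True
                count += 1
        return count


def demo() -> dict:
    store = SessionStore()
    t0 = 1_750_000_000
    victim_ip, victim_ua = "198.51.100.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
    token = store.create("alice", victim_ip, victim_ua, t0)
    results = {
        "victim": store.validate(token, victim_ip, victim_ua, t0 + 60),
        # cookie copied from the browser profile and replayed from another host
        "attacker": store.validate(token, "203.0.113.7", "curl/8.5.0", t0 + 120),
        # the victim's own session is gone too; they must log in again
        "victim_after": store.validate(token, victim_ip, victim_ua, t0 + 180),
    }
    token2 = store.create("alice", victim_ip, victim_ua, t0 + 200)
    results["idle"] = store.validate(token2, victim_ip, victim_ua, t0 + 200 + IDLE_TIMEOUT + 1)
    token3 = store.create("alice", victim_ip, victim_ua, t0 + 300)
    store.logout(token3)
    results["after_logout"] = store.validate(token3, victim_ip, victim_ua, t0 + 301)
    token4 = store.create("alice", victim_ip, victim_ua, t0 + 400)
    results["logout_all"] = store.logout_all("alice")
    results["after_logout_all"] = store.validate(token4, victim_ip, victim_ua, t0 + 401)
    results["alerts"] = len(store.alerts)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Hard-revoking on any fingerprint change is the strict setting; IP addresses change on mobile networks, so a production service would more often treat a mismatch as a trigger for step-up authentication and bind on stabler signals. The point that survives either way is that the server, not the browser, decides when a stolen cookie stops working.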