
Infostealer Malware: The Silent Epidemic Stealing Billions of Passwords in 2026

Infostealer malware compromised 3.9 billion credentials across 4.3 million devices in 2024. In January 2026, a single database was found containing 149 million stolen passwords. These aren't headline-grabbing ransomware attacks — they're quiet infections that steal everything from your browser and sell it before you notice anything wrong.

adhen prasetiyo
[Image: Malware silently extracting passwords, cookies and credentials from a browser database into a criminal marketplace]

The Malware You've Never Heard of Is the One Already Inside Your Browser

Let me tell you about something that happened in January 2026 that most people completely missed.

Security researcher Jeremiah Fowler discovered an unprotected database sitting on the open internet. Inside it: 149 million stolen login-password pairs. That included 48 million Gmail accounts, 17 million Facebook accounts, and 900,000 Apple iCloud accounts. All of it harvested by infostealer malware — software designed to quietly extract every saved password, cookie, and authentication token from a victim's browser.

That database wasn't even noteworthy by the standards of the infostealer economy. It was just one collection from one operation. The total scope of infostealer activity in 2024-2025 dwarfs it entirely. According to KELA's research, infostealer malware compromised 3.9 billion credentials across 4.3 million infected devices in 2024 alone. Flashpoint reported that information-stealing malware was responsible for 75% of all 3.2 billion credentials stolen that year. And the first half of 2025 saw 1.8 billion more credentials stolen — an 800% increase over the previous six months.

If ransomware is the sledgehammer of cybercrime, infostealers are the lockpick. They don't encrypt your files or demand payment. They don't announce themselves at all. They slip into your system, copy everything valuable from your browser, and transmit it to a criminal server — often in under a minute. Then they disappear. You never see a ransom note. You never get an alert. You just wake up one morning to find your email hijacked, your bank account drained, or your company's network compromised.

And here's the part that should concern you most: 54% of ransomware victims had their corporate credentials appear in infostealer logs before the ransomware hit. The average time between a credential appearing in a stealer log marketplace and a ransomware attack? Two days. Monday your password shows up on a criminal marketplace. Wednesday you're dealing with ransomware.

Infostealers are the supply chain that feeds the entire cybercriminal ecosystem. Let me explain how they work and what you can do about it.

How Infostealers Actually Work

An infostealer is malware with one purpose: extract saved credentials and authentication data from your device, then send it to the attacker.

When an infostealer executes on your computer, it moves fast and quiet. Within seconds, it targets your web browsers — Chrome, Firefox, Edge, Brave — and extracts every saved password from the browser's credential database. It copies every cookie, including session cookies that represent active logins to your accounts. It grabs autofill data — credit card numbers, addresses, phone numbers. It captures your browsing history. It looks for cryptocurrency wallet files and private keys. It scans your desktop and documents folders for files that might contain passwords or sensitive data. And then it packages everything into a compressed file and uploads it to a command-and-control server.

The entire process takes seconds to a few minutes. There's no visible sign anything happened. Your computer doesn't slow down. No files are locked. No warning appears.

The stolen data — called a "log" — is then sold on underground marketplaces, Telegram channels, and specialized bot shops. A single log containing corporate VPN credentials might sell for $10 to $50. A log with banking credentials or cryptocurrency wallet keys commands higher prices. Bulk logs from thousands of infections are sold in batches for pennies per victim.

This is the part that changes how you think about account security.

You've been told that two-factor authentication protects your accounts even if your password is stolen. That's true for the login event. But infostealers don't need to log in. They steal the session cookie — the authentication token your browser stores after you've already logged in and passed MFA.

When you log into Gmail with your password and authenticator code, Gmail issues a session cookie to your browser that says "this person has authenticated." That cookie keeps you logged in so you don't have to re-enter your password every time you refresh the page.

An infostealer copies that cookie. The attacker imports it into their own browser. Gmail sees the valid session cookie and grants access — no password needed, no MFA prompt, nothing. To Gmail, the attacker's browser looks exactly like yours.

This is called session hijacking, and it's the reason infostealers are so devastating. They bypass the strongest password and the strongest MFA by stealing the proof of authentication itself.

Google has been working on countermeasures. Device Bound Session Credentials is a project designed to tie session cookies to the specific device that created them, making stolen cookies useless on other machines. But as of early 2026, full deployment across all services is still in progress.
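The device-binding idea above, as an added toy model (not code from this article and not Google's DBSC implementation): the server registers a per-device key at login that lives outside the browser's cookie store, and every sensitive request must carry a fresh proof made with that key, so a copied cookie on its own is refused. An HMAC over a per-device secret stands in for the hardware-backed keypair a real design would use; all names here are constructed.

```python
import hmac
import hashlib
import secrets

# Server-side state (constructed toy model, not Google's DBSC implementation):
# session_id -> {"user": ..., "device_key": secret registered at login}
SESSIONS = {}
PENDING_NONCES = set()  # challenges issued but not yet consumed

def login(user):
    """Issue a session cookie and register a device-bound key.
    The key goes to the device's keystore, never into the cookie jar an
    infostealer copies. HMAC with a per-device secret stands in for the
    hardware-backed keypair a real deployment would use."""
    session_id = secrets.token_hex(16)
    device_key = secrets.token_bytes(32)
    SESSIONS[session_id] = {"user": user, "device_key": device_key}
    return session_id, device_key

def challenge():
    """Server issues a fresh nonce the client must sign on sensitive requests."""
    nonce = secrets.token_hex(16)
    PENDING_NONCES.add(nonce)
    return nonce

def device_sign(device_key, session_id, nonce):
    """What the legitimate device does: prove possession of the bound key."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def verify_request(session_id, nonce, proof):
    """Cookie alone is not enough: the proof must match the key bound at login,
    and each nonce is accepted once, so a captured proof cannot be replayed."""
    sess = SESSIONS.get(session_id)
    if sess is None or proof is None or nonce not in PENDING_NONCES:
        return False
    PENDING_NONCES.discard(nonce)
    expected = device_sign(sess["device_key"], session_id, nonce)
    return hmac.compare_digest(expected, proof)

def stolen_cookie_replay(session_id):
    """The attacker model from the article: the cookie was copied, the key was not."""
    nonce = challenge()
    return verify_request(session_id, nonce, None)
```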

The Big Three: Lumma, StealC, and RedLine

The infostealer market is dominated by a few major players, each operating as a Malware-as-a-Service business — meaning anyone can rent the malware for a monthly subscription.

Lumma Stealer

Lumma — also called LummaC2 — is the dominant infostealer of 2025-2026. It accounts for approximately 51% of all stealer logs sold on dark web forums. ESET reported a 369% surge in Lumma detections between the first and second halves of 2024. Microsoft identified over 394,000 Windows computers infected with Lumma in just two months between March and May 2025.

Lumma operates on a tiered subscription model: $250 per month for the standard package, scaling to $1,000 for premium features including custom builds and advanced evasion. The developer claims approximately 400 active clients.

In May 2025, Microsoft and Cloudflare led a major operation that seized 2,300 Lumma domains. The celebration was short-lived. Within weeks, Lumma's operators had rebuilt their infrastructure and resumed operations. By July 2025, detection numbers had returned to pre-takedown levels.

StealC

StealC focuses on comprehensive browser data extraction — passwords, cookies, autofill data, and browsing history. It's particularly effective at extracting session tokens that bypass MFA. StealC is known for its stealth techniques that reduce the chances of triggering security alerts, and it's distributed primarily through malicious advertisements and fake software downloads.

RedLine

RedLine dominated from 2020 to 2023, at one point responsible for 51% of all infostealer infections. Though law enforcement disrupted its operations in October 2024, its logs continue circulating in underground markets. RedLine was particularly aggressive in distribution through fake software updates and pirated applications, and it targeted FTP credentials, VPN configurations, and cryptocurrency wallets alongside browser data.

How You Get Infected

Infostealers reach your computer through several vectors, all of which exploit human behavior rather than technical vulnerabilities.

Fake software downloads. You search for a free PDF converter, a video editor, a game crack, or a popular tool. The top results — sometimes boosted by SEO poisoning or paid ads — lead to websites that look legitimate but serve infected installers. The software works as advertised. The infostealer packaged inside it also works as designed.

Malvertising. Legitimate advertising networks serve malicious ads that redirect to infostealer download pages. You can encounter these on perfectly reputable websites. One 2025 campaign even impersonated CrowdStrike — a security company — distributing Lumma through fake "Falcon Update" installers.

Phishing emails. Classic but effective. An email with an invoice attachment, a shipping notification, or a document that requires you to enable macros. Open the attachment, and the infostealer executes.

ClickFix attacks. A newer technique: you visit a compromised website that displays a fake CAPTCHA or error message. It instructs you to "press Win+R and paste this command to verify you're human." Following the instructions executes a PowerShell command that downloads and runs the infostealer. This technique is disturbingly effective because it leverages people's trust in familiar verification patterns.

Fake browser extensions. Trojanized browser extensions that appear legitimate but include infostealer functionality — exactly as we covered in our browser extension risks article.

What You Can Actually Do About It

Stop Saving Passwords in Your Browser

This is the single most important step. Your browser's built-in password manager is the primary target for every infostealer. Chrome, Firefox, Edge — they all store passwords in databases that infostealers know exactly how to extract.

Use a dedicated password manager instead. Bitwarden, 1Password, and Dashlane store credentials in encrypted vaults that infostealers can't easily access. The password is no longer in your browser's database — it's in a separate, heavily encrypted application.

Never Download Software From Search Results

If you need to download software, go directly to the developer's official website. Don't click on sponsored search results or ads. Don't download "free" versions of paid software. Don't trust forum posts linking to download sites. This single habit eliminates the most common infostealer infection vector.

Keep Your Operating System and Browser Updated

Google Chrome has been implementing protections against infostealer techniques, including app-bound encryption for cookies. When Chrome pushed cookie-securing updates in late 2024, it rendered all stealers' Chrome cookie collection temporarily obsolete. The stealer developers adapted within 24 hours — but this cat-and-mouse game means that running the latest browser version gives you the most current protections.

Use Endpoint Protection

As we covered in our antivirus article, modern endpoint protection with behavioral analysis can detect infostealer activity — the rapid access to browser credential databases and the data exfiltration that follows. Windows Defender, Malwarebytes, and other security tools include infostealer detection capabilities.
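The behavioral pattern just described, as an added detection example (not code from this article or from any named product), run over constructed EDR-style telemetry: a process that is not a browser reads two or more browser credential stores within a short window and then opens an outbound connection. The event format, process names and address are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EDR-style telemetry: "time pid image event target". Not real logs.
SAMPLE_EVENTS = [
    r"2026-01-14T09:12:01 4120 chrome.exe FileRead C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2026-01-14T09:15:40 7788 screenrec_setup.exe FileRead C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2026-01-14T09:15:40 7788 screenrec_setup.exe FileRead C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"2026-01-14T09:15:41 7788 screenrec_setup.exe FileRead C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json",
    r"2026-01-14T09:15:43 7788 screenrec_setup.exe NetConnect 203.0.113.7:443",
    r"2026-01-14T09:20:00 5120 explorer.exe FileRead C:\Users\a\Documents\notes.txt",
]

# Files that hold browser-saved passwords, cookies and autofill data.
CREDENTIAL_STORES = [r"\\Login Data$", r"\\Cookies$", r"\\Web Data$", r"\\logins\.json$", r"\\key4\.db$"]
# In production, check the signer and path of the image, not just its name.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe"}

def parse(line):
    ts, pid, image, event, target = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), int(pid), image, event, target

def detect(lines, store_window=timedelta(seconds=60), exfil_window=timedelta(seconds=120)):
    """Flag a non-browser process that reads >= 2 distinct credential stores within
    store_window and opens an outbound connection within exfil_window of the first read."""
    by_pid = defaultdict(list)
    for line in lines:
        ev = parse(line)
        by_pid[ev[1]].append(ev)
    alerts = []
    for pid, events in by_pid.items():
        events.sort()
        image = events[0][2]
        if image.lower() in BROWSERS:
            continue  # a browser reading its own profile is expected
        reads = [(t, target) for t, _, _, e, target in events
                 if e == "FileRead" and any(re.search(p, target) for p in CREDENTIAL_STORES)]
        if len(reads) < 2:
            continue
        first = reads[0][0]
        stores = {target.rsplit("\\", 1)[-1] for t, target in reads if t - first <= store_window}
        if len(stores) < 2:
            continue
        net = [target for t, _, _, e, target in events
               if e == "NetConnect" and first <= t <= first + exfil_window]
        if net:
            alerts.append({"pid": pid, "image": image, "stores": sorted(stores), "remote": net[0]})
    return alerts
```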

Consider Passkeys

Passkeys are fundamentally resistant to infostealers because there's no password or session cookie to steal. The authentication is bound to your device's hardware security module. Even if an infostealer extracts everything from your browser, it can't steal a passkey. As passkey adoption grows in 2026, switching to them where available provides the strongest protection.

Monitor for Credential Exposure

Check Have I Been Pwned regularly. Sign up for breach notifications. If your credentials appear in a breach, change them immediately — and not just on the breached service, but on every service where you used similar credentials. This is the exact scenario that enables credential stuffing.
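An added example (not code from this article) of checking a password against Have I Been Pwned's Pwned Passwords range endpoint without sending the password itself: only the first five characters of its SHA-1 hash leave the machine, and the returned range is searched locally for the remaining suffix. The sample response body is constructed; the live fetch uses the real endpoint but is not needed to run the parsing logic offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP Pwned Passwords range endpoint

# Constructed response body in the real "SUFFIX:COUNT" line format (counts are made up).
SAMPLE_RANGE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
    "3D4F2BF07DC1BE38B20CD6E46949A1071F9:0\n"
)

def split_hash(password):
    """SHA-1 the password; only the first 5 hex chars are sent (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(range_body, suffix):
    """Parse a range response and return how often our full hash appears
    in known breaches (0 = not found; padded entries also carry count 0)."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        cand, count = line.split(":", 1)
        if cand.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix):
    """Live lookup (network). Add-Padding asks the service to pad response sizes."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def is_pwned(password, range_body=None):
    """Return the breach count for password; pass range_body to stay offline."""
    prefix, suffix = split_hash(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(body, suffix)
```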

The Bigger Picture

Infostealers represent a fundamental shift in how cybercrime operates. They're not the attack — they're the supply chain for attacks. Every ransomware campaign, every business email compromise, every account takeover, every identity theft starts with stolen credentials. And infostealers are producing those credentials at industrial scale.

The numbers tell the story: 3.9 billion credentials stolen in one year. 4.3 million devices infected. A database of 149 million passwords discovered sitting unprotected on the internet. 54% of ransomware victims had credentials in stealer logs before the attack.

Your browser is the most valuable target on your computer — not because of what you're reading, but because of what's saved inside it. Every password, every cookie, every autofill entry is a potential payday for someone running a $250-per-month malware subscription.

Stop saving passwords in your browser. Use a dedicated password manager. Don't download software from search results. Keep everything updated. And switch to passkeys where you can.

The infostealers are industrialized. Your defense needs to be too.

The Personal Impact You Don't See Coming

Most coverage of infostealers focuses on corporate environments. But the personal impact is equally devastating.

Imagine this scenario: you download what looks like a legitimate screen recording tool. It works perfectly. You use it for a week. Meanwhile, the bundled infostealer has already extracted every password saved in Chrome — your Gmail, your online banking, your Amazon account, your social media, your investment portfolio login, your health insurance portal.

Two weeks later, your bank alerts you to unauthorized transfers. Your Amazon account has orders shipping to unfamiliar addresses. Your email has forwarding rules you didn't set up, silently copying every incoming message to an unknown address. Your Instagram is posting spam. Your health insurance shows claims for services you never received.

All from one download. One moment of misplaced trust in a search result.

The connection between that download and the cascade of account compromises may never be obvious to you. You might blame each incident on separate causes — a phishing email here, a data breach there. But the root cause was a single infostealer infection that harvested everything at once.

This is why infostealers are called the silent epidemic. The infection is invisible. The damage is distributed across dozens of services over weeks and months. And the victim often never realizes what actually happened.

Check your browser right now. How many passwords are saved in it? That's exactly how many accounts an infostealer would compromise in under sixty seconds. Move them to a dedicated password manager today. Not tomorrow. Today.


Written by

adhen prasetiyo

Adhen Prasetiyo is an independent security researcher and the editor of BioProfileMe. He writes about cybersecurity, online scams, privacy risks, account security, and practical digital safety for everyday users.