News broke today about "one of the largest data breaches in history," sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.
To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.
Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.
Cybernews, which discovered the briefly exposed datasets of compiled credentials, stated it was stored in a format commonly associated with infostealer malware, though they did not share samples
An infostealer is malware that attempts to steal credentials, cryptocurrency wallets, and other data from an infected device. Over the years, infostealers have become a massive problem, leading to breaches worldwide.
...
The infostealer problem has gotten so bad and pervasive that compromised credentials have become one of the most common ways for threat actors to breach networks.
Coup de tonnerre, en ce mardi 10 juin 2025. Le groupe malveillant Stormous revendique une cyberattaque contre les systèmes de l’Éducation nationale.
Il assure être en possession de données relatives à plus de 40 000 personnes et fournit, pour étayer ses allégations, un échantillon d’un peu moins de 1 400 lignes, soit autant de combinaison login/mot de passe, ou adresse mail/mot de passe. Et tout cela pour une poignée de services en ligne liés à l’Éducation nationale.
Mais cet échantillon suggère surtout que les allégations de Stormous sont fausses.
Nous l’avons confronté aux données de la plateforme Cavalier d’HudsonRock.
La conclusion s’impose rapidement : Stormous a commencé la divulgation d’une combolist vraisemblablement constituée en tout ou partie depuis d’innombrables logs de cleptogiciels (ou infostealers) partagés quotidiennement, gratuitement, et à tous les vents sur de multiples chaînes Telegram plus ou moins spécialisées. De quoi rappeler l’impressionnante liste ALIEN TXTBASE de la fin février.
41 servers seized and 32 suspects arrested during Operation Secure.
More than 20,000 malicious IP addresses or domains linked to information stealers have been taken down in an INTERPOL-coordinated operation against cybercriminal infrastructure.
During Operation Secure (January – April 2025) law enforcement agencies from 26 countries worked to locate servers, map physical networks and execute targeted takedowns.
Ahead of the operation, INTERPOL cooperated with private-sector partners Group-IB, Kaspersky and Trend Micro to produce Cyber Activity Reports, sharing critical intelligence with cyber teams across Asia. These coordinated efforts resulted in the takedown of 79 per cent of identified suspicious IP addresses.
Participating countries reported the seizure of 41 servers and over 100 GB of data, as well as the arrest of 32 suspects linked to illegal cyber activities.
Infostealer malware is a primary tool for gaining unauthorized access to organizational networks. This type of malicious software extracts sensitive data from infected devices, often referred to as bots. The stolen information typically includes browser credentials, passwords, cookies, credit card details and cryptocurrency wallet data.
Additionally, logs harvested by infostealers are increasingly traded on the cybercriminal underground and are frequently used as a gateway for further attacks. These logs often enable initial access for ransomware deployments, data breaches, and cyber-enabled fraud schemes such as Business Email Compromise (BEC).
Following the operation, authorities notified over 216,000 victims and potential victims so they could take immediate action - such as changing passwords, freezing accounts, or removing unauthorized access.
Vietnamese police arrested 18 suspects, seizing devices from their homes and workplaces. The group's leader was found with over VND 300 million (USD 11,500) in cash, SIM cards and business registration documents, pointing to a scheme to open and sell corporate accounts.
As part of their respective enforcement efforts under Operation Secure, house raids were carried out by authorities in Sri Lanka and Nauru. These actions led to the arrest of 14 individuals - 12 in Sri Lanka and two in Nauru - as well as the identification of 40 victims.
The Hong Kong Police analysed over 1,700 pieces of intelligence provided by INTERPOL and identified 117 command-and-control servers hosted across 89 internet service providers. These servers were used by cybercriminals as central hubs to launch and manage malicious campaigns, including phishing, online fraud and social media scams.
Neal Jetton, INTERPOL’s Director of Cybercrime, said:
“INTERPOL continues to support practical, collaborative action against global cyber threats. Operation Secure has once again shown the power of intelligence sharing in disrupting malicious infrastructure and preventing large-scale harm to both individuals and businesses.”
Notes to editors
Operation Secure is a regional initiative organized under the Asia and South Pacific Joint Operations Against Cybercrime (ASPJOC) Project.
Participating countries: Brunei, Cambodia, Fiji, Hong Kong (China), India, Indonesia, Japan, Kazakhstan, Kiribati, Korea (Rep of), Laos, Macau (China), Malaysia, Maldives, Nauru, Nepal, Papua New Guinea, Philippines, Samoa, Singapore, Solomon Islands, Sri Lanka, Thailand, Timor-Leste, Tonga, Vanuatu, Vietnam.
Key Findings:
On May 21, 2025, Europol, FBI, and Microsoft, in collaboration with other public and private sector partners, announced an operation to dismantle the activity of the Lumma infostealer. The malware, considered to be one of the most prolific infostealers, is distributed through a malware-as-a-service model. In addition to its use by common cyber criminals for stealing credentials, Lumma was observed to be part of the arsenal of several prominent threat actor groups, including Scattered Spider, Angry Likho, and CoralRaider.
The Takedown on the Dark Web
According to the reports, the takedown operation began on May 15. On that day, Lumma customers flooded dark web forums that advertise the stealer, complaining they were unable to access the malware’s command and control (C2) servers and management dashboards.
This joint operation targeted the sophisticated ecosystem that allowed Europol’s European Cybercrime Centre has worked with Microsoft to disrupt Lumma Stealer (“Lumma”), the world’s most significant infostealer threat.
This joint operation targeted the sophisticated ecosystem that allowed criminals to exploit stolen information on a massive scale. Europol coordinated with law enforcement in Europe to ensure action was taken, leveraging intelligence provided by Microsoft.
Between 16 March and 16 May 2025, Microsoft identified over 394 000 Windows computers globally infected by the Lumma malware. In a coordinated follow-up operation this week, Microsoft’s Digital Crimes Unit (DCU), Europol, and international partners have disrupted Lumma’s technical infrastructure, cutting off communications between the malicious tool and victims. In addition, over 1 300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes.
The Head of Europol’s European Cybercrime Centre, Edvardas Šileris, said: “This operation is a clear example of how public-private partnerships are transforming the fight against cybercrime. By combining Europol’s coordination capabilities with Microsoft’s technical insights, a vast criminal infrastructure has been disrupted. Cybercriminals thrive on fragmentation – but together, we are stronger.”
The presence of credentials in leaked “stealer logs” indicates his device was infected.
Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years.
Kyle Schutt is a 30-something-year-old software engineer who, according to Dropsite News, gained access in February to a “core financial management system” belonging to the Federal Emergency Management Agency. As an employee of DOGE, Schutt accessed FEMA’s proprietary software for managing both disaster and non-disaster funding grants. Under his role at CISA, he likely is privy to sensitive information regarding the security of civilian federal government networks and critical infrastructure throughout the US.
A steady stream of published credentials
According to journalist Micah Lee, user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits. Besides pilfering login credentials, stealers can also log all keystrokes and capture or record screen output. The data is then sent to the attacker and, occasionally after that, can make its way into public credential dumps.
“I have no way of knowing exactly when Schutt's computer was hacked, or how many times,” Lee wrote. “I don't know nearly enough about the origins of these stealer log datasets. He might have gotten hacked years ago and the stealer log datasets were just published recently. But he also might have gotten hacked within the last few months.”
Silent and undetectable initial access is the cornerstone of a cyberattack. MFA is there to stop unauthorized access, but attackers are constantly evolving.
We dive into FleshStealer, a new strain of information-stealing malware—explaining what it is and its potential impact on organizations.
Hackers are distributing close to 1,000 web pages mimicking Reddit and the WeTransfer file sharing service that lead to downloading the Lumma Stealer malware.
Following the takedown of RedLine Stealer by international authorities, ESET researchers are publicly releasing their research into the infostealer’s backend modules.
From Perfctl to InfoStealer, Author: Xavier Mertens
The BANSHEE malware is a macOS-based infostealer that targets system information, browser data, and cryptocurrency wallets.
LummaC2 is an Infostealer that is being actively distributed, disguised as illegal programs (e.g. cracks, keygens, and game hacking programs) available from distribution websites, YouTube, and LinkedIn using the SEO poisoning technique. Recently, it has also been distributed via search engine ads, posing as web pages of Notion, Slack, Capcut, etc.
Reference: Distribution of MSIX Malware Disguised as Notion Installer
An information-stealing script embedded in a Python package on the popular repository PyPI appears to be connected to a cybercriminal operation based in Iraq, according to researchers at Checkmarx.
Discover how Recorded Future uses infostealer logs to identify CSAM consumers and trends. Learn key findings and mitigation strategies.
Last week, a security researcher sent me 122GB of data scraped out of thousands of Telegram channels. It contained 1.7k files with 2B lines and 361M unique email addresses of which 151M had never been seen in HIBP before. Alongside those addresses were passwords and, in many cases, the website the data pertains to. I've loaded it into Have I Been Pwned (HIBP) today because there's a huge amount of previously unseen email addresses and based on all the checks I've done, it's legitimate data. That's the high-level overview, now here are the details:
Recent infostealer malware campaign utilizing fake Homebrew websites to deliver Cuckoo and AtomicStealer.
Kandji's threat research team has discovered a piece of malware that combines aspects of an infostealer and spyware. Here's how it works.
Jamf Threat Labs dissects ongoing infostealer attacks targeting macOS users. Each with different means of compromising victim’s Macs but with similar aims: to steal sensitive user data.
Learn how a threat actor used spearphishing emails and social engineering tactics to obtain a hotel’s credentials and solicit customers’ payment information.
