Some of the most valuable assets sold on cybercriminal marketplaces today are not credentials. They are collections of browser data that give attackers access to already authenticated accounts, with no login required.
A while back, we found a discussion where a user asked: “How was my account compromised if I have a strong password and two-factor authentication enabled?” Case in point: the attacker never needed to log in the traditional way, having gained access to an active browser session.
In reality, behind many account takeovers, fraudulent campaigns, and suspicious login activities sits an ecosystem most users never see: infostealer logs, full collections of browser data harvested from infected devices and later sold, traded, or reused by fraudsters.
And the story rarely ends with the infected device. Once stolen sessions and account access start circulating, they can be used to impersonate legitimate users across financial platforms, advertising accounts, e-commerce services, and corporate systems.
- 84% rise in infostealer attacks in 2024 (IBM X-Force 2025)
- 1,861 cookies harvested per infected device (SpyCloud 2025)
- 4.3M devices infected in 2024 (Deepstrike 2025)
- 39% of breaches involve stolen session data (SpyCloud 2025)
Sources: IBM X-Force Threat Intelligence Index 2025, SpyCloud Annual Identity Exposure Report 2025
Passwords Are Just One Piece of the Puzzle
When you think about stolen data, you most likely picture a leaked username and password. And that certainly happens. Yet browser data has become far more valuable than a simple login combination.
It all starts with the enormous amount of information that modern browsers store. They track where we log in, which websites we visit regularly, what payment methods we use, and often keep us signed in for weeks at a time. Convenient, sure, but it also makes browser data an attractive target.
Think about your own browser for a moment. How many websites would ask you to enter a password if you opened them right now? Most likely, you’ll answer: very few. Email accounts, social media, online stores, banking apps, and work tools often stay open indefinitely.
That persistent access is exactly what attackers are after. Instead of forcing their way into an account, they may already have information that makes them look like a trusted user.
The Cybercrime Product You’ve Probably Never Heard Of
Despite the name, an infostealer log is essentially a collection of data extracted from an infected device.
The issue: the malware behind it is designed to operate quietly. Unlike ransomware, which announces itself by locking files and demanding payment, infostealers work in the background. Their goal is to collect valuable data and send it elsewhere without disrupting the system or drawing attention.
According to the IBM X-Force Threat Intelligence Index 2025, infostealer-related attacks grew 84% year over year in 2024, partly because modern variants leave very little forensic trace behind.
The data they collect typically includes saved passwords, browser cookies, session tokens, autofill information, and, in some cases, payment details or cryptocurrency wallet data. SpyCloud’s 2025 Identity Exposure Report found an average of 1,861 cookies harvested per infected device, with 44 credentials exposed per infection on average.
How Cookies Became Keys to Online Accounts
Sure, passwords were long considered the primary target, but nowadays many attackers target cookies and session tokens, since these give them something more valuable. What is that, you ask? Authenticated access without knowing the original password.
The system is pretty simple: you tick the “Remember Me” box after logging in somewhere, and the platform stores information that allows it to recognize your session later. While this saves time and avoids repeated logins, it also makes it impossible for the platform to identify when your session data ends up in the wrong hands.
In some cases, attackers can import stolen session data into their own browser and appear as a legitimate user. Then the session picks up where it left off. No password prompt, no two-factor challenge, no indication that anything has changed.
Then, that session data gets packaged into logs and sold through underground marketplaces, sometimes even within hours of being harvested.
If you want to get more info on the matter, the CybelAngel research on infostealer logs provides a detailed look at how this criminal economy operates and how quickly stolen data changes hands.
1. Infected Device: user device compromised
2. Infostealer Malware: silent, runs in background
3. Data Packaged as Logs: cookies, sessions, passwords
4. Underground Marketplace: sold within hours
5. Fraudster Buys Logs: imported to their browser
6. Account Compromise: financial, ad, e-commerce fraud
The infostealer lifecycle: from device infection to active fraud
From Stolen Data to Active Fraud
A stolen browser session can unlock far more than a personal email inbox: it allows fraudsters to use compromised account access across a wide range of schemes.
For example:
- In financial fraud, stolen sessions can be used to initiate transfers, approve transactions, or modify account details before the legitimate owner notices.
- In e-commerce, they enable fraudulent purchases using stored payment methods.
- In business contexts, access to corporate accounts, project management tools, or communication platforms can be used for reconnaissance, data theft, or financial manipulation.
Advertising and affiliate ecosystems are common targets too. Access to an established account on an ad platform or affiliate network allows a fraudster to modify campaign settings, redirect payouts, create fraudulent ads, or manipulate traffic in ways that are harder to detect, because the activity originates from a trusted, established account.
The SentinelOne overview of infostealer tactics covers in detail how these compromised sessions are operationalized across different industries.
It all boils down to this: the account has history, reputation, and typical behavior patterns attached to it, so from the platform’s perspective, the activity can initially appear legitimate. Since the attacker doesn’t try to break through security measures, the activity inherits the trust that already exists, which is what makes session-based fraud particularly effective.
Sure, the financial impact is one thing: you can often calculate lost funds and, in some cases, recover them. But the reputational damage to a business or individual whose account was used to commit fraud is harder to undo.
Detection Is Getting Harder
Now, many platforms invest in fraud detection systems designed to flag unusual account behavior. We’re talking about login anomalies, new device fingerprints, unexpected geographic locations, and sudden changes to account settings. Pretty much anything that can serve as a warning signal.
Research from the Deepstrike 2025 Stealer Log Statistics report shows that in 2024 alone, infostealers compromised 4.3 million devices, producing a volume of stolen session data that outpaces many platforms’ ability to screen it.
The thing with these session-based attacks is that they often look just like legitimate activity instead of intrusion attempts. The system interprets the session as real because it carries real cookies or matching browsing history.
More accurate detection takes a deeper look at behavioral anomalies rather than signs of forced entry.
Here are six things worth paying closer attention to, even when they appear individually:
1. Unexpected login notifications from unfamiliar locations
2. New devices appearing in account history
3. Changes to payment or payout information
4. Account settings modified without explanation
5. Unusual transaction or campaign activity
6. Traffic or behavior patterns that suddenly shift
Alone, none of these confirms a compromise. Together, they may indicate that something needs immediate investigation.
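The correlation described above, as an added example that is not part of the original article: signals are collected per session, and a session is escalated only when several distinct signals cluster together. The event fields, signal names, the 24-hour window and the two-signal threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): time, session id, event, device fingerprint, country.
EVENTS = [
    ("2025-03-01T09:00:00", "sess-A", "login", "fp-laptop-1", "DE"),
    ("2025-03-01T09:05:00", "sess-A", "view_campaign", "fp-laptop-1", "DE"),
    ("2025-03-03T02:10:00", "sess-A", "view_campaign", "fp-unknown-9", "BR"),
    ("2025-03-03T02:14:00", "sess-A", "payout_change", "fp-unknown-9", "BR"),
    ("2025-03-01T10:00:00", "sess-B", "login", "fp-phone-2", "FR"),
    ("2025-03-02T18:30:00", "sess-B", "settings_change", "fp-phone-2", "FR"),
]

SENSITIVE = {"payout_change": "payout_changed", "settings_change": "settings_changed"}
WINDOW = timedelta(hours=24)   # assumed correlation window
THRESHOLD = 2                  # assumed number of distinct signals before escalating

def collect_signals(events):
    """Return {session_id: [(timestamp, signal), ...]} from one pass over the events."""
    baseline, signals = {}, defaultdict(list)
    for ts, sid, kind, fp, country in sorted(events):   # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if kind == "login":            # a real login sets the trusted context for the session
            baseline[sid] = (fp, country)
            continue
        known_fp, known_country = baseline.get(sid, (None, None))
        if fp != known_fp:             # same session id, device never seen at login
            signals[sid].append((when, "new_device"))
        if country != known_country:   # same session id, location never seen at login
            signals[sid].append((when, "new_location"))
        if kind in SENSITIVE:          # payout or settings change on this session
            signals[sid].append((when, SENSITIVE[kind]))
    return signals

def sessions_to_investigate(events):
    """Flag sessions with at least THRESHOLD distinct signals inside one WINDOW."""
    flagged = {}
    for sid, hits in collect_signals(events).items():
        for start, _ in hits:
            names = {name for t, name in hits if start <= t <= start + WINDOW}
            if len(names) >= THRESHOLD:
                flagged[sid] = sorted(names)
                break
    return flagged

if __name__ == "__main__":
    for sid, names in sessions_to_investigate(EVENTS).items():
        print(sid, "->", ", ".join(names))
```

Here sess-B changes settings from its usual device and stays below the threshold, while sess-A shows a new device, a new location and a payout change on one session with no fresh login in between, which is the pattern a replayed session produces.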
Final Thoughts
Many might wrongly think that a strong password is all that matters. They wouldn’t be entirely wrong, since strong credentials and two-factor authentication still count. But you also have to factor in the gaps that session-based fraud can exploit.
Cookies, session tokens, and browser data aren’t just minor technical details. They’re more of a shortcut around the security layers that users and platforms rely on every day.
As long as stolen browser data continues to circulate through underground marketplaces, you need to start understanding how it gets used to better protect your account, platform, or business.
And remember: the most effective attacks are often the ones that quietly inherit trust that already exists. If you want a broader view of how the identity threat landscape has shifted, the SpyCloud 2025 Identity Exposure Report is a useful starting point.

