Attackers don’t need to wade through massive credential dumps anymore. They can just pay someone else to find exactly what they’re looking for.
Flare researchers analyzed 470 underground forum posts from early 2025 through June 2026, mapping out a growing service layer that sits between infostealer infections and account takeover. These sellers maintain enormous databases — some claim tens of billions of records — and offer to search them for specific targets.
How it works: a buyer submits a target. Could be a company domain, a specific login URL, a gaming platform, a geographic region, or a list of emails. The seller returns matching credentials, usually formatted as URL:LOGIN:PASS, MAIL:PASS, or similar combinations. Delivery takes 10-15 minutes, according to some listings.
It’s essentially Google for stolen passwords, and it’s changing how initial access works. Instead of buying bulk combo lists and filtering them yourself, you query a broker and get only what you need.
The databases are massive. One seller advertised 5 billion lines. Another claimed 10 billion plus a 1TB+ URL:LOG collection. Sources include private logs, private clouds, personal streams, and public dumps, with daily updates.
But buyer feedback tells a familiar story. The actual results often don’t match the hype — lower volumes, invalid credentials, duplicates. The usable rate is a fraction of what’s advertised.
Still, the model is efficient. It turns raw infostealer noise into targeted attack material with minimal effort. For defenders, this means credential exposure isn’t just about whether your data was breached. It’s about whether someone can find it when they’re looking.
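For the defender side of that question, here is an added example (not from Flare's report or any tool it describes) that triages an exposure feed in the URL:LOGIN:PASS and MAIL:PASS formats mentioned above: it keeps only records that touch domains you own, drops duplicates, and discards plaintext passwords. The domain `example.com`, the sample lines, and all function names are assumptions made for illustration.

```python
import hashlib
import re

OWNED_DOMAINS = {"example.com"}  # assumption: placeholder for the domains you own
# Constructed sample feed (not real data), e.g. from an exposure-monitoring vendor.
SAMPLE = """\
https://sso.example.com:8443/login:alice@example.com:Winter2025!
https://sso.example.com:8443/login:alice@example.com:Winter2025!
https://shop.other.test/account:bob@example.com:p:ss:word
carol@example.com:hunter2
https://portal.other.test/:dave@other.test:letmein
not a credential line"""
# The URL carries its own colons (scheme, port), so a naive split(":") breaks.
# Assumption: URL paths and logins contain no colon; the password may.
URL_REC = re.compile(
    r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:\s]+)(?::\d+(?=[/:]))?(?:/[^:\s]*)?"
    r":(?P<login>[^:\s]+):(?P<pw>.+)$", re.I)
MAIL_REC = re.compile(r"^(?P<login>[^:@\s]+@[^:@\s]+):(?P<pw>.+)$")

def parse_record(line):
    """Return (host, login, password) for URL:LOGIN:PASS or MAIL:PASS, else None."""
    line = line.strip()
    m = URL_REC.match(line)
    if m:
        return m["host"].lower(), m["login"], m["pw"]
    m = MAIL_REC.match(line)
    return (None, m["login"], m["pw"]) if m else None

def in_scope(name):
    """True if name is an owned domain or a subdomain of one."""
    name = (name or "").lower()
    return any(name == d or name.endswith("." + d) for d in OWNED_DOMAINS)

def triage(lines):
    """Return (accounts needing a reset, counts of discarded lines)."""
    hits, seen = [], set()
    stats = {"unparsed": 0, "out_of_scope": 0, "duplicate": 0}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            stats["unparsed"] += 1
        elif not (in_scope(rec[0]) or in_scope(rec[1].partition("@")[2])):
            stats["out_of_scope"] += 1
        else:
            host, login, pw = rec
            # Keep a short fingerprint for deduplication only; drop the plaintext.
            fp = hashlib.sha256(pw.encode()).hexdigest()[:12]
            if (host, login.lower(), fp) in seen:
                stats["duplicate"] += 1
            else:
                seen.add((host, login.lower(), fp))
                hits.append({"host": host, "login": login, "pw_fp": fp})
    return hits, stats
```

Running `triage(SAMPLE.splitlines())` yields three in-scope accounts, including one whose corporate email was saved on a third-party site, which is exposure a check of your own login URLs alone would miss.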
