Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    I Have Thoughts About That Kylie Jenner Meta Glasses Ad

    June 30, 2026

    New BioShocking attack manipulates AI browser into data theft

    June 30, 2026

    The OSINT Newsletter – Issue #112

    June 30, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»A Glimpse into the “Search Your Target” Market for Stolen Credentials
    News

    A Glimpse into the “Search Your Target” Market for Stolen Credentials

    adminBy adminJune 23, 2026No Comments7 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Logging into an account

    Threat actors are increasingly turning massive infostealer-derived credential collections into searchable underground services, allowing buyers to request credentials for a specific company, platform, domain, geography, or account type.

    Flare researchers analyzed 470 underground forum posts published between January 2025 and June 2026, across different sources, related to actors offering to search for and extract stolen credentials from their databases. The dataset included advertisements, reposts, buyer feedback, pricing references, and disputes around quality and validity.

    The findings show a dedicated service layer sitting between infostealer infections, raw logs trading and account takeover activity. The profile of the threat actors who offer these services is divided between the Malware-as-a-Service (MaaS) providers and the MaaS consumers.

    In many cases, they function as credential brokers or data processors, monetizing the vast number of logs and their ability to search, filter, format, and deliver targeted results from large stolen credential collections.

    Key Points

    • Analysis of 470 underground posts illustrates a pinpointed service that offers targeted extraction, filtering, deduplication, formatting, and freshness, from large infostealers databases containing tens of billions of lines. It is functioning as an alternative to combo lists, where instead of purchasing a bulk dump, buyers query a seller’s existing data and receive only the results that match their target.

    • The market overlaps with the Initial Access Broker (IAB) ecosystem, but is not identical to it, when the common output formats included URL:LOGIN:PASS, MAIL:PASS, LOGIN:PASS, PHONE:PASS, MAIL:PHONE, and MAIL:LOGIN.

    • Interestingly buyer feedback showed there’s a gap between what is advertised and the actual results in terms of in reality the volume is lower, the credentials are often invalid, duplicated and generally usable.

    How Does the “Search Your Target” Service Work

    The “search your target” market sits in the middle of the account takeover chain.

    First, infostealers infect devices and collect credentials, cookies, autofill data, and browser artifacts. Then logs are aggregated and inserted into private clouds, ULP databases, public dumps, or exchange-based collections. Next, the “search-service” threat actors extract rows based on buyers’ requests. Buyers then validate the credentials and use them for account takeover, fraud, spam, phishing, crypto theft, or corporate intrusion.

    This means the sellers in this dataset are often neither the first nor final step. They are the processing layer that turns stolen credential noise into targeted attack material.

    Figure 1 – the
    Figure 1 – the “search your target” flow

    From a threat intelligence framework perspective, this service model represents a practical example of T1589.001 (Gather Victim Identity Information: Credentials), where adversaries actively research and acquire credentials prior to exploitation, and potentially T1650 (Acquire Access), given that some sellers deliver results indistinguishable from direct access provisioning.

    From GitHub access sales to leaked vendor repositories, the warning signs exist — they’re just buried in forums and marketplaces most teams aren’t watching.

    Flare surfaces them before they become incidents.

    Start Monitoring for Supply-Chain Exposure For Free

    The “Search Your Target” Market Economy

    Much like in the DDoS market, where the buyer submits a domain and the service provider attacks it, the service is duplicated and offers the same pipeline. 

    1. A buyer sends a target

    2. The seller returns matching credentials

    That target can be a company domain, login URL, ecommerce site, gaming platform, application, geographic market, or a list of emails. The output is usually delivered in formats such as URL:LOGIN, URL:LOG, MAIL, LOGIN, PHONE, or other combinations depending on the request.

    Several sellers in the underground specify the size of their database as a selling point. One actor advertised an “ULP 5kkk+ lines” database (5,000,000,000), quick access within 10–15 minutes, daily updates, and sources that allegedly included private logs, private clouds, personal streams, and public data. Another actor promoted a 10kkk+ line, 1TB+ URL:LOG database, while others claimed access to collections ranging from hundreds of millions to tens of billions of records.

    Screenshot taken from Flare’s platform.
    Sign up for the free trial to access if you aren’t already a customer.

    The size of the database isn’t the only selling point. Threat actors also indicate  other capabilities, as part of their sales pitch. The sellers are also advertising their search capabilities, freshness, formatting, and relevance.

    Some offer simple domain extraction, while others offer more customized services, such as extracting email accounts for a requested shop, website, app, or game. De-facto, attackers are advertising their technical capabilities of indexing data inside databases, updating and enabling quick and convenient search on it.

    As an example, one of the sellers advertised that customers could submit a request for only $20 per request, and add additional payment based on the returned results.

    Screenshot taken from the forum of one of the posts in the dataset
    Screenshot taken from the forum of one of the posts in the dataset

    The dataset also showed more advanced forms of credential enrichment. One actor claimed access to separate email, password, login, phone, and URL:Login collections, and described how those records could be combined.

    For example, a buyer with only an email list could request matching login pairs, or a buyer looking for a specific geography could receive results built from country codes, domains, URLs, cities, and password patterns.

    This further indicates that threat actors are using data best practices (e.g. labeling, slicing), much like ordinary legitimate businesses around the world.

    Customers Feedback Shows a Gap Between Ads and Reality

    Customer feedback indicates that the sellers are over-promising and under-delivering. They claim that some sellers aren’t credible. Some claim that the credentials are invalid, and sellers answer in return that they didn’t ever check if the credentials were valid. Some said that this is the same data that appears in large combo lists published for free across the underground.

    Others claim that these databases contain many duplications (one even claimed that out of 3,000 records only 200 were unique).

    While the concept of large combo lists or aggregated credential files, isn’t new. This service is still something unique that can eventually, if operated correctly,  put a lot of businesses and organizations at risk.

    Developed Alongside the Infostealers Market

    Over the past several years, infostealer families and log marketplaces produced enormous quantities of records that include browser-stored credentials, cookies, autofill data, and device information. These collections are constantly growing and create a challenge for buyers to sort it out for profit.

    The operation to more easily extract value was an opportunity for commercialization. Therefore, a buyer who usually has a specific pinpointed goal can save time and money with this service.

    Comparison Between the “Search Your Target” Market and the IAB Market

    The “search your target” market is often tied to a  general search for an email or business or person, the validity and “freshness” of access isn’t guaranteed, and you are basically paying for search, find, and results. This market partially overlaps with the initial access broker’s (IAB) market.

    When buyers are looking for access to corporate VPNs, SaaS platforms, email accounts, cloud environments, admin panels, or remote access systems, the output can become initial access if these markets overlap.

    Nevertheless, the IAB market is often more expensive, prestigious and serves as a “white glove service” when they sell validated access, which often can bypass MFA, and ultimately  get into an organization.

    What Defenders Should Learn

    The “search your target” market shows that attackers no longer need to manually process massive dumps to find what matters. They can outsource that work to sellers who specialize in turning noisy credential collections into focused target lists. For defenders, the challenge is to identify and close those exposed paths before a buyer turns them into access.

    Flare helps by giving security teams visibility into these underground markets and by monitoring exposed employee credentials, corporate domains, login portals, SaaS applications, and related indicators across deep and dark web sources.

    This allows organizations to detect when their access points appear in credential collections or search-service advertisements, prioritize the most relevant exposures, and respond faster with password resets, session revocation, MFA enforcement, and investigation of possible account misuse.

    Learn more by signing up for our free trial.

    Sponsored and written by Flare.



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleMicrosoft fixes AutoGen Studio flaw that enabled code execution
    Next Article CVE-2026-28496 – FOSSBilling Auth Bypass and Twig SSTI to Unauthenticated RCE | Blog
    admin
    • Website

    Related Posts

    News

    I Have Thoughts About That Kylie Jenner Meta Glasses Ad

    June 30, 2026
    News

    New BioShocking attack manipulates AI browser into data theft

    June 30, 2026
    News

    The OSINT Newsletter – Issue #112

    June 30, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views

    Defending Canada’s Digital Frontier: Combating Phishing, Social Engineering, Ransomware, and Malware

    March 23, 202632 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views

    Defending Canada’s Digital Frontier: Combating Phishing, Social Engineering, Ransomware, and Malware

    March 23, 202632 Views
    Our Picks

    I Have Thoughts About That Kylie Jenner Meta Glasses Ad

    June 30, 2026

    New BioShocking attack manipulates AI browser into data theft

    June 30, 2026

    The OSINT Newsletter – Issue #112

    June 30, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.