In demand were login credentials of generative AI services, as well as those of gaming platforms aimed at the young.
In a three-year review of credential theft by info stealers, cybersecurity firm Kaspersky has counted more than 36m incidents in its protection ecosystem.
According to the firm, the sale of compromised login credentials occupies a significant part of the Dark Web. Due to the growing popularity of various AI services, their login credentials were most in demand.
Notably, in 2023, when generative-AI chatbots were widely adopted, the number of leaked logins and passwords surged by nearly 33 times, reaching approximately 664,000 in the firm’s user base.
Three-year info stealer trends
According to Yuliya Novikova, Head, Kaspersky Digital Footprint Intelligence, the loss of account login credentials stems from the activity of info stealers, a specialized form of malware designed to steal user credentials for cyberattacks, Dark Web sales, or other malicious activities. “Both personal and corporate devices can be infected by info stealers through phishing emails or websites, public-faced sites with malicious content, and various other means,” she said.
Over the last three years, the following trends were discerned in the firm’s user base:
- Demand for credentials can be analyzed by examining the number of Dark Web posts in which threat actors offer or attempt to buy info stealer log files. The demand for ChatGPT account login details spiked in March 2023 after the release of the fourth version of the popular chatbot. Since then, it has stabilized at the same level as that of other AI services.
- Between 2021 and 2023, almost 34m credentials for Roblox were compromised and posted on the Dark Web, turning the game into a very fruitful target for cybercriminals using info-stealing malware. The number of accounts compromised for this popular children’s game increased gradually each year: over the past three years, the figure rose by 231%, from roughly 4.7m in 2021 to 15.5m in 2023. In general, the average number of compromised accounts across 11 other random popular gaming platforms or games (Twitch, Electronic Arts, Sony PlayStation, and Steam amongst others) has increased by 112% since 2021.
- While there were numerous cases of theft of login credentials for Roblox accounts, these were not the primary goods cybercriminals were seeking. Certain accounts were much more appealing to them: for example, between 2021 and 2023 the number of Dark Web posts selling or buying Steam accounts peaked at approximately 10,000, while advertisements related to stolen Roblox accounts remained under just 150.
- The motive behind such high volumes of credential thefts is to exploit children’s vulnerability, as they are susceptible to various kinds of social engineering. For instance, cybercriminals can hide info stealers in files containing cheat codes to deceive young gamers. In some cases, this deception is convincing, as malicious download links can be posted on legitimate and popular social media platforms. As a result, a significant number of compromised accounts have emerged from a game targeted at children.
Novikova added: “Cybercriminals target game accounts to steal valuable items, such as real money, in-game currency, and various in-game items, such as expensive skins. Steam accounts seem to be more appealing to cybercriminals due to the potential to find and steal real money on them. Roblox accounts can be exploited to steal in-game currency Robux; or to pilfer in-game items; or to gain access to premium accounts that allow items to be transferred to other accounts. While users must exercise caution, platform owners can bolster protection by tracking and promptly blocking compromised accounts through specialized services.”