Underground credential ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
A search-your-target underground service layer is turning stolen infostealer logs into on-demand credentials, raising account takeover and corporate intrusion risk across targeted companies and users. Sellers now let buyers query by company, domain, geography, platform, or account type instead of buying bulk dumps. The market sits between log theft and access abuse, with actors advertising freshness, deduplication, and rapid turnaround while buyer feedback says many results are duplicated or invalid.
Related Happenings
Underground sellers-fraud-oriented sellers alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score: 31
First: 25.03.2026 16:02
Last: 25.03.2026 16:02
Sources 1
About this happening:
A growing underground market for **premium AI platform access** is turning **ChatGPT**, **Claude**, **Microsoft Copilot**, and **Perplexity** access into a tradable black-market c...
Threat actors ecosystem shift changes threat-actor operations
Threat Actor Meta
H score: 26
First: 03.03.2026 17:01
Last: 03.03.2026 17:01
Sources 1
About this happening:
**Compromised cPanel access** is being commoditized in **fraudulent chat groups**, creating a scalable supply of trusted hosting infrastructure for **phishing**, **spam**, and **m...
Jinkusu's Starkiller phishing-as-a-service ecosystem commoditizes account takeover
Threat Actor Meta
H score: 37
First: 20.02.2026 22:00
Last: 20.02.2026 22:00
Sources 1
About this happening:
A new phishing-as-a-service operation tied to **Jinkusu** is proxying real login pages through attacker infrastructure, making **MFA bypass** and account takeover easier for low-s...
Timeline
- 22.06.2026 17:05 · 2 articles · 1h ago
Flare analyzes underground search-your-target credential broker market
Initial Disclosure: Flare analyzed 470 underground forum posts published between January 2025 and June 2026 and identified a growing search-your-target credential-broker market in which sellers search stolen-log databases for specific companies, domains, geographies, or account types and deliver filtered credential results for account takeover, fraud, phishing, crypto theft, or corporate intrusion.
Sources:
- A Glimpse into the “Search Your Target” Market for Stolen Credentials — www.bleepingcomputer.com — 22.06.2026 17:05
- A Glimpse into the “Search Your Target” Market for Stolen Credentials — www.bleepingcomputer.com — 22.06.2026 17:05