SOCRadar® Cyber Intelligence Inc. | 20 Stealer Log Statistics You Need to Know in 2025
Oct 28, 2025

20 Stealer Log Statistics You Need to Know in 2025

Stealer logs are a common tool used by cybercriminals to collect sensitive data from infected devices. These logs often contain login credentials, cookies, browser history, and other personal information. In recent years, they’ve become a key part of the cybercrime ecosystem, especially in credential theft and account takeover attacks.

In this blog, we’ll walk through 20 important statistics about stealer logs.

Stolen credentials are already for sale; are you monitoring for them? Stealer malware harvests login data daily, creating invisible attack vectors that bypass traditional defenses. Our Identity & Access Intelligence module continuously scans for compromised credentials.

Stealer Logs and the Ransomware Connection

The first signs of how dangerous stealer logs are come from their link to ransomware. Logs don’t just sit in underground forums; they actively enable ransomware operators by providing initial access.

  1. According to Verizon’s 2025 DBIR, more than half of ransomware victims had their domains listed in stealer logs, linking these logs with high-impact attacks.
  2. Supporting the previous connection, IBM reported an 84% year-over-year increase in phishing emails delivering infostealers, helping threat actors scale credential theft with minimal effort.
  3. IBM reports that identity-based attacks account for 30% of all security breaches. For the second consecutive year, threat actors have increasingly favored covert, long-term attack strategies, with valid account usage detected in almost one-third of incidents analyzed by X-Force. The rise in phishing campaigns that deploy infostealer malware and harvest credentials drives this pattern, potentially linked to attackers using artificial intelligence to expand their operational scale.
  4. 40% of ransomware incidents involved corporate email credentials. Access to corporate email accounts provides threat actors with a reliable foothold for privilege escalation, insider reconnaissance, and the initiation of ransomware attacks.

Verizon’s 2025 DBIR shows that Basic Web Application Attacks, primarily leveraging stolen credentials, account for a staggering portion of breaches.

  1. According to the report, 88% of breaches involve the use of stolen credentials. Credential theft continues to be the primary method of compromise, outpacing even zero-day exploitation in real-world attack scenarios.

Enterprise Exposure and High-Value Systems

Stealer logs are not limited to personal devices; they also expose enterprise systems, unmanaged endpoints, and critical servers. This combination makes organizations especially vulnerable.

  1. 30% of compromised systems were enterprise-licensed.
  2. 46% of systems with corporate credentials were non-managed devices. Threat actors exploit vulnerabilities in BYOD and personal devices, where security controls are often weaker compared to managed corporate assets.
  3. 34% of Windows versions found in stealer logs were Enterprise editions or servers. The exposure of high-value systems, including outdated Windows XP servers, poses significant risks to organizational resilience and critical infrastructure.

Overlap Between Stealer Logs and Ransomware Victims

Researchers found a direct operational connection between ransomware incidents and prior stealer log exposure. By cross-referencing ransomware extortion sites with infostealer marketplaces, the overlap became clear.

  1. 54% of ransomware victims had domains exposed in stealer log marketplaces. The operational link between stolen credentials and ransomware deployment is clear, demonstrating how stealer logs directly enable broader network compromise.

Analysis from Verizon’s 2025 DBIR shows a strong operational connection between stealer log exposure and ransomware incidents.

By cross-referencing victims listed on ransomware extortion sites with known infostealer marketplaces, it was found that:

  1. 54% of ransomware victims had their domains appear in stealer logs, and 40% of these cases involved the compromise of corporate email credentials.

Popular Domains and the Scale of Data

In our article, Stealer Logs: Everything You Need to Know, we analyzed stealer logs by focusing on the most visited domains globally, highlighting how the malware intercepts user traffic and captures credentials transmitted across these popular sites.

Popular domains observed in the logs: live.com, amazonaws.com, doubleclick.net, amazon.com, googleapis.com, googlevideo.com, youtube.com, googleusercontent.com, facebook.com, tiktokcdn.com, instagram.com, akamai.net, gstatic.com, fbcdn.net, akadns.net, googlesyndication.com, cloudflare.com, whatsapp.net, icloud.com, ntp.org
  1. The top 5 among these domains are as follows:

Top 5 Domains in stealer logs

Detailed inspection of leaked stealer log datasets reveals alarming figures.

Overview look of the leaked credentials

  1. 12.3 million domains and nearly 5.9 million URLs tracked. Attackers can use harvested domain and URL lists to map potential targets, conduct large-scale phishing campaigns, or develop targeted exploits based on frequently accessed web applications.
  2. 1.34 million email addresses collected. Collected emails serve as valuable assets for credential stuffing, spamming, phishing, and BEC (Business Email Compromise) attacks, significantly expanding the attack surface.
  3. 534,320 password hashes recorded. Many password hashes are likely weakly protected using outdated algorithms like MD5 or SHA-1, making them vulnerable to cracking via rainbow tables, dictionary attacks, or brute-force methods. Successful cracking can expose plaintext credentials and enable privilege escalation.
  4. 136,348 credit card BINs (Bank Identification Numbers) identified. Exposed BIN data allows threat actors to determine issuing banks, card types, and regions, facilitating tailored financial fraud strategies such as carding operations and social engineering attacks against specific financial institutions.
  5. The victim country distribution reveals a clear concentration of affected users in emerging markets, with Brazil leading at 9.51%, followed by India (7.93%) and Indonesia (4.30%). These regions may be particularly vulnerable due to a combination of high internet usage growth, limited cybersecurity awareness, and less stringent digital protection infrastructures.

Distribution of Stealer Logs by Victim Country
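The two analyses above, cross-referencing ransomware victims against stealer-log exposure and counting what a leaked dataset contains (domains, URLs, e-mail addresses, password hashes), are the kind of triage a defender runs against its own domain list. The following script is an added example, not SOCRadar's code and not a real dataset: it parses constructed stealer-log lines in the widely used `url:login:password` layout (an assumption; real dumps vary), counts domains, URLs and e-mail logins, classifies secrets by shape (plaintext versus MD5-, SHA-1- or bcrypt-shaped), flags records tied to a monitored organisation (`example-corp.com` is a constructed stand-in), and computes the lag in days between a log sighting and a later ransomware posting.

```python
"""Defender-side triage of constructed stealer-log lines (added example, not SOCRadar's code).

Assumptions: lines follow the ``url:login:password`` layout; SAMPLE_LOG and
``example-corp.com`` are constructed for this example only.
"""
import re
from collections import Counter
from datetime import date
from urllib.parse import urlsplit

# Constructed sample: corporate, third-party and mobile-app records, plaintext and
# hash-shaped secrets, a password containing ':' and one junk line.
SAMPLE_LOG = """\
https://mail.example-corp.com/owa:alice@example-corp.com:Winter2024!
https://vpn.example-corp.com/login:bob:5f4dcc3b5aa765d61d8327deb882cf99
https://www.facebook.com/login:carol@gmail.com:hunter2
android://com.bank.app/:dave:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
https://portal.partner-inc.net/:erin@partner-inc.net:da39a3ee5e6b4b0d3255bfef95601890afd80709
not a credential line
https://live.com/:frank@example-corp.com:Password1
https://sso.example-corp.com/:grace@example-corp.com:p:ss:w0rd
"""

# url = scheme://host[:port]path, login holds no ':', secret keeps any ':'.
# Limitation: a numeric login on a path-less URL is ambiguous with a port.
LINE_RE = re.compile(r"^(?P<url>\w+://[^\s:]+(?::\d{1,5})?[^\s:]*):(?P<login>[^:]*):(?P<secret>.*)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_line(line):
    """Return {'url','host','login','secret'} for a credential line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = (urlsplit(m["url"]).hostname or "").lower()
    if not host:
        return None
    return {"url": m["url"], "host": host, "login": m["login"], "secret": m["secret"]}


def parse_log(text):
    """Parse every line, skipping lines that do not fit the layout."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def classify_secret(secret):
    """Classify a stored secret by shape only (a 32-hex plaintext would be misread)."""
    if secret.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if HEX_RE.match(secret):
        return {32: "md5-shaped", 40: "sha1-shaped", 64: "sha256-shaped"}.get(len(secret), "plaintext")
    return "plaintext"


def exposure_report(records, monitored_domains):
    """Aggregate counts and flag records tied to the monitored domains.

    A record is an exposure when its host is a monitored domain (or a subdomain)
    or when the login is an e-mail address on a monitored domain; the latter on a
    non-monitored host is the 'corporate e-mail used on a third-party site' case.
    """
    monitored = {d.lower() for d in monitored_domains}

    def is_monitored(name):
        return any(name == d or name.endswith("." + d) for d in monitored)

    hosts, urls, shapes = set(), set(), Counter()
    emails = 0
    exposed_hosts, third_party = set(), []
    for r in records:
        hosts.add(r["host"])
        urls.add(r["url"])
        shapes[classify_secret(r["secret"])] += 1
        login_domain = r["login"].rpartition("@")[2].lower() if "@" in r["login"] else ""
        if login_domain:
            emails += 1
        host_hit = is_monitored(r["host"])
        login_hit = bool(login_domain) and is_monitored(login_domain)
        if host_hit or login_hit:
            exposed_hosts.add(r["host"])
        if login_hit and not host_hit:
            third_party.append((r["host"], r["login"]))
    return {
        "unique_domains": len(hosts),
        "unique_urls": len(urls),
        "emails": emails,
        "secret_shapes": dict(shapes),
        "exposed_hosts": sorted(exposed_hosts),
        "third_party_corporate_logins": third_party,
    }


def exposure_lag_days(log_seen_iso, ransomware_posted_iso):
    """Days between a domain's first log sighting and its ransomware-site posting."""
    return (date.fromisoformat(ransomware_posted_iso) - date.fromisoformat(log_seen_iso)).days


if __name__ == "__main__":
    for key, value in exposure_report(parse_log(SAMPLE_LOG), {"example-corp.com"}).items():
        print(f"{key}: {value}")
    print("lag days:", exposure_lag_days("2025-03-01", "2025-03-03"))
```

On the sample, the report flags the three corporate hosts plus `live.com`, because `frank@example-corp.com` reused a corporate e-mail on a third-party site; that record is the one the page's "corporate email credentials" statistic is about, and it warrants the same password reset and session revocation as a direct hit on the corporate hosts. The secret classifier works on shape alone, which is enough to separate dumps of plaintext passwords from dumps of unsalted fast hashes when deciding how urgently to act.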

  1. Drilling deeper, a breakdown of top domains exposed within the top three victim countries reveals focus areas:

Top Domains in Top 3 Countries

Infostealer Families and Types of Accounts Targeted

  1. IBM X-Force data reveals that Lumma dominates the infostealer marketplace with significantly more listings than any competitor. RisePro ranks second, with Vidar, Stealc, and RedLine following in the top five. Individual listings often bundle hundreds of stolen credentials together.

Top five infostealers according to IBM

  1. A majority of ransomware victims had their credentials exposed in infostealer logs shortly before the attack, with the most common timing being just 2 days prior. This highlights a strong link between stealer infections and later ransomware deployment, suggesting that infostealer logs are often used as a precursor for targeted ransomware operations.

Distribution of difference in days between ransomware posting and infostealer log discovery (n=503 – each dot is 2.52 ransomware victims) - Source: Verizon

  1. Social media, gaming, and streaming accounts are the most frequently captured credentials across all stealer log sources, with social media credentials appearing in over 60% of logs. In contrast, sensitive platforms like banking and crypto sites show much lower capture rates, indicating that infostealers more often compromise everyday online services than high-security financial platforms.

Types of captured website credentials across different infostealer log sources (n=33,933) - Source: Verizon

These findings underscore that stealer log exploitation is not confined to isolated incidents. It represents a global-scale threat, systematically impacting users, businesses, and digital ecosystems across borders.

Understanding how stealer logs work helps us better protect ourselves and our organizations. These 20 facts show just how widespread and dangerous this threat can be. Whether you’re in security or just want to stay informed, keeping an eye on trends like these is essential.

Stay aware, stay secure.