Hackers Circulate Over 93 Billion Stolen User Cookies on the Dark Web

Web cookies, familiar from the ubiquitous consent pop-ups we routinely dismiss with a click, are small text files stored on your device by websites you visit.

While cookies are essential for a seamless browsing experience—remembering your login, shopping cart, or language preferences—they also serve as powerful tracking tools.

There are several types, each with unique technical implications:

  • First-party cookies are set by the website you’re visiting and typically store session IDs, user preferences, and login credentials. While generally seen as less intrusive, if these cookies are stolen, attackers can hijack accounts or even gain access to corporate networks.
  • Third-party cookies are placed by domains other than the one you’re visiting, often for advertising or analytics, and track your activity across multiple sites.
  • Super cookies and zombie cookies are advanced tracking mechanisms. Super cookies use storage outside the browser (like Flash local storage or HTML5 local storage) and can reappear even after deletion. Zombie cookies are recreated automatically from backup locations, making them almost impossible to remove and a persistent privacy threat.

Technical code snippet for reading cookies in JavaScript:

```javascript
// Accessing all cookies visible to script on the current page.
// Cookies set with the HttpOnly attribute are not exposed here.
console.log(document.cookie);
```

How Cybercriminals Harvest and Exploit Cookies

Recent research by NordStellar, a threat exposure management platform, analyzed 93.7 billion cookies circulating on the dark web.

The findings reveal that most stolen cookies are harvested using malware, specifically infostealers, trojans, and keyloggers.

These malicious programs scan browser cookie storage and send the data to a command-and-control server, often within minutes of infection.

Prominent malware tools identified include:

  • Redline Stealer: Responsible for nearly 42 billion stolen cookies, though only 6.2% remained active.
  • Vidar: Harvested 10.5 billion cookies, with 7.2% still valid.
  • LummaC2: Accounted for over 8.8 billion cookies, 6.5% of which were active.
  • CryptBot: Collected 1.4 billion cookies, but a staggering 83.4% remained active, making it the most effective in terms of valid data.

Stolen cookies are often tagged with keywords like “ID,” “session,” “auth,” and “login,” indicating their potential use for session hijacking, allowing attackers to bypass passwords and even two-factor authentication.

Many cookies also contain personal information such as names, email addresses, locations, and birthdays, which can be exploited for identity theft or targeted phishing attacks.
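From the defender's side, the keywords above identify the cookies worth hardening. The following is an added example, not code from the article or from NordStellar's research: it audits `Set-Cookie` headers whose names contain those keywords for missing `HttpOnly`, `Secure` and `SameSite` attributes and for lifetimes above an assumed 24-hour policy limit. The function names, the limit and the sample headers are constructed for illustration.

```javascript
// Keywords are the ones the article lists; the 24-hour limit is an assumed policy.
// Substring matching is deliberately broad, so expect some false positives.
const SENSITIVE = /(id|session|auth|login)/i;
const MAX_LIFETIME_S = 24 * 60 * 60;

// Parse one Set-Cookie header value into { name, attrs }, attribute names lowercased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const nameEnd = pair.indexOf('=');
  const name = nameEnd === -1 ? pair : pair.slice(0, nameEnd);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1);
  }
  return { name, attrs };
}

// Lifetime in seconds; Max-Age takes precedence over Expires (RFC 6265).
// null means a browser-session cookie with no explicit expiry.
function lifetimeSeconds(attrs, now) {
  if (attrs['max-age'] !== undefined) return Number(attrs['max-age']);
  if (attrs.expires !== undefined) return Math.round((Date.parse(attrs.expires) - now) / 1000);
  return null;
}

// Findings for one header; empty when the name is not session-like or nothing is wrong.
function auditCookie(header, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  if (!SENSITIVE.test(name)) return [];
  const findings = [];
  if (!attrs.httponly) findings.push('missing HttpOnly');
  if (!attrs.secure) findings.push('missing Secure');
  if (!attrs.samesite) findings.push('missing SameSite');
  const life = lifetimeSeconds(attrs, now);
  if (life !== null && life > MAX_LIFETIME_S) findings.push('lifetime exceeds 24h');
  return findings;
}

// Constructed sample headers, not taken from the research data.
const SAMPLE = [
  'session_id=abc123; Path=/; Max-Age=31536000',
  'auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600',
  'lang=en; Path=/; Max-Age=31536000',
];
for (const h of SAMPLE) console.log(parseSetCookie(h).name, auditCookie(h));
```

These attributes do not stop an infostealer that reads the browser's cookie store on disk; against that, a short lifetime that the server also enforces is what limits how long a harvested cookie stays usable.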

Platforms, Geography, and Devices

The research highlights that cookies associated with major platforms like Google (over 4.5 billion), YouTube, and Microsoft (over 1 billion each) are prime targets.

These platforms are attractive due to their integration with multi-factor authentication and access to sensitive data.

Geographically, Brazil, India, Indonesia, and the United States are among the most affected countries.

In Europe, Spain leads with 1.75 billion stolen cookies, while the UK stands out for a high percentage of active cookies (8.3%).

Most cookies are scraped from Windows devices, but attacks on other operating systems are also significant.

Risk Factors Table

| Risk Factor | Description | Severity |
|---|---|---|
| Session Hijacking | Attackers use session cookies to bypass logins | High |
| Identity Theft | Personal info in cookies used for impersonation | High |
| Phishing Attacks | Data enables targeted social engineering | Medium |
| Bypassing 2FA | Cookies mark device as trusted, bypassing extra checks | High |
| Lateral Network Movement | Access to SSO cookies enables broader network attacks | High |
| Financial Data Exposure | Cookies may grant access to banking or payment accounts | Critical |
| Ransomware Deployment | Stolen credentials used to escalate attacks | Critical |

Protecting Yourself: Best Practices

To reduce risk:

  • Reject unnecessary cookies, especially third-party trackers.
  • Regularly clear cookies, particularly after using public devices.
  • Use security tools to block malware and scan downloads.
  • Avoid public Wi-Fi or use a VPN to encrypt your traffic.

Web cookies may seem harmless, but as research shows, they can open the door to significant privacy and security threats if left unguarded.
