Normal view

Kodak Admits Data Breach After ShinyHunters Hack Claims

18 June 2026 at 09:18

Kodak told SecurityWeek it believes there is no threat to its systems or operations as a result of the cybersecurity incident.

The post Kodak Admits Data Breach After ShinyHunters Hack Claims appeared first on SecurityWeek.

AI, jobs, and the next generation

10 June 2026 at 15:00

In 1838, the invention of the camera sparked predictions that photography would make artists obsolete. When the noted French painter Paul Delaroche first saw an early photograph on a metal plate, he declared that “From today, painting is dead!” As he reasoned, why would anyone pay an artist to slowly and laboriously paint a scene when a camera could do the job more accurately, more quickly, and at a lower cost? 

This question has echoed through technological shifts and has resurfaced with intensity in recent weeks, as university students graduated on campuses across the United States. Today’s topic obviously is not photography but the societal impact of artificial intelligence. And as graduates booed the mention of AI during commencement addresses, they have provided a powerful reminder of several important truths. To start, people will insist on having a say in deciding when and how AI is used. 

The student message to tech leaders  

The reactions of this year’s graduates are a powerful wake-up call for the tech sector. Hopefully, leaders across our industry will listen and seek to learn from this reaction. For the past half century, the youngest generation of people and workers has led the way in adopting new digital technologies. A new Microsoft study shows this trend is true with AI. Counties with large college towns and outsized populations between the ages of 18 and 24 have the highest rates of AI adoption in the United States. When people who use a new technology complain about it, we had better take notice. 

It’s perhaps no surprise that college campuses are among the best places to learn about these emerging views firsthand. Over Memorial Day weekend at Princeton University, I found no shortage of discussion and even examples of student action. Graduating seniors have long donned “beer jackets” for celebrations, each class selecting its own unique design. This past year, however, a brief controversy emerged until class officers, responding to a student petition, rejected a popular design because it had been created with the help of AI. In its place, graduates wore jackets labeled both “100 percent cotton” and “100 percent human.” 

The rejection of artificial fibers and artificial intelligence illustrates how human tastes shape market economics even as efficiency and productivity advance. Machines don’t buy products. People do.  

Students and graduates recognize AI’s benefits. But they want to keep AI in its proper place. They rightly believe in the indispensable role of human agency. They want the future to be determined by humans deciding the role of machines, not by machines deciding the role of humans. And they want these decisions to reflect input from a broad community, especially the next generation of the workforce, rather than just a narrow group of elites. 

Today’s graduates are sending another powerful message as well: the American Dream has always stood for even more than a better job and greater economic opportunity, although that has been at its core. The American Dream has been founded on the dignity of work and the critical role it plays in giving life purpose. Great countries are built on great economies and great jobs. To those in the tech sector who seemingly want to pursue a future where computers replace jobs and AI becomes more capable than people, the next generation of people has offered a compelling response: “not so fast.” 

The ambitions of people 

The good news is that human ambition is irrepressible. It has been almost 300 years since the start of the first industrial revolution, and technology has changed many times over. But there is more human creativity at work in the world today than ever before. 

A trip to an art museum shows this is true even for the impact of the camera on painting. The invention of the camera initially led to a decline in portrait painting. But even that made a comeback. More remarkable was the way accurate photos spurred new forms of artistic expression. By the 1870s, photography’s “artificial eye” led a new generation of artists to portray emotion rather than detail. Impressionist artists captured the effects of light, color, and atmosphere in ways that a camera shutter could not. New artistic movements followed – Post-Impressionism, Fauvism, Cubism, and Surrealism – and continue today, expanding what it means to be an artist. As it turns out, few things are as resilient as human creativity. 

In 1986, I insisted on having a computer on my desk before I accepted a job at a leading law firm in Washington, D.C. For most of the past 40 years, I’ve been part of the tech sector – first as an outside lawyer, then a Microsoft attorney, and since 2001, in the company’s leadership ranks. I’ve long been an informal “liberal arts representative” among a group of extraordinary computer scientists and engineers.  

As I’ve followed technologists across our industry, I’ve often marveled at their vision, intellectual dexterity, and engineering prowess. But I’ve also seen many insightful individuals across the industry repeat two mistakes. First, they frequently overestimate the arrival of new technology, especially the pace of its impact. And even more importantly, they underestimate the capabilities of people. 

Human capability is neither fixed nor finite. Each discovery creates a stronger foundation that enables people to stand taller and reach higher. People have been proving this for millennia. There came a day when people discovered that a horse could run faster than a human. People learned how to ride horses.  

Real causes for concern 

None of this is meant to dismiss the anxiety of today’s graduates. They’re right to raise concerns and ask hard questions, including about AI and its impact on their future. They face multiple headwinds as they enter the job market. This includes AI automation of tasks in current entry-level positions and, especially in the tech sector, corporate pressure to reduce headcount to help pay for AI’s enormous capital expenditures. It also involves other factors, including geopolitical uncertainty, trade tensions, and correction from over-hiring in the early years of the decade. Like a perfect storm, the wind is blowing from multiple directions. 

Today’s graduates have been through a lot. They spent much of their high school years living through a pandemic while studying and socializing at home through a screen. They are digital natives, with all the good and bad that social media, ubiquitous mobile devices, and other technologies have created. Now AI is coming, and they worry that jobs will start to disappear.  

So, what should the next generation – and all the rest of us – do about AI? 

AI in context 

First, we should put AI in context. No one has a crystal ball for the future, but we all can learn from the past. AI is the latest in a list of technologies that will reshape the economy and society. It has become the next “General Purpose Technology,” a term economists apply to technologies that, like electricity, are applied across the economy. Some of these technologies, including ironworking, machine tools, and digital computing, have profoundly reshaped not just job categories but economic power among nations. AI likely will be one of the most important general purpose technologies of the next quarter century. And like previous general purpose technologies, AI will displace some jobs, even as it creates others and changes many of the ways we currently work. 

But it takes time for technology to diffuse across an economy and around the world. There are some who look at the power of AI and predict its massive diffusion in just a few years. It’s always possible that this time will be different, but the world has never previously seen technology diffusion at that pace. The reason is not grounded in technology. It’s people. As Professors Arvind Narayanan and Sayash Kapoor have written, “diffusion is limited by the speed of human, organizational, and institutional change.”  

Put in historical context, broad AI transformation over the next quarter century would itself be remarkable. That pace of change appears to be reflected in Microsoft’s own recent data. Our most recent AI Diffusion Report estimates that 17.8 percent of the world’s working age population currently uses generative AI. The rate in the United States is higher than the global average, but still only at 31.3 percent. And as Professor Narayanan has shown, the impact of new technology across a high percentage of work typically lags well behind this type of initial usage rate.  

As the legendary UCLA basketball coach John Wooden, who led his teams to 10 national championships, advised his players two generations ago, we should “be quick, but don’t hurry.” In other words, we should act quickly and decisively and with preparation and purpose. But we need not – and should not – rush in a way that creates mistakes or panic.  

The key is to think things through. One good way to start is to consider some of the insights that have emerged already. For each of us as individuals. For companies and organizations. And for society.  

The implications for individuals 

In the three-and-a-half years since the release of ChatGPT, one initial insight is profound yet unsurprising. AI often is at its best when we use it to strengthen existing human capabilities and endeavors. In short, people can use AI to make themselves better.  

I see this every day in the work of Microsoft’s AI for Good Lab, which works with non-profits and governments around the world. Firefighters in California are using AI to help spot wildfires more quickly. Legal professionals in Africa are using it to help provide advice to women who don’t have access to a lawyer. Teams in Ukraine are using AI to help identify and remove landmines that threaten civilians. And conservationists around the world are using it to help farmers develop more productive and sustainable agricultural practices. 

There is a clear pattern in these examples. People are acting with ambition. They are using AI not to replace their subject matter expertise but to give it more impact. They are taking their knowledge, passion, and sense of purpose and using AI to help solve problems they care about.  

My colleagues Ryan Roslansky and Aneesh Raman have been focusing on these issues in recent years, based on their longstanding work at LinkedIn. They recently published an important book on the topic, Open to Work: How to Get Ahead in the Age of AI. In my view, it’s the first book that combines a view on where AI is going with practical advice for individuals.  

The more I’ve thought about it, two of their themes are particularly important. The first is for each of us in the workforce today to think about our job not as a title but a bundle of tasks. Their advice is to write down a list of your tasks and put them into three buckets: the bucket of tasks that AI can do; the bucket of tasks that you can do with AI; and the bucket of tasks that humans must do by themselves.  

If almost everything is in the first bucket, then one should think about pursuing a different type of job. But for most people, most tasks fall into the second bucket. In other words, if I can get AI to do the tasks in the first bucket, then I can focus my attention on the second and third buckets and consider how to use AI as a tool to help become more productive and impactful.  

There’s a second insight in the book that is even more important. In an Age of AI, there are perhaps even more opportunities to distinguish ourselves based on the soft skills that are uniquely human. Ryan and Aneesh point to five, all of which start with the letter C – curiosity, creativity, compassion, communications, and courage. Even when AI automates multiple tasks, people must continue to oversee its work. This creates the need for additional human observation and insight. In short, human judgment remains essential. 

All this speaks to one of the questions I hear repeatedly from students and their parents. What should people study to prepare for the future? Call me old fashioned, but I believe people should continue to pursue their passions. Develop expertise in an important field that fascinates you. Keep working hard to master it. At the same time, develop AI fluency so you can use AI to help apply your expertise better than has ever been possible before. This doesn’t mean the future will be easy. It seldom is. But it’s a recipe that will continue to prepare you for success. 

The impact on companies and organizations 

These insights apply as much to organizations as to individuals. After all, employers must thrive for employees to thrive. And successful businesses, like successful individuals, rely on distinctive and often deep expertise – about products, business processes, operating rhythms, and a deep understanding of customers. AI should not replace this foundation; it should strengthen and extend it. 

This can build on where AI technology is going. Organizations can now move beyond chat-based assistants to a network with AI agents that can help employees reason, make decisions, and run workflows across their data and systems.  

Organizations can implement their own AI systems that harness the power of multiple AI models and access their own unique enterprise knowledge. They can strengthen the effectiveness of these systems through AI tools that provide evaluations (“evals”) of a system’s performance and constantly make incremental improvements to it. Like climbing up a hill, each organization can manage an AI system that moves towards better outcomes and higher performance over time. Instead of solely consuming a frontier AI model, organizations can build their own “hill climbing machine” and participate more fully on their own terms in the AI ecosystem. 

By taking this approach, organizations can use AI to accelerate learning rather than replace it. Leaders can use AI to add capabilities inside their organizations, ensuring that their human expertise and judgment remain key competitive differentiators.  

This points to an age-old necessity. Business leaders and individual entrepreneurs must harness the latest technology while protecting their expertise and intellectual property, including through patents, copyrights, and trade secrets. AI adds a new dimension here. The benefits of AI for a business will be short-lived if it transfers and trains someone else’s AI model using a firm’s unique knowledge and expertise. This helps explain why each company needs to develop its own internal AI capabilities and control its own data.  

This is emerging as a critical issue not only for organizations but for today’s graduates, our economies, and even nations. The best way to promote broad economic and job growth is to ensure that every economic sector can harness the power of AI without surrendering its unique expertise. Sovereignty must be preserved not only for countries but for companies. And privacy must be protected not only for individuals but for organizations.  

A broader public conversation 

For individuals and organizations alike, the key is to harness AI’s benefits while preserving timeless human values and economic needs. Given the magnitude of the AI transformation, we’ll need innovative and collaborative efforts that bring the public and private sectors together to help prepare people for success in the Age of AI. This should start with a sobering recognition. The technological, economic, and societal transformations of the past three decades have left too many people behind. We’ll need to try different approaches, built on more shared responsibilities, if we’re going to do better as we move forward.  

Even in a time of fractured public discourse, it will be critical to find more ways to bring more people together to develop common solutions. This requires a big tent with a breadth of perspectives. We need to make room not only for technology companies, employers, and governments, but for non-profits, students, the world’s religions, labor leaders, and workers themselves. As Liz Shuler, the President of the AFL-CIO, said recently, “Who knows best how workplaces function and how work gets done than people who work for a living?” 

Our role at Microsoft 

As a company, we’re committed to playing an active part and constructive role in addressing these issues. We bring not only new technologies and ways of working, but perspective born of experience. For more than 50 years, Microsoft has helped workers and organizations adapt to technological changes, whether in offices, labs, classrooms, or factories. Our mission has been to build products to empower people and organizations to achieve more. And then help them put those tools to work.  

Our experience gives us determination and even a dose of optimism. We remember when people worried that word processing would lead to the end of jobs for people who typed for a living. But what came next – knowledge work and entirely new industries to support the computer age – transformed what “work” was. When spreadsheets automated calculations, people didn’t do less math. They built more sophisticated financial models. When emails made communication instant, people didn’t write less. They communicated more frequently and with more people. When technology increases supply, human ambition often generates more demand. As humans, we don’t plateau. We expand. 

This isn’t just philosophical. It’s our business model. Workers have been Microsoft’s lifeblood from the start. If the world’s people don’t have jobs, then neither do we. And if we’re not doing our part to help people use technology to pursue better jobs, then we’re not doing the job we were born to do. 

Heeding the next generation’s call 

This context shapes our reaction to recent commencement ceremonies. Graduating students who grimace or even boo at references to AI are telling us what we need to hear, that it’s time once again to raise the bar. That has been a frequent refrain from students for decades. The key is always to channel uncertainty into purposeful steps that build a better future. Across the tech sector and in business, non-profits, and government, we can do precisely that. 

I would add a second message for today’s graduates: you’re in a unique position to have a positive impact. You’ve lived through significant challenges. While it may feel unfair that the job market is so uncertain, you were made for this moment. Technology is second nature to your generation. Constant change has taught you how to adapt quickly. As AI reshapes how we work, you don’t need to unlearn decades of habits the way some of us do. You are better equipped to move forward.   

Technology will change, but you can stand firmly and speak loudly for values that are timeless. Agency. Ambition. Dignity. All fulfilled through work and technology that gives us purpose.  

Do everything you can to help advance these values.  

The post AI, jobs, and the next generation appeared first on Microsoft On the Issues.

Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk

Blogs

Blog

Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk

Our new guide explores how infostealers are fueling modern identity-based attacks and how organizations can build a proactive defense before stolen access is weaponized.

SHARE THIS:
Default Author Image
June 10, 2026

The New Reality of Identity-Based Threats

A publicly exposed database surfaced in early 2026 containing more than 149 million stolen login credentials. The records were not tied to a single breach or organization. Instead, they had been quietly collected over time from devices infected with information-stealing malware, with each record containing usernames, passwords, session data, and the context needed to use them.

Unlike traditional breach dumps, this data was structured, searchable, and immediately actionable. Credentials were mapped to specific services, session artifacts reflected active logins, and much of the information was recent enough to enable direct access without triggering traditional security controls.

This incident reflects a broader shift in the threat landscape.

More than 11.1 million devices were infected with infostealers last year, fueling a supply of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other forms of identity data now circulating across illicit markets.

11.1 million infected hosts and devices
3.3 billion stolen credentials
Top 5 most prolific infostealers in 2025 (by infected hosts or devices):
Lumma
Acreed
Rhadamanthys
Vidar
StealC
Top 6 countries affected by information-stealing malware, 2025:
India
Brazil
Indonesia
Vietnam
Phillipines
United States

For security teams, the challenge is no longer simply detecting a breach after it occurs. It is understanding when access may already exist — where compromised credentials are circulating, how they are being used, and how quickly they can be weaponized.

That’s why Flashpoint created Identity Is the New Attack Surface: A Guide to Infostealers and Proactive Defense.

Drawing on Flashpoint’s Primary Source Collection (PSC) and analyst-driven intelligence, this guide helps IT, Threat Intelligence, Fraud, and HUNT teams understand how infostealers operate, how stolen identity data fuels real-world attacks, and how organizations can move from reactive response to proactive defense.

The guide explores:

  • How today’s most active infostealers power modern attack chains
  • How threat actors weaponize stolen credentials, cookies, and session data
  • How organizations can operationalize infostealer intelligence for proactive defense
  • How to evaluate infostealer intelligence providers and detection capabilities

Why Identity Has Become the Preferred Attack Surface

For years, security teams focused on vulnerabilities, malware delivery, and network intrusion as the primary paths to compromise. Increasingly, however, threat actors are taking a different

Modern infostealers such as Lumma, StealC, Vidar, Acreed, and Rhadamanthys provide attackers with something more valuable than initial access: usable identity. These malware families collect credentials, browser artifacts, session cookies, application data, and host metadata that help threat actors understand how a victim authenticates and what systems they can access.

A single infected device can expose credentials, browser artifacts, session cookies, application data, host metadata, and access to enterprise SaaS platforms. Together, these artifacts create a detailed profile of how a user authenticates, what systems they access, and how those systems trust that identity.

This is what makes infostealer data so valuable.

For years, organizations have invested heavily in detecting malware, blocking exploits, and hardening infrastructure. Meanwhile, attackers have increasingly shifted to a simpler strategy: logging in with valid identities.

Infostealers have fundamentally changed the economics of access. Threat actors no longer need to compromise a network directly when billions of credentials, session cookies, and authentication artifacts are already circulating in underground ecosystems. The challenge for defenders has risen from preventing compromise to identifying where access already exists and how quickly it can be weaponized.

Ian Gray, Vice President of Intelligence at Flashpoint

Identity data is inherently reusable. A stolen credential can be tested across multiple services. A session cookie can potentially allow attackers to hijack authenticated sessions. Browser and host metadata can help threat actors recreate a victim’s environment and bypass security controls designed to detect suspicious logins.

What begins as a single infection can quickly evolve into access across multiple systems, applications, and organizations.

What Is an Identity-Based Attack?

Identity-based attacks occur when threat actors use legitimate credentials, session cookies, authentication tokens, or other identity artifacts to gain access to systems and applications. Rather than exploiting a vulnerability or deploying malware inside a target environment, attackers authenticate as trusted users using stolen identity data.

This shift is one of the primary reasons infostealers have become so valuable. Modern infostealer logs often contain far more than usernames and passwords. They may also include browser cookies, session information, host metadata, application data, and other artifacts that help attackers understand how a user authenticates and what systems they can access. When combined, this information enables account takeover, fraud, lateral movement, and other forms of identity-based abuse.

From Credential Theft to Identity Exploitation

The way threat actors operationalize stolen data is evolving just as rapidly as the data itself.

Historically, attackers often had to manually review stolen credentials and determine which accounts were worth pursuing. Today, that process is increasingly automated.

Infostealer logs can be aggregated, tested, and prioritized at scale, allowing threat actors to rapidly identify valid access across enterprise systems, SaaS platforms, VPNs, and cloud environments.

Flashpoint identifies this as a hybrid threat: the convergence of large-scale identity compromise and automated exploitation.

Once valid access is identified, attackers can move quickly. Credentials may be reused across services. Session data can be leveraged for account takeover. Access can be sold to ransomware operators, fraud actors, or other criminal groups. In many cases, exposure itself becomes part of the attack lifecycle rather than merely a precursor to it.

The result is a threat landscape where stolen identity data is not simply stored and sold. It is continuously tested, validated, reused, and operationalized.

Turning Exposure Into Actionable Intelligence

For defenders, prevention remains important. But prevention alone is no longer enough.

Organizations must also be able to identify when credentials, session cookies, and other identity artifacts have already been exposed and are circulating within underground ecosystems.

The earliest opportunity to intervene is often after data has been exfiltrated but before attackers have successfully operationalized it.

Achieving that visibility requires more than traditional breach feeds or aggregated datasets.

Flashpoint’s Primary Source Collection approach provides direct visibility into the forums, marketplaces, Telegram channels, malware repositories, and illicit communities where infostealer activity originates. Rather than relying solely on recycled breach data, Flashpoint continuously collects from the environments where stolen identity data is first shared, sold, and operationalized.

However, collection alone is not enough.

Raw infostealer logs are noisy, fragmented, and difficult to operationalize at scale. Flashpoint transforms these logs into structured intelligence through a multi-stage workflow that includes:

  • Source ingestion from underground ecosystems
  • Normalization and de-duplication of collected data
  • Automated parsing and enrichment of credentials, cookies, host metadata, and malware attribution
  • Structured output that supports alerts, investigations, and integrations across existing security workflows

This process helps defenders understand not only what was exposed, but who may be affected, how exposure occurred, what systems may be at risk, and how quickly action is required.

Building a Proactive Defense Across the Identity Layer

The rise of infostealers has fundamentally changed how organizations should think about attack surface management.

The attack surface is no longer limited to infrastructure, endpoints, or internet-facing applications. It now includes the digital identities of employees, partners, vendors, and customers.

Security teams need visibility into the identity layer itself — understanding where exposure exists, how attackers are leveraging stolen data, and what actions should be taken before access is exploited.

By combining direct visibility into underground ecosystems with structured, actionable intelligence, organizations can identify compromised accounts earlier, uncover infection trends, prioritize response efforts, and reduce the likelihood of downstream compromise.

Download Identity Is the New Attack Surface: A Guide to Infostealers and Proactive Defense to learn how your organization can build a proactive defense program across the identity layer.

Key Infostealer Statistics

According to Flashpoint research:

  • More than 11.1 million devices were infected with infostealers in the last year.
  • Over 3.3 billion credentials, session cookies, cloud tokens, and identity artifacts are circulating across illicit markets.
  • Flashpoint analysts identified 30+ active infostealer strains being sold across underground ecosystems.
  • Flashpoint’s credential database contains 48+ billion credentials, including more than 1 billion tied to infostealer activity.
  • More than 4.2% of infostealer-exposed credentials include browser cookies that may support session hijacking.
  • Flashpoint can collect and parse some infostealer logs within one to two days of infection.

Frequently Asked Questions (FAQ)

FAQ: Infostealers and Identity-Based Threats

What is an infostealer?

An infostealer is a type of malware designed to collect sensitive information from an infected device. Depending on the strain, this can include usernames and passwords, browser cookies, session tokens, saved payment information, cryptocurrency wallets, system metadata, and other identity-related artifacts.

How do infostealers work?

Infostealers infect a victim’s device and collect information such as credentials, browser data, session cookies, autofill information, cryptocurrency wallet data, and system metadata. The stolen information is packaged into files known as infostealer logs, which can then be sold, shared, or operationalized by threat actors.

What information can infostealers steal?

Depending on the malware family, infostealers can collect usernames and passwords, session cookies, authentication tokens, browser history, saved payment information, cryptocurrency wallet data, system information, installed applications, and other identity-related artifacts. The goal is to provide attackers with enough information to access accounts and impersonate legitimate users.

What are the most common infostealers?

The infostealer ecosystem changes rapidly, but Flashpoint analysts currently track strains such as Lumma (also known as LummaC2/Remus), StealC, Vidar, Acreed, and Rhadamanthys among the most prominent malware families driving credential theft and identity-based attacks.

Why are infostealers so dangerous?

Infostealers provide attackers with more than credentials. Modern infostealer logs often contain the context needed to use stolen data, including session information, browser artifacts, and device metadata. This allows threat actors to perform account takeovers, move laterally within environments, and gain access to business-critical systems. According to Flashpoint’s 2026 Global Threat Intelligence Report, more than 11.1 million devices were infected with infostealers last year, contributing to a pool of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other identity artifacts.

What is an infostealer log?

An infostealer log is a package of data collected from an infected device. Logs may contain credentials, cookies, browser data, application information, host metadata, and other artifacts that help attackers understand how a victim authenticates and what systems they can access.

Can infostealers bypass multi-factor authentication (MFA)?

In some cases, yes. While multifactor authentication remains a critical security control, stolen session cookies and authenticated session data can sometimes allow threat actors to hijack existing sessions without needing to complete the MFA process themselves. Flashpoint found that more than 4.2% of infostealer-exposed credentials in its dataset were associated with browser cookies, highlighting the growing importance of session-based risk.

How do threat actors obtain infostealer logs?

Infostealer logs are frequently bought and sold across illicit marketplaces, forums, Telegram channels, and other underground communities. Many are distributed through Malware-as-a-Service (MaaS) offerings that make infostealer capabilities accessible to a wide range of threat actors. Flashpoint analysts identified more than 30 unique infostealer strains actively offered for sale across underground ecosystems.

How can organizations detect credential exposure from infostealers?

Organizations can monitor underground sources where stolen data is shared and sold, identify exposed credentials associated with their domains, and investigate related artifacts such as cookies, host metadata, and malware attribution. The earlier exposure is identified, the greater the opportunity to remediate before attackers operationalize access. Flashpoint collects and parses some infostealer logs within one to two days of infection, helping organizations detect exposure closer to the point of compromise.

What should organizations do if employee credentials appear in an infostealer log?

Organizations should immediately assess the scope of exposure, reset affected credentials, invalidate active sessions, review authentication activity, investigate the infected device, and determine whether additional accounts or systems may have been impacted.

How is Flashpoint’s approach to infostealer intelligence different from traditional breach monitoring?

Many organizations rely on aggregated breach feeds or credential dumps that may be weeks or months old by the time they are discovered. Flashpoint’s Primary Source Collection (PSC) approach provides direct visibility into the forums, marketplaces, Telegram channels, and underground communities where stolen identity data is first shared, sold, and operationalized.

In addition to collecting raw infostealer logs, Flashpoint parses and enriches the data with context such as malware attribution, session cookies, host metadata, browser artifacts, and affected identities. Today, Flashpoint’s credential database contains more than 48 billion credentials, including over 1 billion tied to infostealer activity, providing organizations with actionable intelligence rather than raw exposure data.

Request a demo today.

The post Identity Is the New Attack Surface: How Infostealers Are Reshaping Enterprise Risk appeared first on Flashpoint.

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

Blogs

Blog

Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure

As part of our ongoing series, we focus on the shared infrastructure that fuels threat actors; the intersection of mainstream social media, open-source messaging platforms, and gaming communities.

SHARE THIS:

Threat actors and their illicit communities do not exist in a vacuum. To scale their operations, coordinate financial fraud, deploy malware, and recruit new talent, threat actors must interface with the broader digital world. This means leveraging everyday, public digital spaces to facilitate illicit activity, effectively hiding in plain sight.

The Clearnet Threat Landscape: Hiding in Plain Sight

When conceptualizing the cybercriminal underground, it is easy to focus exclusively on Tor-based onion sites or restricted-access dark web forums and marketplaces. However, a massive portion of modern illicit activity thrives on the clearnet. Threat actors heavily utilize commercial social media and public messaging networks to coordinate fraud, deploy malware, and run public relations campaigns for their operations.

At first glance, conducting illicit operations on highly monitored, mainstream platforms seems counterintuitive. However, the massive, continuous volume of legitimate traffic on the clearnet provides a form of operational security. By blending into the noise, threat actors can maintain a highly accessible digital presence. This visibility is crucial for their business models: it allows them to maintain a low barrier to entry for potential recruits and targets who know exactly what markers to look for, or who are systematically funneled into these spaces.

How Threat Actors Weaponize Consumer Platforms

The misuse of mainstream communication tools has changed how threat actors interact. Rather than waiting for users to seek out the dark web, cybercriminals are actively meeting their targets or co-conspirators on platforms designed for daily socialization.

Discord

Originally built to connect gaming communities, Discord’s rapid growth and robust infrastructure have inadvertently made it a target for malicious activity. Cybercriminals treat the platform as a multi-functional tool for both technical infrastructure, social engineering, and radicalization.

On a technical level, advanced persistent threats (APTs) and other threat actors exploit Discord’s content delivery network (CDN) to host and distribute malware. Because traffic to Discord domains is generally trusted by corporate networks, threat actors can potentially use it to deliver payloads—such as infostealers and remote access trojans (RATs)—bypassing standard security perimeters.

Beyond hosting malware, extremist groups across various ideological spectrums often target the platform’s demographic, which skews heavily towards younger tech-savvy users. This group provides an impressionable pool of adolescents who may be susceptible to grooming, indoctrination, and recruitment into illicit operations.

Case Study: The Targeting and Recruitment Mechanics of “The Com”

While monitoring The Com, Flashpoint analysts have observed the systematic use of platforms like Discord, Roblox, and Minecraft to run predatory extortion pipelines. The mechanics of this ecosystem takes place through a multi-phase methodology:

  1. Platform Scouting: Recruiters patrol servers on popular youth-centric gaming platforms, such as Discord, Roblox, and Minecraft. They look for minors showing signs of social isolation, depression, disordered eating, or a desire to belong.
  2. Building Trust and “Love Bombing”: Initial engagements are seemingly harmless. However, trust is built quickly to establish a sense of indebtedness. Recruiters offer gifts such as in-game perks/currency, premium subscriptions, or other digital items. In some cases, a romantic facade is used to establish a connection. In either scenario, “love bombing” creates an immediate feeling of psychological obligation in the target.
  3. Platform Migration: Once rapport is established, the recruiter moves the target away from the game and into an encrypted app or private Discord server, following a public-to-private strategy. By moving the interaction away from the original platform’s safety controls, the recruiter can isolate the target in a more controlled environment.

Once isolated, perpetrators coerce victims into sending sensitive imagery or CSAM. This material is immediately compiled and weaponized as leverage for blackmail via doxxing. This creates a severe psychological trap in which the victim feels compelled to partake in escalating illegal activity to keep their previous actions hidden. This drives the victim to transition from a victim into an aggressor to escape their own abuse.

Telegram

While many social media and messaging platforms can serve as an initial funnel for engagement, Telegram has been known to be used from time to time as an operational hub for the broader illicit ecosystem. Since the arrest of Pavel Durov, Telegram has begun working more closely with law enforcement, leading to several key arrests and major disruptions due to their cooperation. 

The platform occupies a unique space in threat intelligence and open source intelligence (OSINT). While the vast majority of its user base is entirely benign, its minimal moderation policy and robust channel architecture have made it vital to public and private intelligence gathering.

Telegram functions as an open marketplace and real-time coordination center for a vast spectrum of threat actors. Flashpoint has observed it being used by:

  1. State-sponsored APT groups and hacktivists
  2. Geopolitical actors and mercenary groups distributing battlefield intelligence and propaganda
  3. Cybercriminal syndicates coordinating financial fraud schemes, check fraud, and the sale of compromised data.

Furthermore, threat actors routinely use other public-facing platforms like X (formerly Twitter) alongside Telegram to amplify their impact. They leverage the broad reach of social media to broadcast proof of their compromises, hype up ransomware leaks, and exert public pressure on corporate victims during extortion cycles. Concurrently, Telegram often acts as the backend repository where the stolen data is hosted, discussed, and monetized.

Monitor the Clearnet Using Flashpoint

The evolution of illicit ecosystems demonstrates that the lines between the dark web and the clearnet have intersected. Whether analyzing the activities of extremist and threat actor groups or tracking the predatory pipelines of The Com, defenders must look beyond traditional intelligence sources.

Because malicious actors rely heavily on consumer messaging apps and social platforms to coordinate attacks, leak data, and target people, monitoring these public-to-private pipelines is an essential component of threat intelligence. Uncovering these physical and cyber threats requires best-in-class threat intelligence and OSINT investigations capable of parsing the massive noise of the clearnet to find the signals of illicit coordination.

Request a demo to see how Flashpoint empowers security teams to monitor these decentralized threat landscapes to proactively protect their critical assets.

Check out the rest of our “Understanding Illicit Ecosystems” series:
Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”
Understanding Illicit Ecosystems: XSS and the Current State of the Russian-Speaking Underground

See Flashpoint in Action

The post Understanding Illicit Ecosystems: Weaponizing Mainstream Apps and Social Infrastructure appeared first on Flashpoint.

❌