European credential theft industry booming as US market sees decline

  • 39% increase in compromised credentials detected in Europe and Russia in 2018
  • Europe-only credential theft success at 62% growth rate
  • Europe and Russia home to half of credential theft victims worldwide (49%)
  • LokiPWS malware family distribution increases over 300% since start of 2017

Today we announced our new report on The Credential Theft Ecosystem. According to Blueliv’s credential detection data, since the start of 2018 there has been a 39% increase in the number of compromised credentials detected from Europe and Russia, compared to the same period in 2017 (January-May). In fact, Blueliv observations conclude that Europe and Russia are now home to half of the world’s credential theft victims (49%).

When Russian credential victims are removed from the dataset, this year-over-year comparison jumps to 62%. The Eurasian growth figures tracked by Blueliv are surprisingly higher than North America’s, which actually recorded a decline by almost half (48%) year over year. These startling increases in cybercriminal success rates suggest that the credential theft industry is growing in the European region both in innovation and scope.

Daniel Solís, CEO and founder Blueliv, said, “All it takes is a single good credential for a threat actor gain access to an organization and cause havoc, so as a European threat intelligence company, we are concerned to see significant credential theft growth rates in our home territory. Our latest special report provides deep insight into the lifecycle of the compromised credential, offering valuable guidance to all levels, from CISOs seeking to protect their business to analysts looking for IOCs to shrink their attack surface. Cybercriminals are constantly improving their weaponry and TTPs – industry collaboration and intelligence-sharing around these is crucial.”

Malware families neck-and-neck

The report also observes some interesting trends in malware families being used to harvest these credentials. Pony, KeyBase and LokiPWS (also known as Loki Bot) have consistently been the most active stealers since the start of 2017, but Pony has always been several lengths ahead of its malware counterparts in terms of popularity. However, since the start of 2018, Blueliv has observed that LokiPWS has been narrowing the gap: the highest number of stealer samples detected by Blueliv’s infrastructure each month has now become a two-horse race between LokiPWS and Pony.

In fact, LokiPWS malware distribution has increased by more than 300% in the past year. More recently, since January to May 2018, there has been a 167% increase in samples classified by Blueliv. Currently, it is possible to purchase LokiPWS from a variety of underground markets as a modular product (stealer, wallet stealer and loader) with prices ranging between $200-400, depending on the desired functionality.

Daniel Solís continued, “According to our analyst team, the number of LokiPWS samples detected implies that its popularity among cybercriminals is increasing. Source code leaks of different versions of in recent years have probably influenced this increase and helped it become one of the fastest-growing credentials stealer families. Pony meanwhile has been active since 2011, and might be experiencing ‘fatigue’ through more successful detection and remediation.”

The report covers in depth:

  • Illicit tactics, techniques and procedures (TTPs) used by cybercriminals to gather credentials;Why credentials are targeted, how they’re used and their value in illegal marketplaces;
  • Methods used to filter, extract and validate credentials;
  • The ways criminals profit from credential theft and how various industries are affected.


This intelligence is part of an ongoing effort to share practical guidance, helping security teams of all sizes access relevant information, implement its value and improve their security posture. Socialising cybersecurity means encouraging parity and fighting cybercrime collaboratively and more effectively.

The Credential Theft Ecosystem report is available to download from the following link:


The Credential Theft Ecosystem

Read free report
Demo Free Trial MSSP