Underground “Search Your Target” Sells Tailored Stolen Logins

underground search – A new layer in the stolen-credentials economy lets buyers query massive infostealer dumps for specific companies, platforms, domains, geographies, or account types—then receive filtered results. But a close look at hundreds of forum posts shows a gap between a
By the time a buyer finds the right forum thread, the hard part is already done.
Infostealers have been roaming devices, collecting credentials, cookies, autofill data, and other browser artifacts. Logs are then aggregated and sold onward. The next step—often missing from how the public imagines credential theft—isn’t just dumping everything and hoping it sticks. Increasingly, there’s a dedicated “search your target” service that turns that chaos into something usable.
Flare researchers analyzed 470 underground forum posts published between January 2025 and June 2026. The posts were tied to actors offering to search for and extract stolen credentials from their databases, and included advertisements, reposts, buyer feedback, pricing references, and disputes around quality and validity. The picture that emerges is a marketplace where buyers don’t necessarily purchase a bulk dump. Instead, they send a request and get back only the credentials that match.
The service model sits between infostealer infections, raw log trading, and account takeover activity. Threat actors offering these services are often credential brokers or data processors. They monetize not only the sheer volume of captured logs, but also their ability to search, filter, deduplicate, format, and deliver targeted results from large stolen credential collections.
This “search” layer effectively becomes an alternative to classic combo lists. Where combo lists sell broad dumps, the search-service approach allows buyers to query a seller’s existing data and receive results aligned to a specific target: a company, platform, domain, geography, or account type.
The market overlaps with the Initial Access Broker (IAB) ecosystem, but it’s not the same thing.
Output formats in the dataset included URL:LOGIN:PASS, MAIL:PASS, LOGIN:PASS, PHONE:PASS, and MAIL:PHONE, along with combinations depending on a buyer’s request.
What makes the model especially concerning is how it plugs directly into the account takeover chain. The flow is straightforward: infostealers infect devices and harvest credentials, cookies, autofill data, and browser artifacts. Then logs are aggregated and inserted into private clouds, ULP (URL:LOGIN:PASS) databases, public dumps, or exchange-based collections. Finally, “search-service” threat actors extract rows based on buyers’ requests.
Those buyers then validate credentials and use them for account takeover, fraud, spam, phishing, crypto theft, or corporate intrusion. In other words, the sellers in this dataset are often neither the first nor final step. They’re the processing layer that turns stolen credential noise into targeted attack material.
The economy of requests is built around simple inputs and structured outputs. A buyer submits a target, such as a company domain, a login URL, an ecommerce site, a gaming platform, an application, a geographic market, or a list of emails. The seller returns matching credentials in formats such as URL:LOGIN, URL:LOG, MAIL, LOGIN, PHONE, or other combinations based on the request.
Some sellers put hard numbers in their sales pitches. One actor advertised an “ULP 5kkk+ lines” database (5,000,000,000 lines; “kkk” is underground shorthand for billions) with quick access within 10–15 minutes, daily updates, and sources that allegedly included private logs, private clouds, personal streams, and public data. Another actor promoted a 10kkk+ line, 1TB+ URL:LOG database, while others claimed access to collections ranging from hundreds of millions to tens of billions of records.
Database size wasn’t the only hook. Sellers also marketed capabilities like freshness, formatting, relevance, and search itself. Some promised simple domain extraction. Others offered more customized extraction, for example pulling email accounts for a requested shop, website, app, or game. The underlying message was consistent: attackers weren’t just selling data, they were selling indexed databases and convenient search over them.
One example in the dataset described pricing like this: $20 per request, with additional payment based on the returned results.
The posts also included claims of credential enrichment beyond single rows. One actor said they had separate email, password, login, phone, and URL:Login collections and described how those records could be combined. A buyer with only an email list could request matching login pairs. A buyer looking for a specific geography could receive results built from country codes, domains, URLs, cities, and password patterns. The effect mirrors practices of ordinary businesses: labeling, slicing, and packaging data for reuse.
Yet buyer feedback also exposed a brittle gap between the promise and the product.
The dataset showed over-promising and under-delivering. Some sellers were described as not credible. Some buyers claimed credentials were invalid, and sellers responded by saying they never checked whether the credentials were valid. Others said the data was the same as what appears in large combo lists published for free across the underground.
Several posts pointed to duplication problems. One buyer claimed that out of 3,000 records, only 200 were unique. That’s the kind of mismatch that can turn “search your target” from a shortcut into a time sink—unless the buyer’s goal is less about certainty and more about volume and reuse.
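The search, filter and deduplicate step the sellers advertise is the same operation a defender runs over exposed rows to find their own accounts, and it is where the duplication problem above shows up. The following is an added example, not Flare's tooling or anything from the forum posts: it parses rows in the URL:LOGIN:PASS, MAIL:PASS and LOGIN:PASS formats listed earlier, keeps only rows tied to one target domain (by login URL host or by login email domain; that matching rule is this example's assumption), deduplicates on normalized login and password, and reports how many raw matches collapsed into how many unique credentials. The sample rows are constructed.

```python
"""Defender-side "search your target" over combo-list rows.

Added example. Sample rows below are constructed; the matching heuristics
(URL host or login e-mail domain under the target) are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Row:
    url: Optional[str]   # None for MAIL:PASS / LOGIN:PASS rows
    login: str
    password: str


def parse_row(line: str) -> Optional[Row]:
    """Parse one URL:LOGIN:PASS, MAIL:PASS or LOGIN:PASS row.

    URLs contain ':' themselves ("https://..."), so a URL row is split from
    the right; everything else is split once on the first ':'.
    Returns None for rows that fit neither shape.
    """
    line = line.strip()
    if not line:
        return None
    if line.lower().startswith(("http://", "https://")):
        parts = line.rsplit(":", 2)
        if len(parts) != 3:
            return None
        url, login, password = parts
        return Row(url, login, password)
    parts = line.split(":", 1)
    if len(parts) != 2:
        return None
    login, password = parts
    return Row(None, login, password)


def matches_target(row: Row, domain: str) -> bool:
    """True if the row's URL host or login e-mail domain is `domain` or a subdomain."""
    domain = domain.lower()
    hosts: List[str] = []
    if row.url:
        hosts.append((urlsplit(row.url).hostname or "").lower())
    if "@" in row.login:
        hosts.append(row.login.rsplit("@", 1)[1].lower())
    return any(h == domain or h.endswith("." + domain) for h in hosts)


def search_target(lines: Iterable[str], domain: str) -> Tuple[List[Row], int]:
    """Return (unique matching rows, total matching rows before dedup).

    Dedup key is (lowercased login, password): the same credential seen on
    two URLs or with different login casing is still one exposed secret.
    """
    seen = set()
    unique: List[Row] = []
    total = 0
    for line in lines:
        row = parse_row(line)
        if row is None or not matches_target(row, domain):
            continue
        total += 1
        key = (row.login.lower(), row.password)
        if key in seen:
            continue
        seen.add(key)
        unique.append(row)
    return unique, total


def affected_logins(lines: Iterable[str], domain: str) -> List[str]:
    """Sorted list of distinct logins to reset / revoke sessions for."""
    unique, _ = search_target(lines, domain)
    return sorted({row.login.lower() for row in unique})


# Constructed sample rows in the formats the sellers advertise.
SAMPLE_ROWS = [
    "https://portal.example.com/login:alice@example.com:Winter2024!",
    "https://portal.example.com/login:alice@example.com:Winter2024!",  # verbatim duplicate
    "https://PORTAL.example.com/login:Alice@example.com:Winter2024!",  # same secret, different casing
    "https://mail.example.com/owa:bob@example.com:hunter2",
    "https://shop.other.net/account:carol@example.com:pw123",          # third-party site, corporate e-mail
    "dave@example.com:Summer2024",                                     # MAIL:PASS
    "erin:letmein",                                                    # LOGIN:PASS, no domain to match on
    "https://bank.other.net/login:frank@other.net:qwerty",
    "garbage line without separator",
]

if __name__ == "__main__":
    unique, total = search_target(SAMPLE_ROWS, "example.com")
    print(f"example.com: {total} matching rows, {len(unique)} unique credentials")
    for login in affected_logins(SAMPLE_ROWS, "example.com"):
        print("  reset:", login)
```

Carol's row is kept even though the URL is a third-party shop, because a corporate e-mail used as a login elsewhere is a password-reuse exposure worth a reset; Erin's bare LOGIN:PASS row carries no domain signal and is dropped, which is exactly the kind of row that pads a seller's "3,000 records" count.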
The “search your target” model is also framed by threat intelligence as an example of T1589.001 (Gather Victim Identity Information: Credentials). It describes adversaries researching and acquiring credentials prior to exploitation. It also potentially overlaps with T1650 (Acquire Access) when delivered results are indistinguishable from direct access provisioning.
What defenders should take from this isn’t a single technical trick—it’s the change in workflow.
Attackers no longer need to manually process massive dumps to find what matters. They can outsource the work to sellers who specialize in turning noisy credential collections into focused target lists. For defenders, the challenge is to identify and close the exposed paths before a buyer turns search results into active access.
Flare says it helps security teams by providing visibility into underground markets and monitoring exposed employee credentials, corporate domains, login portals, SaaS applications, and related indicators across deep and dark web sources. The claimed goal is to detect when organizations’ access points appear in credential collections or search-service advertisements, then prioritize exposures and respond faster with password resets, session revocation, MFA enforcement, and investigation of possible account misuse.
The sponsors and the reporting are tied to Flare, but the core takeaway from the forum dataset is broader: a marketplace built on targeted credential queries is working its way into the account takeover pipeline, and it’s doing it with the same cold efficiency buyers expect from any service that promises speed, relevance, and results.
So basically they hacked once and then sell the “search” tool to find the right stuff? Wild.
Wait, I thought stolen logins were just like random dumps. If they can filter by company and geography then doesn’t that mean big breaches are happening constantly? Or is this old data being resold?
Honestly this sounds like the same thing as those “data broker” sites but for passwords. Like if they already have the cookies and autofill info then 2FA wouldn’t even help as much right? Idk I’m confused but it feels worse than “just stealing usernames.”
When they say “search your target” I’m picturing regular people using Google to find accounts lol. But yeah either way it’s messed up. Also who even is “Flare” and why are they posting forum screenshots like that, doesn’t that help the bad guys understand how to buy it?