A Glimpse into the “Search Your Target” Market for Stolen Credentials
Home<br>News<br>Security<br>A Glimpse into the “Search Your Target” Market for Stolen Credentials
A Glimpse into the “Search Your Target” Market for Stolen Credentials
Sponsored by Flare
June 22, 2026
10:05 AM
Threat actors are increasingly turning massive infostealer-derived credential collections into searchable underground services, allowing buyers to request credentials for a specific company, platform, domain, geography, or account type.
Flare researchers analyzed 470 underground forum posts published between January 2025 and June 2026, across different sources, related to actors offering to search for and extract stolen credentials from their databases. The dataset included advertisements, reposts, buyer feedback, pricing references, and disputes around quality and validity.
The findings show a dedicated service layer sitting between infostealer infections, raw logs trading and account takeover activity. The profile of the threat actors who offer these services is divided between the Malware-as-a-Service (MaaS) providers and the MaaS consumers.
In many cases, they function as credential brokers or data processors, monetizing the vast number of logs and their ability to search, filter, format, and deliver targeted results from large stolen credential collections.
Key Points
Analysis of 470 underground posts illustrates a pinpointed service that offers targeted extraction, filtering, deduplication, formatting, and freshness, from large infostealers databases containing tens of billions of lines. It is functioning as an alternative to combo lists, where instead of purchasing a bulk dump, buyers query a seller's existing data and receive only the results that match their target.
The market overlaps with the Initial Access Broker (IAB) ecosystem, but is not identical to it, when the common output formats included URL:LOGIN:PASS, MAIL:PASS, LOGIN:PASS, PHONE:PASS, MAIL:PHONE, and MAIL:LOGIN.
Interestingly buyer feedback showed there’s a gap between what is advertised and the actual results in terms of in reality the volume is lower, the credentials are often invalid, duplicated and generally usable.
How Does the “Search Your Target” Service Work
The “search your target” market sits in the middle of the account takeover chain.
First, infostealers infect devices and collect credentials, cookies, autofill data, and browser artifacts. Then logs are aggregated and inserted into private clouds, ULP databases, public dumps, or exchange-based collections. Next, the “search-service” threat actors extract rows based on buyers' requests. Buyers then validate the credentials and use them for account takeover, fraud, spam, phishing, crypto theft, or corporate intrusion.
This means the sellers in this dataset are often neither the first nor final step. They are the processing layer that turns stolen credential noise into targeted attack material.
Figure 1 – the "search your target" flow
From a threat intelligence framework perspective, this service model represents a practical example of T1589.001 (Gather Victim Identity Information: Credentials), where adversaries actively research and acquire credentials prior to exploitation, and potentially T1650 (Acquire Access), given that some sellers deliver results indistinguishable from direct access provisioning.
Supply-Chain Attacks Have an Underground Paper Trail
From GitHub access sales to leaked vendor repositories, the warning signs exist — they're just buried in forums and marketplaces most teams aren't watching.
Flare surfaces them before they become incidents.
Start Monitoring for Supply-Chain Exposure For Free
The “Search Your Target” Market Economy
Much like in the DDoS market, where the buyer submits a domain and the service provider attacks it, the service is duplicated and offers the same pipeline.
A buyer sends a target
The seller returns matching credentials
That target can be a company domain, login URL, ecommerce site, gaming platform, application, geographic market, or a list of emails. The output is usually delivered in formats such as URL:LOGIN, URL:LOG, MAIL, LOGIN, PHONE, or other combinations depending on the request.
Several sellers in the underground specify the size of their database as a selling point. One actor advertised an “ULP 5kkk+ lines” database (5,000,000,000), quick access within 10–15 minutes, daily updates, and sources that allegedly included private logs, private clouds, personal streams, and public data. Another actor promoted a 10kkk+ line, 1TB+ URL:LOG database, while others claimed access to collections ranging from hundreds of millions to tens of billions of records.
Screenshot taken from Flare's platform.<br>Sign up for the free trial to access if you aren’t already a customer.
The size of the database isn’t the only selling point. Threat actors also...