Brandefense Academy
Your trusted hub for learning, developing, and mastering the skills that shape tomorrow's digital defense.
Discover Now
Your trusted hub for learning, developing, and mastering the skills that shape tomorrow's digital defense.
Discover NowJUNE 11, 2026
From credential dump purchase to account takeover: the complete technical anatomy of infostealers, combo lists, and credential stuffing tools.
A threat actor opens a tab to a dark web marketplace. They search for combolists filtered by a specific corporate email domain. They find a 40,000-line file of verified email-and-password pairs, scraped from five different breach databases and cross-referenced against a recent infostealer log batch. Price: $85. They purchase it with cryptocurrency, download it, and load it into OpenBullet 2.
They configure a config file targeting the corporate SSO portal. They route their traffic through a residential proxy pool of 3 million IPs sourced from a botnet of compromised home routers. They set the thread count to 50 and the delay to 2-8 seconds, randomized. They press start. The tool runs overnight. By morning, it has tested 31,000 credential pairs against the login endpoint. 214 have produced successful logins. Of those, 38 have MFA that was bypassed via session cookie replay from the infostealer component of the original log. The attacker now has 38 confirmed active corporate accounts.
This is not a sophisticated attack. It does not require vulnerability research, zero-day exploitation, or advanced malware development. It requires an $85 purchase, a freely available open-source tool, and a $30/month residential proxy subscription. The entire setup takes less than an hour. The attack runs unattended.
This blog is the complete technical anatomy of that attack: where credentials come from; how combolists are assembled, filtered, and priced; how credential stuffing tools work at the technical level; how attackers evade detection; what happens after successful validation; and what detection signals each phase creates.
| 193B credential stuffing attempts recorded in a single year across major online platforms | 70% password reuse rate among users exposed in multiple breaches; the foundation of every stuffing campaign | 0.5-2% typical success rate per stuffing campaign; at 10 million attempts this produces 50K-200K valid accounts | $85 typical cost of a filtered 40K-line corporate combolist; no technical skill required to deploy |
The credential supply that feeds account takeover campaigns originates from four distinct sources. Each source produces different credential types with different characteristics, different freshness levels, and different exploitation patterns. Understanding the source determines the appropriate detection and response strategy.
Data Breaches: The Legacy Supply When a service is breached and its user database is exfiltrated, that database eventually reaches dark web markets. Major historical breaches (LinkedIn 2012, Adobe 2013, Collection 1-5 aggregation) contributed billions of records to the available credential pool. These are typically email-and-hashed-password pairs. Attackers crack the hashes offline using GPU-accelerated tools (Hashcat, John the Ripper) or purchase pre-cracked pairs, then test the resulting plaintext credentials against other services.
Infostealer Logs: The Fresh Supply As covered in our infostealer analysis, malware deployed on endpoint devices extracts browser-saved credentials as plaintext, along with active session cookies and tokens. Infostealer logs are the highest-quality credential source because they are already in plaintext (no cracking required), they include the exact URLs where the credential was used (so the attacker knows exactly which service to target), and they frequently include valid session cookies that bypass authentication entirely. Infostealer-derived credentials are the fastest path from credential to account access.
Phishing and Adversary-in-the-Middle Credential harvesting phishing campaigns and AiTM (Adversary-in-the-Middle) proxy attacks produce real-time credential collection: credentials are captured at the moment of entry, meaning they are guaranteed valid and have not yet been changed. AiTM attacks additionally capture the post-authentication session token, which remains valid even if the victim immediately changes their password after noticing suspicious activity. Phishing-derived credentials are typically sold within hours of collection.
Credential Guessing: The Manufactured Supply For specific high-value targets, attackers generate credential candidates algorithmically: common passwords, password patterns derived from known personal information, and corporate password convention patterns (CompanyName+Year+Symbol). These are not stolen credentials but generated candidates. They are deployed in password spraying campaigns, which test one password against many accounts rather than many passwords against one account. The goal is to identify accounts using predictable passwords without triggering per-account lockout thresholds.
A combolist (or combo list) is a structured file of username-and-password pairs assembled from one or more credential sources. The format is simple: one credential pair per line, separated by a colon or other delimiter. The sophistication is in the assembly, deduplication, filtering, and validation process.
# Typical combolist format (email:password pairs, one per line)
user@company.com:Password123!
john.smith@enterprise.org:Summer2024!
admin@targetdomain.com:Welcome1
… [40,000 lines total]
Assembling a high-quality combolist requires several processing steps that specialized operators perform as a commercial service. The raw material is breach databases, which may be in various formats: SQL dumps, CSV exports, JSON structures, or binary databases. Operators parse these into a unified format, deduplicate entries (removing duplicate email-password pairs that appear in multiple source databases), and optionally filter by domain, country, or data quality indicators.
The critical quality indicator for credential stuffing is whether the password is plaintext or hashed. Hashed passwords require an additional cracking step; plaintext passwords are immediately deployable. Infostealer-derived credentials are always plaintext. Breach database credentials are often hashed with varying algorithms: MD5 (fast to crack), bcrypt (slow to crack), SHA-1 (fast), Argon2 (very slow). The cracking difficulty is a primary pricing factor.
Raw combolists sell for very low prices per record because they include low-quality entries: outdated credentials, duplicate entries, and credentials from low-value services. Filtered combolists command significant price premiums because the filtering work has already been done:
| Combolist Type | Typical Size | Filtering Applied | Price |
| Raw breach dump | 100M+ lines | None; multiple sources combined | $2-$20 |
| Deduplicated combolist | 10M-50M lines | Duplicates removed; invalid formats excluded | $5-$50 |
| Domain-filtered combolist | 5K-500K lines | Filtered to specific email domain(s) | $20-$200 |
| Verified combolist (hit list) | 1K-50K lines | Pre-tested against target; only successful logins | $50-$500 |
| Corporate SSO filtered + fresh | 500-5K lines | Enterprise domains, recent infostealer-derived, plaintext | $100-$2,000 |
| Single high-value account (verified) | 1 account | Confirmed active with known privilege level | $200-$5,000+ |
| 💡 Why 0.5-2% Is Enough A 1% success rate on a 40,000-line combolist produces 400 confirmed valid accounts. If 10% of those are corporate accounts with meaningful access, that is 40 accounts. If 1 of those 40 has domain admin or SSO admin privileges, the entire campaign cost of $85 plus a few hours of compute time has produced a corporate breach. This is the economic logic that makes credential stuffing the dominant ATO vector: the marginal cost of each attempt is effectively zero, so even very low success rates are commercially viable. |
Credential stuffing at scale requires tooling that automates the login attempt process, manages proxy rotation, parses authentication responses, handles multi-step login flows, and stores results. The open-source ecosystem around credential stuffing tools is mature, well-documented, and freely available.
OpenBullet 2 is the most widely deployed credential stuffing framework. It is open-source, actively maintained, and supports a rich configuration ecosystem. The tool uses a config file format (.opk) that defines exactly how to interact with a target login endpoint: the HTTP requests to send, how to parse the response, what constitutes a successful login versus a failed one, and what data to extract and log from successful attempts.
| # OpenBullet 2 config structure (conceptual; educational use only) # Simplified OpenBullet 2 config structure # (educational representation of config concepts) SETTING Name = “CorporateSSO” SETTING Type = “credentials” # Step 1: GET the login page (capture CSRF token) REQUEST GET “https://login.target.com/” PARSE css “input[name=csrf_token]” -> CSRF # Step 2: POST credentials with CSRF token REQUEST POST “https://login.target.com/authenticate” CONTENT “email=<EMAIL>&password=<PASSWORD>&_token=<CSRF>” # Step 3: Check response for success indicators KEYCHECK <STRING> Contains “Welcome, ” -> SUCCESS KEYCHECK <STRING> Contains “Invalid password” -> FAIL KEYCHECK <STRING> Contains “Too many attempts” -> RETRY |
The config file handles the complete HTTP interaction with the target: following redirects, maintaining cookie sessions across requests, handling JavaScript challenges via headless browser integration, and parsing JSON or HTML responses to determine outcome. Advanced configs handle multi-step authentication flows, CAPTCHA solving via third-party solving services, and MFA prompts.
| Tool | Primary Use | Technical Characteristics |
| OpenBullet 2 | Full credential stuffing automation | Config-driven; proxy support; result parsing; CAPTCHA integration; open source; community config library |
| SNIPR | Targeted stuffing on specific platforms | Pre-built modules for common targets; faster setup than OpenBullet; less flexible |
| SentryMBA | Legacy stuffing tool | Older architecture; still in use for legacy targets; config ecosystem on underground forums |
| Vertex | Commercial stuffing tool | Paid tool; better evasion and performance; used by more sophisticated operators |
| Custom Python/Go scripts | High-speed targeted campaigns | Operator-built for specific targets; async request libraries (aiohttp, fasthttp); harder to detect |
| Hydra / Medusa | Password spraying | Network authentication protocols (SSH, RDP, SMTP); not browser-based; used against non-web targets |
The primary detection mechanisms deployed against credential stuffing campaigns are IP-based rate limiting, device fingerprinting, behavioral analytics, and CAPTCHA challenges. Mature credential stuffing operations have developed systematic countermeasures against each of these.
The most impactful evasion technique is residential proxy routing. A residential proxy routes attacker traffic through the IP addresses of legitimate home users, whose devices have been compromised and enrolled in a commercial proxy botnet. From the target’s perspective, login attempts appear to arrive from diverse residential IP addresses in the target country’s major cities, indistinguishable from legitimate user traffic.
Commercial residential proxy services provide access to millions of residential IPs through subscription models starting at $30-$50 per month for several gigabytes of traffic. The service handles IP rotation automatically, ensuring no single IP address makes enough attempts to trigger a per-IP rate limit. The requests are geographically distributed across the target country’s population centers, matching the expected geographic distribution of legitimate users.
Automated credential testing at maximum speed generates request patterns that are statistically distinguishable from human login behavior: constant inter-request timing, no time spent reading pages, uniform user-agent strings, and sequential rather than random username ordering. Detection systems trained on behavioral baselines flag these patterns.
OpenBullet 2 and similar tools include configurable timing controls: random delays between requests (typically 2-8 seconds), simulated human interaction patterns including time-on-page delays, and request ordering randomization. Advanced operators randomize user-agent strings, accept-language headers, and connection characteristics to produce request profiles that match real browser diversity.
Where targets deploy CAPTCHA challenges, attackers use commercial CAPTCHA-solving services that relay challenges to human solvers (typically low-wage workers who solve CAPTCHAs in bulk for payment) or to AI-based automated solvers for common CAPTCHA types. Services like 2Captcha and Anti-Captcha provide API integrations that connect directly to OpenBullet configs, automatically solving challenges and returning solutions within seconds. The cost is fractions of a cent per solved CAPTCHA.
Browser fingerprinting systems attempt to identify credential stuffing bots by detecting patterns in the browser environment: canvas fingerprinting, WebGL renderer information, installed fonts and plugins, screen resolution, timezone, and hundreds of other attributes. Sophisticated credential stuffing operations use Puppeteer or Playwright-based automation with stealth plugins that spoof these fingerprint components to produce browser profiles consistent with real user devices.
| 🔴 The Detection Arms Race Every detection mechanism deployed against credential stuffing has a commercial bypass product available in the underground market. IP reputation blocks are defeated by residential proxies. Rate limits are defeated by request timing randomization. CAPTCHAs are defeated by solving services. Fingerprinting is defeated by stealth browser automation. The security team deploys a control; the underground market produces a bypass. This is why behavioral anomaly detection at the platform level (unusual login volume, new device fingerprints, unusual geographic distribution) provides more durable detection than any single authentication-layer control. |
The output of a credential stuffing campaign is a hits file: a list of email-and-password pairs that produced successful logins. This raw output requires post-processing to sort by value and prepare for the next phase of exploitation.
For each successful login, the OpenBullet config captures the data it was programmed to extract from the authenticated session: account subscription tier, account balance, payment method on file, personal information visible in the account, and any other data accessible from the first authenticated page. The resulting hits file is structured by data category, enabling rapid sorting by account value.
| # Hits file structure: each successful login with captured account data (conceptual) # Example hits file format (educational representation) HIT user@company.com:Password123! Account Type: Enterprise Admin Last Login: 2026-06-02 MFA Status: SMS OTP (not FIDO2) SSO Connected Apps: 47 (Salesforce, GitHub, AWS, Jira…) Session Cookie: [captured] HIT john@domain.com:Summer2024 Account Type: Standard User Last Login: 2026-05-28 MFA Status: None Department: Finance |
The hits file is sorted into tiers based on account value:
Tier 1 (highest value): Admin accounts, SSO sessions with many connected applications, cloud console access with IAM permissions. Sold to IABs or used directly for lateral movement and ransomware staging.
Tier 2 (medium value): Corporate email accounts, CRM access, project management tools. Used for BEC campaigns, data theft, or sold as lower-tier IAB listings.
Tier 3 (consumer value): E-commerce accounts with stored payment methods, streaming service accounts, gaming accounts. Sold in bulk on carding forums or used for direct fraud.
Tier 4 (bulk resale): Accounts with no immediately obvious value. Repackaged into a new hits file and sold as a bulk lot, since an unknown account may have value that only the buyer can assess.
| ⚙️ The Credential Stuffing Success Rate Math A 1% success rate against a 1 million line combolist produces 10,000 valid accounts. The attacker paid perhaps $200 for the combolist and $30/month for proxy access. The resulting 10,000 accounts, sorted by tier, generate: 50-100 Tier 1 accounts ($500-$10,000 each on IAB markets), 500-1,000 Tier 2 accounts ($50-$500 each), and 8,000+ Tier 3/4 accounts ($1-$20 each in bulk). Total potential revenue: $50,000 to $500,000+. Total cost: under $500. This return profile is why credential stuffing has industrialized. |
A validated account credential is not yet a completed account takeover. The attacker must convert their temporary access into persistent control that survives password resets and MFA changes by the legitimate account owner.
When an infostealer component provides a valid session cookie alongside the credential, the attacker replays the cookie directly: they inject the stolen cookie into a browser session and access the account without authenticating. This technique bypasses all authentication controls including MFA, because the session was created by the legitimate user during a proper authentication event. The attacker inherits an already-authenticated session.
Immediately upon gaining access, the attacker races to establish persistence mechanisms that will survive the credential rotation that will eventually occur. These include:
OAuth application authorization: authorizing a new third-party application to the account creates a persistent access pathway that survives password resets. Many OAuth tokens remain valid indefinitely unless explicitly revoked.
Email forwarding rules: creating a silent forwarding rule copies all incoming email to an attacker-controlled address. This continues even after the victim changes their password and the attacker loses direct account access.
MFA device enrollment: on accounts that allow adding new MFA devices without re-authentication, adding an attacker-controlled phone number or authenticator app provides a re-entry mechanism after the original credentials are rotated.
Recovery contact modification: changing the account recovery email or phone number to attacker-controlled values enables account recovery even after the victim has locked the attacker out through other means.
For corporate accounts accessed via credential stuffing, the attacker uses the compromised account’s existing OAuth connections and SSO integrations to enumerate and access connected services. A single compromised Microsoft 365 account with an authenticated session may have pre-authorized connections to Salesforce, SharePoint, Jira, GitHub, and HR platforms. The attacker accesses each through the compromised account’s existing authorizations, without triggering new authentication events.
| RELATED READING: CISO’s Guide to Account Takeover Prevention: Detection, Response, and Recovery Full ATO incident response framework including persistence indicator detection, OAuth audit procedures, and recovery steps for each phase of the takeover lifecycle. |
Each stage of the credential-to-ATO lifecycle creates signals that, if monitored, provide detection opportunities. The earliest signals, those in the dark web credential distribution stage, are available days to weeks before any authentication attempt reaches the target’s systems.
| Lifecycle Stage | Detection Signal | Data Source and Response |
| Credential in stealer log | Domain credentials in stealer log distribution (T+24-48h post-infection) | Dark web monitoring: force targeted credential reset before stuffing campaign begins |
| Credential in combolist | Domain email addresses in sold/traded combolist | Combolist market monitoring: elevate alert level, prepare forced reset for affected accounts |
| Stuffing attempt (IP-based) | Elevated failed login volume from unusual IP ranges or datacenters | Auth logs: IP reputation and ASN analysis; datacenter IP range blocking |
| Stuffing attempt (distributed) | Low-volume failures spread across many IPs with consistent timing patterns | Platform-level auth analytics: per-session behavioral analysis, not per-IP |
| Session cookie replay | Authenticated session from IP/device that did not perform the original authentication | Session analytics: device fingerprint mismatch; impossible travel after session established |
| Persistence establishment | OAuth app authorization from unfamiliar application; email rule creation; new MFA device | Post-auth monitoring: OAuth grant logs; email rule change events; MFA enrollment audit |
| Lateral movement | Unusual SaaS application access through OAuth; data export patterns; privilege requests | Behavioral analytics: baseline deviation detection; UEBA for identity |
The credential-to-ATO lifecycle has multiple intervention points. Defending effectively requires operating at the earliest available point, which means external credential intelligence rather than authentication-layer controls alone.
Integrating your authentication layer with a breached password database checks every submitted credential against known compromised pairs at the moment of login. Microsoft and Google provide this natively for their identity platforms. For custom authentication systems, the HaveIBeenPwned k-anonymity API provides the same capability without exposing the full password to the checking service. Any credential that matches a known breach entry triggers an immediate forced reset before any session is established.
Per-account failed login rate limiting, the standard control against brute force, provides minimal protection against credential stuffing because stuffing campaigns make exactly one attempt per account. Detection requires platform-level analysis: elevated failure rates across all accounts simultaneously, unusual geographic distribution of attempts, new device fingerprint patterns appearing at scale, and correlated timing signatures that differ from the human login baseline.
Standard MFA (SMS OTP, TOTP authenticator apps) is partially effective against credential stuffing: it stops password-only attacks but not session cookie replay from infostealers or AiTM phishing. FIDO2 hardware security keys and device-bound passkeys provide protection against all of these attack types because authentication is cryptographically bound to the legitimate domain and cannot be replayed or proxied. Deploying phishing-resistant MFA for privileged accounts and high-value identities removes them from the hits file’s Tier 1 category.
The single highest-impact defensive investment is external intelligence that monitors for your domain’s credentials appearing in combolist distributions and stealer log markets. Detection at the distribution stage, 24-72 hours after credential theft and before the stuffing campaign runs, provides a forced reset window that eliminates the credential from the attack’s working set before any authentication attempt reaches your systems.
The credential-to-ATO lifecycle operates almost entirely outside your environment until the authentication attempt arrives at your login endpoint. Closing the gap requires intelligence that operates where the credentials are, not where you are.
| Brandefense Capability | ATO Lifecycle Coverage |
| Combolist and Breach Market Monitoring | Continuous monitoring of dark web combolist markets, breach databases, and credential trading forums for your domain; detects domain credentials in the distribution chain before stuffing campaigns begin |
| Infostealer Log Intelligence | Real-time monitoring of Telegram stealer log channels and marketplaces; earliest available signal at T+24-48h post-infection, before credential validation begins |
| Stuffing Campaign Targeting Signals | Dark web forum monitoring for discussions targeting your specific platform, login endpoint patterns, or authentication implementation; early warning when attackers are preparing configs for your environment |
| Session Cookie Exposure Detection | Specific monitoring for active session tokens associated with your critical applications; session cookie theft requires faster response than password-only exposure because MFA is bypassed |
| Post-Breach Domain Credential Validation | When any third-party service breach affects platforms your employees use, Brandefense identifies affected accounts and provides an actionable reset list before credential stuffing campaigns are assembled |
| 24/7 Analyst-Supported Alerting | All credential exposure detections reviewed by analysts; high-severity findings involving SSO admin, cloud console, or VPN credentials receive immediate escalation with specific response guidance |
The attacker in the opening scenario paid $85 and pressed a button. They did not need to exploit any vulnerability. They did not need any technical skill beyond configuring a tool that comes with a community forum and tutorial videos. The sophistication is not in the attack. It is in the supply chain that makes the attack possible: the breach databases, the infostealer ecosystem, the combolist market, the proxy network, the CAPTCHA-solving service.
Defending against this does not require matching the attacker’s technical sophistication at the authentication layer. It requires cutting the supply chain that feeds them. That means detecting credentials in the distribution pipeline before they are deployed, not detecting failed logins after they have been attempted.
Take control of your digital security with an exclusive demo of our powerful threat management platform.
