Cyberattacks on User Logins Jump 156%, Fueled by Infostealers and Phishing Toolkits

Identity-driven attacks have increased by a shocking 156% between 2023 and 2025, making up 59% of all confirmed threat instances in Q1 2025, according to research conducted by eSentire’s Threat Response Unit (TRU).

This dramatic shift from traditional asset-focused exploits to sophisticated identity-centric campaigns underscores a fundamental change in adversarial tactics.

Identity-Based Threats

Cybercriminals are increasingly targeting user credentials and authentication mechanisms, exploiting the direct access these provide to valuable organizational assets with minimal technical complexity.

The rise of Cybercrime-as-a-Service (CaaS) ecosystems has further fueled this trend, offering low-cost, high-return tools that democratize advanced attack capabilities for threat actors of varying skill levels.

At the forefront of this epidemic are Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA, which alone accounts for 58% of observed account compromise cases, and information stealer malware, representing 35% of disrupted malware threats in 2025.

Tycoon2FA, available for as little as $200-300 USD per month, provides enterprise-grade credential harvesting with Adversary-in-the-Middle (AitM) functionalities that bypass traditional multi-factor authentication (MFA) by intercepting and replaying authentication tokens.

Phishing Toolkits

Meanwhile, infostealers such as Lumma Stealer, the most disrupted malware family in 2024 and 2025, have evolved into comprehensive identity harvesting platforms.

These tools extract browser-stored credentials, password manager databases, VPN configurations, and application-specific tokens, which are then monetized on underground marketplaces with e-commerce-like efficiency.

The rapid timeline from credential theft to active fraud, often within hours, exacerbates the challenge for organizations, as seen in business email compromise (BEC) cases, which constitute 41% of total incidents in Q1 2025, up from 25.6% in 2024.

The exploitation of monitoring blind spots adds another layer of complexity to this threat landscape.

Unmanaged devices, shadow IT infrastructure, and third-party supply chain partnerships create invisible attack surfaces that evade traditional security controls.

TRU’s analysis highlights how stolen credentials, often acquired via infostealers, are used to access corporate networks through legitimate channels like VPNs, only becoming detectable during late-stage attacks such as ransomware deployment.
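Because a stolen credential arrives through a legitimate channel, the login itself looks valid; what gives it away is the context around it. The following is an added example (not code from the article or from eSentire) of the kind of sign-in anomaly detection that can surface such access before the late-stage activity described above. It runs over constructed JSON-lines sign-in events and a constructed per-account baseline; the field names (`user`, `country`, `asn`, `device_id`) are assumptions, not a real product's log schema.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed baseline of what each account normally looks like (assumption: the
# organisation maintains such a profile from prior successful sign-ins).
BASELINE = {
    "j.doe": {"devices": {"LAPTOP-JD01"}, "locations": {("US", "AS64496")}},
    "a.lee": {"devices": {"LAPTOP-AL02"}, "locations": {("US", "AS64496")}},
}

# Constructed sample VPN/SSO sign-in events (JSON lines). Field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2025-03-03T08:02:11Z", "user": "j.doe", "src_ip": "203.0.113.7", "country": "US", "asn": "AS64496", "device_id": "LAPTOP-JD01", "result": "success"}
{"ts": "2025-03-03T08:30:02Z", "user": "a.lee", "src_ip": "198.51.100.5", "country": "US", "asn": "AS64496", "device_id": "LAPTOP-AL02", "result": "failure"}
{"ts": "2025-03-03T08:40:55Z", "user": "j.doe", "src_ip": "198.51.100.23", "country": "NL", "asn": "AS64511", "device_id": "unknown", "result": "success"}
{"ts": "2025-03-03T09:15:00Z", "user": "a.lee", "src_ip": "203.0.113.9", "country": "US", "asn": "AS64496", "device_id": "LAPTOP-AL02", "result": "success"}
"""


def parse_events(raw):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events, baseline, travel_window=timedelta(hours=6)):
    """Flag successful sign-ins that do not fit the account's baseline.

    Two signals are combined:
      * new_device_and_location: the device AND the network (country, ASN) are both
        unknown for this account, the typical shape of an infostealer-sourced login;
      * impossible_travel: a second successful login from a different country within
        travel_window of the previous one.
    Failed attempts are ignored here; they would feed a separate brute-force rule.
    """
    alerts = []
    last_success = {}  # user -> most recent successful event
    for e in events:
        if e["result"] != "success":
            continue
        reasons = []
        profile = baseline.get(e["user"], {"devices": set(), "locations": set()})
        location = (e["country"], e["asn"])
        if e["device_id"] not in profile["devices"] and location not in profile["locations"]:
            reasons.append("new_device_and_location")
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= travel_window:
            reasons.append("impossible_travel")
        if reasons:
            alerts.append({
                "user": e["user"],
                "ts": e["ts"].isoformat(),
                "src_ip": e["src_ip"],
                "reasons": reasons,
            })
        last_success[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_events(SAMPLE_LOG), BASELINE):
        print(alert)
```

On the constructed input only the second `j.doe` sign-in is flagged, for both reasons: it comes from an unknown device on an unknown network and lands 38 minutes after a login from another country. Requiring both the device and the location to be new keeps ordinary travel with a managed laptop from alerting; tune the window and the baseline source to the environment.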

Industries like Construction, Manufacturing, Business Services, and Software face elevated exposure to email-based threats, though no sector remains immune.

The geographic diversity of attack infrastructure, with 78% of phishing operations tied to U.S.-based hosting providers (despite globally distributed threat actors using VPNs and proxies), further complicates detection and mitigation efforts.

This seismic shift demands a reevaluation of organizational security architectures. Traditional perimeter defenses and endpoint protection are no longer sufficient against adversaries wielding valid credentials.

eSentire recommends adopting phish-resistant authentication methods like FIDO2/WebAuthn, implementing Zero Trust principles with continuous identity verification, and enhancing monitoring for authentication anomalies and dark web credential exposure.
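The reason FIDO2/WebAuthn is called phish-resistant against AitM kits like the one described above is that the browser binds every assertion to the origin the user actually visited and to the relying party ID, and the server checks both. The following is an added, deliberately simplified illustration of those two checks (not code from the article, eSentire, or any WebAuthn library); the relying party ID `login.example.com`, the allowed origin, the challenge value and the byte layouts are assumptions. It omits the signature verification a real relying party must also perform.

```python
import hashlib
import json

# Assumed relying party configuration for this example.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def build_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Construct the first 37 bytes of WebAuthn authenticatorData:
    rpIdHash (32 bytes, SHA-256 of the rpId the browser used) + flags (1) + signCount (4)."""
    flags = 0x05  # user present + user verified
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def build_client_data(origin: str, challenge: str) -> bytes:
    """Construct clientDataJSON as the browser would serialise it for the given origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: str) -> tuple[bool, str]:
    """Relying-party side checks that defeat a proxied login page.

    Signature verification over authenticatorData || SHA-256(clientDataJSON) is
    intentionally omitted here; a real implementation must perform it.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    # The browser fills in the origin it is actually talking to; a lookalike
    # proxy domain cannot forge this field, so the server can reject it outright.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')!r} not allowed"
    # rpIdHash is computed by the authenticator from the rpId the browser supplied,
    # which must be a registrable suffix of the page's origin, so a proxy on another
    # domain cannot produce the expected hash either.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


# Constructed server-issued challenge (base64url in practice; opaque string here).
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"

# Genuine ceremony: user is on the real origin.
LEGIT_CLIENT_DATA = build_client_data("https://login.example.com", CHALLENGE)
LEGIT_AUTH_DATA = build_authenticator_data(RP_ID)

# Proxied ceremony: user was lured to a lookalike domain that relays traffic to the real site.
# Both the origin and the rpIdHash reflect the lookalike, so the assertion is rejected.
PROXIED_CLIENT_DATA = build_client_data("https://login.example-com.invalid", CHALLENGE)
PROXIED_AUTH_DATA = build_authenticator_data("login.example-com.invalid")


def check_legit():
    return verify_assertion_binding(LEGIT_CLIENT_DATA, LEGIT_AUTH_DATA, CHALLENGE)


def check_proxied():
    return verify_assertion_binding(PROXIED_CLIENT_DATA, PROXIED_AUTH_DATA, CHALLENGE)


if __name__ == "__main__":
    print("legit   :", check_legit())
    print("proxied :", check_proxied())
```

Compare this with a one-time code: nothing in a TOTP digit string says where it was typed, so a relay can forward it unchanged, whereas a WebAuthn assertion carries the origin and relying party ID inside the signed material and fails verification when either does not match.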

As identity-based attacks continue to dominate, organizations must act swiftly to transform their security posture, prioritizing rapid response and proactive defenses to mitigate the escalating risks of financial loss, regulatory violations, and reputational damage posed by these sophisticated cyber threats.
