
In the massive crime industry that hacks multi-billion dollar companies

On October 20, a hacker calling himself Dark X said he logged into a server and stole the personal information of 350 million Hot Topic customers. The day after, Dark X said Hot Topic kicked them out.

Dark X happened to receive login credentials from a developer who had access to Hot Topic's crown jewels. To prove this, Dark X sent me the credentials; Alon Gal from the cybersecurity firm Hudson Rock, which first discovered the connection between infostealers and the Hot Topic breach, sent me a message saying that the hacker had sent him the same credentials.

The element of luck is real. But the alleged Hot Topic hack is also the latest breach directly tied to a sprawling underground industry that has made hacking some of the world's most important companies easy.

AT&T. Ticketmaster. Santander bank. Neiman Marcus. Electronic Arts. These were not isolated cases. They were all hacked thanks to “infostealers,” a type of malware designed to steal passwords and cookies stored in the victim’s browser. In turn, infostealers have created a complex ecosystem that has grown largely out of sight and in which criminals take on different roles: Russian malware programmers who constantly update their code; teams of professionals who hire contractors to spread the malware on YouTube, TikTok or GitHub with dazzling advertising; and English-speaking teenagers on the other side of the world who then use the stolen credentials to break into businesses. At the end of October, a coalition of law enforcement agencies announced an operation against two of the world's most widespread infostealers. But the market has grown and matured so much that criminal prosecutions against even a portion of it are unlikely to permanently curb the spread of infostealers.

Based on interviews with malware developers, hackers using the stolen credentials, and a review of manuals showing new employees how to distribute the malware, 404 Media has mapped this industry. The bottom line is that a single person's download of an innocuous-looking piece of software can lead to a data breach at a multi-billion dollar company, and this has pulled Google and other tech giants into an ever-escalating game of cat-and-mouse with the malware developers, as the tech giants try to kill off the malware and protect companies.

“We are professionals in our field and will continue to work to circumvent future Google updates,” an administrator of LummaC2, one of the most popular infostealer malware, told me in an online chat. “It will take time, but we have all the resources and knowledge to continue the fight against Chrome.”

The thieves

The infostealer ecosystem starts with the malware itself. There are dozens of them, with names like Nexus, Aurora, META and Raccoon. According to cybersecurity firm Recorded Future, the most widespread infostealer currently is RedLine. A pre-built malware package also significantly lowers the barrier to entry for an aspiring new hacker. The administrator of LummaC2, which is among the top 10 infostealers according to Recorded Future, said that it welcomes both beginners and experienced hackers.

Initially, many of these developers were interested in stealing credentials or keys related to cryptocurrency wallets. This would allow hackers to empty a victim's digital wallets and make money quickly. Many today still market their tools with the ability to steal bitcoin and have even introduced OCR to detect seed phrases in images. But more recently, the same developers and their collaborators discovered that any other data stored in a browser – passwords for the victim's workstation, for example – could generate a secondary source of income.