    A Glimpse into the “Search Your Target” Market for Stolen Credentials

    By Admin, June 22, 2026

    Threat actors are increasingly turning massive infostealer-derived credential collections into searchable underground services, allowing buyers to request credentials for a specific company, platform, domain, geography, or account type.

    Flare researchers analyzed 470 underground forum posts published between January 2025 and June 2026, across different sources, related to actors offering to search for and extract stolen credentials from their databases. The dataset included advertisements, reposts, buyer feedback, pricing references, and disputes around quality and validity.

    The findings show a dedicated service layer sitting between infostealer infections, raw logs trading and account takeover activity. The profile of the threat actors who offer these services is divided between the Malware-as-a-Service (MaaS) providers and the MaaS consumers.

    In many cases, they function as credential brokers or data processors, monetizing the vast number of logs and their ability to search, filter, format, and deliver targeted results from large stolen credential collections.

    Key Points

    • Analysis of 470 underground posts illustrates a pinpointed service that offers targeted extraction, filtering, deduplication, formatting, and freshness from large infostealer databases containing tens of billions of lines. It functions as an alternative to combo lists: instead of purchasing a bulk dump, buyers query a seller’s existing data and receive only the results that match their target.

    • The market overlaps with the Initial Access Broker (IAB) ecosystem, but is not identical to it. Common output formats included URL:LOGIN:PASS, MAIL:PASS, LOGIN:PASS, PHONE:PASS, MAIL:PHONE, and MAIL:LOGIN.

    • Interestingly, buyer feedback showed a gap between what is advertised and the actual results: in reality the volume is lower, and the credentials are often invalid, duplicated, and generally unusable.

    How Does the “Search Your Target” Service Work

    The “search your target” market sits in the middle of the account takeover chain.

    First, infostealers infect devices and collect credentials, cookies, autofill data, and browser artifacts. Then logs are aggregated and inserted into private clouds, ULP databases, public dumps, or exchange-based collections. Next, the “search-service” threat actors extract rows based on buyers’ requests. Buyers then validate the credentials and use them for account takeover, fraud, spam, phishing, crypto theft, or corporate intrusion.

    This means the sellers in this dataset are often neither the first nor final step. They are the processing layer that turns stolen credential noise into targeted attack material.

    Figure 1 – the “search your target” flow

    From a threat intelligence framework perspective, this service model represents a practical example of T1589.001 (Gather Victim Identity Information: Credentials), where adversaries actively research and acquire credentials prior to exploitation, and potentially T1650 (Acquire Access), given that some sellers deliver results indistinguishable from direct access provisioning.

    From GitHub access sales to leaked vendor repositories, the warning signs exist — they’re just buried in forums and marketplaces most teams aren’t watching.

    Flare surfaces them before they become incidents.

    Start Monitoring for Supply-Chain Exposure For Free

    The “Search Your Target” Market Economy

    Much like the DDoS market, where the buyer submits a domain and the service provider attacks it, this service follows the same simple pipeline:

    1. A buyer sends a target

    2. The seller returns matching credentials

    That target can be a company domain, login URL, ecommerce site, gaming platform, application, geographic market, or a list of emails. The output is usually delivered in formats such as URL:LOGIN, URL:LOG, MAIL, LOGIN, PHONE, or other combinations depending on the request.

    Several sellers in the underground specify the size of their database as a selling point. One actor advertised an “ULP 5kkk+ lines” database (5,000,000,000), quick access within 10–15 minutes, daily updates, and sources that allegedly included private logs, private clouds, personal streams, and public data. Another actor promoted a 10kkk+ line, 1TB+ URL:LOG database, while others claimed access to collections ranging from hundreds of millions to tens of billions of records.

    Screenshot taken from Flare’s platform.
    Sign up for the free trial to access if you aren’t already a customer.

    The size of the database isn’t the only selling point. As part of their sales pitch, sellers also advertise their search capabilities, freshness, formatting, and relevance.

    Some offer simple domain extraction, while others offer more customized services, such as extracting email accounts for a requested shop, website, app, or game. In effect, attackers are advertising their technical ability to index the data in their databases, keep it updated, and make it quick and convenient to search.

    As an example, one of the sellers advertised that customers could submit a request for only $20 per request, and add additional payment based on the returned results.

    Screenshot taken from the forum of one of the posts in the dataset

    The dataset also showed more advanced forms of credential enrichment. One actor claimed access to separate email, password, login, phone, and URL:Login collections, and described how those records could be combined.

    For example, a buyer with only an email list could request matching login pairs, or a buyer looking for a specific geography could receive results built from country codes, domains, URLs, cities, and password patterns.

    This further indicates that threat actors are using data best practices (e.g. labeling, slicing), much like ordinary legitimate businesses around the world.

    Customer Feedback Shows a Gap Between Ads and Reality

    Customer feedback indicates that the sellers are over-promising and under-delivering. Buyers claim that some sellers aren’t credible. Some claim that the credentials are invalid, and sellers answer in return that they never checked whether the credentials were valid. Some said that this is the same data that appears in large combo lists published for free across the underground.

    Others claim that these databases contain many duplications (one even claimed that out of 3,000 records only 200 were unique).

    While the concept of large combo lists or aggregated credential files isn’t new, this service is still something unique that can eventually, if operated correctly, put a lot of businesses and organizations at risk.

    Developed Alongside the Infostealers Market

    Over the past several years, infostealer families and log marketplaces produced enormous quantities of records that include browser-stored credentials, cookies, autofill data, and device information. These collections are constantly growing, which makes it a challenge for buyers to sort through them for profit.

    Making it easier to extract value from these collections was an opportunity for commercialization. A buyer who usually has a specific, pinpointed goal can therefore save time and money with this service.

    Comparison Between the “Search Your Target” Market and the IAB Market

    The “search your target” market is often tied to a general search for an email, a business, or a person. The validity and “freshness” of access isn’t guaranteed, and you are basically paying for search, find, and results. This market partially overlaps with the initial access broker (IAB) market.

    When buyers are looking for access to corporate VPNs, SaaS platforms, email accounts, cloud environments, admin panels, or remote access systems, the output can become initial access if these markets overlap.

    Nevertheless, the IAB market is often more expensive and prestigious, and serves as a “white glove service”: its sellers offer validated access, which often can bypass MFA, and ultimately get into an organization.

    What Defenders Should Learn

    The “search your target” market shows that attackers no longer need to manually process massive dumps to find what matters. They can outsource that work to sellers who specialize in turning noisy credential collections into focused target lists. For defenders, the challenge is to identify and close those exposed paths before a buyer turns them into access.

    Flare helps by giving security teams visibility into these underground markets and by monitoring exposed employee credentials, corporate domains, login portals, SaaS applications, and related indicators across deep and dark web sources.

    This allows organizations to detect when their access points appear in credential collections or search-service advertisements, prioritize the most relevant exposures, and respond faster with password resets, session revocation, MFA enforcement, and investigation of possible account misuse.
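As an added illustration of the triage step described above (example code, not part of the original article and not Flare's tooling), the sketch below takes a monitoring-feed export in the URL:LOGIN:PASS and MAIL:PASS formats named earlier, keeps only rows tied to the organization's domains, and deduplicates them into a reset list. The domain `example.com`, the sample rows and all function names are assumptions constructed for the example.

```python
import hmac, os
from urllib.parse import urlsplit

ORG_DOMAINS = {"example.com"}   # assumption: domains the defender owns
_KEY = os.urandom(32)           # per-run key: fingerprints are useless outside this run

# Constructed sample of a monitoring-feed export (not real data).
SAMPLE = """\
https://vpn.example.com/login:alice@example.com:Summer2025!
https://vpn.example.com/login:alice@example.com:Summer2025!
https://vpn.example.com:8443/auth:bob:hunter2
https://shop.other.test/account:dave@example.com:letmein
https://notexample.com/login:erin:pw123
bob@example.com:qwerty
not a credential line
"""

def in_scope(name):
    name = (name or "").lower().rstrip(".")
    # Match the domain itself or a true subdomain, never a bare suffix.
    return any(name == d or name.endswith("." + d) for d in ORG_DOMAINS)

def parse_line(line):
    """Return (host, login, password) for URL:LOGIN:PASS or MAIL:PASS, else None."""
    line = line.strip()
    if "://" in line:
        # URLs carry their own colons (scheme, port), so split from the right.
        parts = line.rsplit(":", 2)
        if len(parts) != 3 or "://" not in parts[0]:
            return None
        return urlsplit(parts[0]).hostname, parts[1], parts[2]
    login, sep, password = line.partition(":")
    return (None, login, password) if sep and "@" in login else None

def triage(text):
    """Return (in-scope rows, unique findings); no plaintext password is kept."""
    seen, findings, rows = set(), [], 0
    for rec in filter(None, map(parse_line, text.splitlines())):
        host, login, password = rec
        if not (in_scope(host) or in_scope(login.rpartition("@")[2])):
            continue
        rows += 1
        fp = hmac.new(_KEY, password.encode(), "sha256").hexdigest()[:12]
        key = (host, login.lower(), fp)
        if key not in seen:
            seen.add(key)
            findings.append({"host": host, "login": login, "pw_fp": fp})
    return rows, findings
```

The gap between the row count and the number of unique findings reflects the duplication buyers complained about. A password that itself contains a colon is ambiguous in these formats and will be mis-split, so the fingerprint should be treated as a deduplication aid only.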

    Learn more by signing up for our free trial.

    Sponsored and written by Flare.


