On 11 June 2025, Europol published its new Internet Organised Crime Threat Assessment report, titled ‘Steal, deal, and repeat’ (.pdf).

A central theme of the report is the pervasive threat of data theft. For example, ‘access credentials’ (login details) to personal accounts are highly valuable because they provide direct access to mailboxes, social media accounts, online shops, financial services, and even information systems used by public administrations. The data can be used to compromise the wider network (called ‘lateral movement’ in computer systems), malware distribution, identity theft, impersonation of victims, and the dissemination of malicious content appearing to originate from trusted sources.

Data as a means to commit cybercrime

Criminals involved in online fraud schemes leverage personal information to profile targets, increasing their chances of success or gaining unauthorized access to accounts. This includes details such as age, interests, location, email addresses, dates of birth, phone numbers, and credit card data. This information allows criminals to craft more convincing and manipulative fraud narratives.

Similarly, child sex exploitation perpetrators collect personal information to tailor their communication with the victims and use it as leverage for sexual and financial extortion. This can encompass victims’ interests, personal connections, home and school addresses, and details about family and friends. The collection of such data also facilitates “doxxing”—the public exposure and shaming of victims by publishing private information online—which can lead to further victimization, cyberbullying, and the re-victimization of children.

Criminals also use stolen personal data to create fake identities for purposes such as applying for subsidies, loans, or credit cards, and committing other financial frauds. Business Email Compromise (BEC) attacks, where criminals impersonate company executives or employees, are also prevalent, tricking others into transferring funds or revealing sensitive information.

Data as a commodity

Information is stolen and converted into a commodity to be further exploited by other criminal actors in their operations. It is then marketed on various criminal platforms, including specialised marketplaces, underground forums, and dedicated channels within end-to-end encrypted (E2EE) communication apps.

Europol identifies several common commodities:

• Unanalysed infostealer logs and breached data dumps (leaked or stolen data), which may contain personal data, user credentials for various services, browser artefacts and other sensitive information;
• Unanalysed or verified credit card dumps (usually gathered by digital skimming), as well as the bulk sale of verified card details;
• Initial access offers, ranging from credentials for remote services and accounts (e.g. RDP, VPN, firewalls, network devices and cloud environments) to established backdoor access to corporate systems and networks;
• Account login credentials for various web services, including email and social media accounts, online shopping environments and adult content sites;
• Criminal services, including subscriptions to phishing-kits, infostealers, exploit kits, droppers, spoofing services and malicious Large Language Models (LLMs);
• Anti-detection solutions, such as VPNs, bulletproof hosting (BPH), residential proxies, money laundering services, operational security (OpSec) manuals, etc

Manuals, guidelines, and tutorials—including individual coaching sessions focused on OpSec and online fraud schemes—are widely available at low cost, often bundled with other products or services.

Infostealers are used to steal login credentials and collect application tokens and session cookies, enabling access to websites and applications as an authenticated user. They also gather information about the user’s device, operating system, settings, and browser data, allowing criminals to mimic a legitimate user’s digital fingerprint. This enables them to bypass some security features during account takeovers by configuring virtual machines to resemble genuine users.

Example: Take down of ‘Lumma’

As part of “Operation Endgame,” Europol partnered with Microsoft in 2025 to dismantle the infrastructure behind ‘Lumma’. Lumma enabled cybercriminals to collect sensitive data from compromised devices on a massive scale, harvesting stolen credentials, financial data, and personal information for sale through a dedicated marketplace. Its widespread use made it a central tool for identity theft and fraud globally.

On 16 March 2025, Microsoft identified over 394.000 Windows computers globally infected by the Lumma malware. More than 1300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes. 

Source: Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool – Microsoft On the Issues

It had the following functionalities according the (more) technical report:

• Browser credentials and cookies: Lumma Stealer extracts saved passwords, session cookies, and autofill data from Chromium (including Edge), Mozilla, and Gecko-based browsers.
• Cryptocurrency wallets and extensions: Lumma Stealer actively searches for wallet files, browser extensions, and local keys associated with wallets like MetaMask, Electrum, and Exodus.
• Various applications: Lumma Stealer targets data from various virtual private networks (VPNs) (.ovpn), email clients, FTP clients, and Telegram applications.  
• User documents: Lumma Stealer harvests files found on the user profiles and other common directories, especially those with .pdf, .docx, or .rtf extensions.
• System metadata: Lumma Stealer collects host telemetry such as CPU information, OS version, system locale, and installed applications for tailoring future exploits or profiling victims.

Lumma Stealer used a robust C2 infrastructure, using a combination of hardcoded tier 1 C2s that are regularly updated and reordered, and fallback C2s hosted as Steam profiles and Telegram channels that also point to the tier 1 C2s. The Telegram C2, if available, is always checked first, while the Steam C2 is checked only when all the hardcoded C2s are not active. To further hide the real C2 servers, all the C2 servers are hidden behind the Cloudflare proxy

Techniques to acquire personal data

The “ClickFix” technique is gaining popularity among cybercriminals. Users encounter fake error or CAPTCHA messages while browsing, tricking them into copying and running malicious content on their devices. These pop-ups prompt users to click buttons labelled ‘Fix It’ or ‘I am not a robot,’ which then either copies a malicious PowerShell script or provides instructions for manual malware execution.

Vishing—the use of fraudulent phone calls—is facilitated by spoofing services, allowing criminals to impersonate trusted entities and increase the effectiveness of social engineering attacks. This technique is frequently used for fraud and gaining initial system access. Increasingly, vishers persuade victims to download malicious payloads, enter credentials on phishing websites, or install Remote Access Tools (RATs) or Remote Monitoring and Management (RMM) tools. Fraudsters impersonating IT solution providers are using this approach to gain access to bank accounts. Initial Access Brokers (IABs) and ransomware operators are also adopting vishing tactics to obtain VPN and user account credentials.

Use of LLM’s and generative AI

LLM’s and genAI can improve phishing techniques. enhance phishing techniques by enabling the creation of highly targeted messages incorporating local language and cultural nuances, significantly increasing click-through rates. CSE perpetrators use LLMs to personalize communications, making them more convincing and facilitating impersonation for information gathering. This makes it harder for victims to recognize manipulation. The automation provided by LLMs allows offenders to scale their grooming operations, targeting multiple victims in various languages simultaneously.

Criminals are also using voice deepfakes to enhance the credibility of spear-phishing campaigns used in BEC and CEO fraud. Generative AI can be exploited to create fake social media profiles for social engineering purposes.

As discussed above, genAI can also be exploited to generate fake social media profiles using a range of social engineering applications. For further information, refer to this Europol podcast featuring a shocking example of AI use in an online child sexual abuse case involving “Kidflix”, which contained approximately 72.000 videos and nearly two million users.

Who are they?

employ the methods previously mentioned, alongside more sophisticated techniques that enable them to compromise valuable targets. These include digital service providers (through supply-chain attacks), international corporations, and government entities; this can involve identifying and creating zero-day exploits, as well as conducting complex, targeted social engineering operations. Such actors typically do not publicise their capabilities but instead monetise their exploits by collaborating directly with cybercrime groups (for example, ransomware groups) or other hybrid threat actors. This means that valuable assets – such as zero-day exploits and access to high-value targets like large international corporations, IT supply chains, and critical infrastructure – are traded privately, often in exchange for a percentage of the buyer’s earnings.

The criminal actors who target financial data and payment system access are the primary customers of services offering phishing kits and digital skimmers. The URLs of these fraudulent webpages are disseminated through phishing campaigns and web-skimmers inserted into misconfigured or unpatched websites – techniques similar to those used by data and access brokers. Stolen account information or payment card details are frequently sold via dedicated online platforms specialising in these commodities.

The final category of actors includes child sexual exploitation and certain fraud perpetrators (such as those involved in romance scams), who do not seek to commodify the personal data they gather from their victims but instead exploit it as an integral part of their criminal processes. Rather than trading data, they use it directly to access accounts or coerce their victims. However, not all CSE offenders operate alone; doxxing channels on end-to-end encrypted (E2EE) applications have been identified, demonstrating a collaborative effort to amplify their coercive power. Within these environments, criminal actors cooperate by sharing personal data gathered on targets, intensifying the pressure imposed on victims subjected to multiple, simultaneous extortion attempts.

Market places and information brokers

Marketplaces and information brokers operate as platforms for selling stolen identities, access credentials, web shells, and financial information. Access credentials, for example, may be sold in bulk without verification of their validity or value. As an example, check out this report by TrendMicro about Russian Market.

alidated credentials and listings from IABs – advertising the systems they have compromised – are typically accompanied by details of the affected entities and sometimes auctioned to the highest bidder. Prices vary considerably depending on factors such as the compromised entity’s sector, size, revenue, geographical location, access type, level, persistence, and exclusivity. High-revenue companies in Europe and North America are particularly sought after.

Forums dedicated to breached data – such as BreachForums (article by Bleepingcomputer) – serve as advertising spaces, while negotiations and transactions increasingly take place on dedicated channels within commercial end-to-end encrypted (E2EE) communication platforms. These listings not only advertise available commodities but also help build the seller’s reputation within the ecosystem; compromising more prominent and valuable targets enhances standing in the community. Consequently, many data brokers tend to exaggerate the classification or value of their assets, which may in reality be fake or based on outdated leaks, used to attract attention.

Example: ‘Cracked’ and ‘Nulled’

On January 2025, the cybercrime forums ‘Cracked.io’ and ‘Nulled.to’ were taken down. German authorities led the operation, plus law enforcement from eight other countries, and they were supported by Europol.

Source: Law enforcement takes down two largest cybercrime forums in the world – The platforms combined had over 10 million users worldwide | Europol

The two platforms, Cracked and Nulled, had more than 10 million users in total. They were key marketplaces for stolen data, including personal data, and cybercrime tools and infrastructure, which were offered as-a-service to individuals with more limited technical skills to carry out cyber-attacks. The two forums also offered AI-based tools and scripts that could automatically scan for security vulnerabilities and optimise attacks.

Cracked.io had over four million users and listed more than 28 million posts advertising cybercrime tools and stolen information, generating approximately USD 4 million in revenue. One product advertised on Cracked offered users access to ‘billions of leaked websites’, allowing them to search for stolen login credentials.

Other associated services were also taken down; including a financial processor named Sellix which was used by Cracked, and a hosting service called StarkRDP, which was promoted on both of the platforms and run by the same suspects.