Thursday, April 16, 2026

User Login Cyberattacks Surge 156%, with Infostealers and Phishing Tools Leading the Charge

A dramatic surge in identity-based cyberattacks has fundamentally transformed the threat landscape, with new research revealing a staggering 156% increase in identity-driven threats between 2023 and 2025.

According to eSentire’s Threat Response Unit (TRU), these attacks now account for 59% of all confirmed threat cases during the first quarter of 2025, marking a significant shift from traditional system vulnerabilities to credential-focused attack strategies.

The research highlights how modern cybercriminals have recognized that compromising user identities provides direct access to valuable organizational assets with significantly less technical complexity than exploiting system vulnerabilities.

This evolution reflects the rise of sophisticated Cybercrime-as-a-Service ecosystems that have democratized advanced attack capabilities.

Phishing-as-a-Service Platforms Dominate Attack Landscape

Phishing-as-a-Service (PhaaS) platforms have emerged as the primary driver of credential theft, with Tycoon2FA alone accounting for 58% of observed account compromise cases.

These platforms, available for subscription fees as low as $200-$300 per month, provide enterprise-grade credential harvesting capabilities, complete with Adversary-in-the-Middle (AitM) functionalities that can bypass traditional multi-factor authentication.

The technical sophistication of these services rivals that of legitimate security tools, featuring user-friendly interfaces, customer support, and regular updates to counter defensive measures.

TRU’s analysis reveals that PhaaS infrastructure spans 229 distinct Autonomous System Numbers and 668 networks across 240 source locations, with 78% of operations originating from the United States, likely due to the use of legitimate hosting providers.

Business email compromise cases have increased by 60% year-over-year, with threat actors moving from credential theft to active fraud within hours rather than days.

The compressed timeline between initial compromise and malicious activity has significantly reduced organizations’ window for detection and response.

Information Stealers Evolve into Comprehensive Identity Harvesting Platforms

Information-stealing malware has evolved beyond simple keyloggers to become comprehensive identity-harvesting platforms, representing 35% of all disrupted malware threats in 2025.

These sophisticated tools systematically extract browser-stored credentials, password manager databases, VPN configurations, and application-specific authentication tokens.

Lumma Stealer, identified as the most disrupted malware family in 2024 and 2025, demonstrates the service-oriented architecture of modern infostealers.

Operating as Malware-as-a-Service since August 2022, it includes built-in filtering capabilities that allow threat actors to prioritize high-value credentials directly within control panel interfaces.

The stolen credentials are immediately monetized through underground marketplaces operating with e-commerce efficiency, enabling threat actors to filter and purchase specific organizational credentials within hours of theft.

Recent law enforcement disruption of Lumma Stealer infrastructure revealed thousands of active customers and millions of stolen credential records, highlighting the massive scale of these operations.

Organizations face mounting pressure to implement phishing-resistant authentication methods and zero-trust identity principles as traditional security models prove inadequate against adversaries possessing valid credentials.
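As an added illustration of the phishing-resistant authentication the article calls for (this is not the article's or eSentire's code), the check below is the relying-party side of a WebAuthn assertion: the browser, not the web page, writes the visited origin into clientDataJSON, and the authenticator's signature covers that JSON, so a login relayed through an AitM proxy on another domain fails the origin comparison even though the user typed the right credentials. The origin, challenge bytes and lookalike domain are assumed sample values; signature verification itself is omitted.

```python
import base64
import json
import secrets

# Assumed relying-party origin for this example (not from the article).
RP_ORIGIN = "https://login.example.com"

def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed stand-in for the clientDataJSON a browser builds during a
    WebAuthn assertion; the browser, not the page, fills in 'origin'."""
    body = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(body).encode())

def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       expected_origin: str = RP_ORIGIN) -> tuple[bool, str]:
    """Relying-party checks on clientDataJSON, run before signature verification
    (omitted here). The origin check is what defeats an AitM proxy: the
    authenticator's signature covers a hash of this JSON, so a proxy on a
    lookalike domain cannot rewrite the origin to match the real site."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError, AttributeError):
        return False, "malformed clientDataJSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (replayed or foreign session)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    return True, "ok"

def demo() -> dict:
    """Constructed sample: a genuine login and one relayed via a lookalike domain."""
    challenge = bytes(range(32))  # constructed; a real RP issues random bytes per session
    legit = make_client_data(RP_ORIGIN, challenge)
    proxied = make_client_data("https://login-example.com", challenge)  # constructed lookalike
    return {"legit": verify_client_data(legit, challenge),
            "proxied": verify_client_data(proxied, challenge)}
```

A password-plus-OTP login has no such origin binding, which is why an AitM proxy can forward those factors unchanged.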
