94 billion browser cookies are being sold to hackers on Telegram


Hackers have stolen 94 billion cookies and are selling them on the dark web. More than 20% of them are still active, leaving hundreds of millions of browser users worldwide at risk of account hijacking.

According to the latest research by the cybersecurity firm NordVPN, hackers have stolen 94 billion browser cookies and are selling them in data dumps across Telegram channels.

Twenty percent of these cookies are still active and tied to real user activity, posing an ongoing risk to users’ online privacy. “That’s hundreds of millions of people globally potentially exposed to cybercrime,” says Adrianus Warmenhoven, cybersecurity expert at NordVPN.


The stolen cookies came from users in 253 countries. The highest concentration came from Brazil, India, Indonesia, and Vietnam. The US ranked 4th among the most affected countries, with over 3.6 billion cookies found on the dark web.

Researchers' data suggests that over 4.5 billion stolen cookies were from Google, another 1.33 billion from YouTube, over 1.1 billion from Microsoft, and about 1 billion from Bing.

The most commonly stolen cookies were session IDs and assigned user IDs, both of which are core data that websites use to recognize you and keep you logged in. This leaves users vulnerable to account hijacks.

Personal information such as name, email address, password, and physical address was also frequently exposed. This data is often exploited for identity theft, fraud, and unauthorized account access.

NordVPN says cookie theft is exploding. Hackers went from swiping 54 billion cookies last year to 94 billion this year, showing a 74% surge.


Cybercriminals are after cookies, and that’s a huge threat

Cookies are what keep the internet running smoothly. These tiny text files that browsers store are the reason your shopping cart doesn’t disappear and your favorite sites load in a flash. They also store your browsing behavior and allow you to stay logged in across sessions.


While cookies seem harmless enough, in the wrong hands, they become powerful tools for account hijacking. With a stolen cookie, hackers can not only access your private information but also bypass logins to slip into your accounts undetected.

“What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide,” comments Warmenhoven.

“Most people don’t realize that a stolen cookie can be just as dangerous as a password. Once intercepted, a cookie can give hackers direct access to accounts and sensitive data, no login required,” he adds.
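Because a session cookie works as a bearer token, the server cannot tell a replayed copy from the original unless it checks the context the cookie arrives in. The following is an added example, not code from NordVPN or Cybernews, of one server-side heuristic: bind each session to the client context seen at first use and revoke it when both network and browser change. The log records, session IDs, /24 grouping and alert names are all assumptions made for the illustration.

```python
import hashlib

# Constructed sample access-log records: (timestamp, session_id, client_ip, user_agent).
# All values are made up for this example (IPs come from documentation ranges).
SAMPLE_REQUESTS = [
    (1000, "sess-a1", "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    (1060, "sess-a1", "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    (1090, "sess-b2", "203.0.113.20", "Mozilla/5.0 (Macintosh) Safari/17"),
    (1120, "sess-a1", "192.0.2.55", "Mozilla/5.0 (X11; Linux) Firefox/125"),  # replay
    (1150, "sess-a1", "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    (1200, "sess-b2", "198.51.100.99", "Mozilla/5.0 (Macintosh) Safari/17"),  # network change only
]

def context_fingerprint(ip: str, user_agent: str) -> tuple[str, str]:
    """Coarse client context: /24 network prefix plus a hash of the User-Agent."""
    prefix = ".".join(ip.split(".")[:3])
    ua_hash = hashlib.sha256(user_agent.encode()).hexdigest()[:12]
    return prefix, ua_hash

def detect_session_replay(requests):
    """Return (alerts, revoked) after replaying the requests in time order."""
    first_seen = {}   # session_id -> fingerprint bound at first use
    revoked = set()   # sessions invalidated server-side
    alerts = []
    for ts, sid, ip, ua in sorted(requests):
        if sid in revoked:
            # The cookie is dead for everyone, including the real user, who must log in again.
            alerts.append((ts, sid, "revoked-session-used"))
            continue
        fp = context_fingerprint(ip, ua)
        bound = first_seen.setdefault(sid, fp)
        if fp == bound:
            continue
        net_changed, ua_changed = fp[0] != bound[0], fp[1] != bound[1]
        if net_changed and ua_changed:
            # Same cookie from a different network AND a different browser: treat as theft.
            revoked.add(sid)
            alerts.append((ts, sid, "replay-suspected-revoked"))
        else:
            # Only one attribute drifted (e.g. a network hop): require re-authentication.
            alerts.append((ts, sid, "step-up-auth"))
    return alerts, revoked
```

A check like this only catches replay from a different environment; it does not help when the stolen cookie is used through the infected machine itself, so short session lifetimes and server-side revocation on logout still matter.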

NordVPN’s researchers traced the cookie heist back to 38 different information-stealing malware strains. The three most prominent infostealers on the list are Redline, Vidar, and LummaC2.

Redline is suspected of stealing 41.6 billion cookies. It’s one of the most aggressive infostealers in circulation, pulling saved passwords, cookies, and autofill data directly from users’ browsers.

Vidar, credited with 10 billion stolen cookies, operates in much the same way, but it also downloads secondary malware, turning infected systems into launchpads for more complex attacks.

According to researchers, LummaC2 has been responsible for 9 billion stolen cookies. This infostealer is particularly evasive, frequently updating its tactics to slip past antivirus tools and spread quietly across devices.

Researchers also identified 26 new malware strains that didn’t exist in 2024. Among them, RisePro and Stealc are optimized to rapidly steal browser credentials and session data.

Nexus targets banking details using mobile emulation, and Rhadamanthys stands out for its stealth and versatility, enabling the deployment of additional malware once inside a system.


Telegram's response

After the initial reporting, Cybernews was contacted by a Telegram spokesperson. According to the official statement, the sale of private data is expressly forbidden by Telegram's terms of service, and such content is removed whenever discovered.

“Moderators empowered with custom AI and machine learning tools proactively monitor public parts of the platform and accept reports in order to remove millions of pieces of harmful content each year,” the spokesperson said, and encouraged sharing any groups or channels that are distributing private data with Telegram’s moderators.