Inside the Information Stealer Ecosystem: From Compromise to Cash-Out
Olivier Bilodeau
BSidesSF 2025 — Here Be Dragons · Day 1 · Main
Information stealer malware — a category that requires no admin rights, leaves no persistence, and can exfiltrate an entire computer's credentials in one shot — has become the backbone of the modern cybercrime economy. Olivier Bilodeau, drawing on a dataset of over 120 million deduplicated stealer logs, walked through the complete lifecycle from infection to cash-out, revealing that the threat goes far beyond passwords: TOTP secrets, password vault files, active cookies, and even Google "master cookies" are all harvested and sold through a sophisticated underground marketplace.

---
AI review
Bilodeau brought 120 million deduplicated stealer logs to the conversation and has the technical depth to match the dataset. The TOTP secret extraction from browser extension LevelDB files is the single finding that changes how defenders think about software MFA — live demo, reproducible, devastating. The RedLine/Meta 'competition was the same operator' reveal is a nice intelligence bonus.