- NordVPN's research reveals 94 billion stolen cookies on the dark web
- Only a small percentage of them are still active
- These cookies represent a serious risk for customers
New research from NordVPN has revealed that cookies, the small information files generated by web servers and sent to web browsers, are being leaked and used on the dark web in large numbers.
The research counts around 94 billion cookies circulating on the dark web, with almost 42 billion of these from Redline, a notorious infostealer malware, although only 6.2% of them are still active, which means that they have a relatively short lifespan.
In fact, most were inactive, with only 7.2% of the 10.5 billion cookies identified from Vidar showing as valid, as well as 6.5% of those from LummaC2, a more recent infostealer service, which collected a total of 8.8 billion stolen cookies. However, there is an outlier: CryptBot proved by far the most effective malware, given that 83.4% of its 1.4 billion stolen cookies are still active.
What is inside?
This is not the first time that NordVPN has warned about cookies being abused, with millions of stolen consumer browser cookies leaked on the dark web in 2024, although the total for 2024 was 54 billion, marking a year-on-year increase.
The cookies in the data set contained a range of different types of information, the most common keywords being "ID" (18 billion), alongside "session" (1.2 billion), "auth" (292 million) and "login" (61 million). This is particularly worrying, because it suggests that they could be used to "hijack live sessions without a password", researchers warn.
“Cookies may seem sweet, but sometimes they can leave a bad taste. The truth is that even the most unimportant cookies can do a lot of damage to you or your business. Once a door is open, it is not so difficult to open others. Session cookies, especially active cookies, are a gold mine. They allow attackers to jump for connection pages.”
That's not all, however. These cookies could allow attackers to take over social media accounts, bypass two-factor authentication, launch social engineering attacks or even access sensitive financial information.