Inside the Credential Stuffing Ecosystem: Key Players and Their Roles

Over the last two years, we’ve built a team that has successfully infiltrated the credential stuffing ecosystem — a multi-headed serpent made up of intertwined roles, each contributing to a larger attack infrastructure. This operation has given us rare insights into this complex web, allowing us to profile the key players and understand their motivations.

Credential stuffing isn’t the work of a single actor, but a coordinated effort involving multiple participants, all working within a sophisticated supply chain.

Four distinct groups take part in a credential stuffing attack:

  1. Tool Developers
  2. Config Builders
  3. Crackers
  4. Fraudsters

Let’s break down the roles of each group.

1. Tool Developers

Who they are: Tool developers are the software engineers who write the software that automates credential stuffing attacks. Their tools are crucial to every other actor in the ecosystem, functioning as the Swiss Army knife of credential stuffing operations.

Toolkit: The community has evolved around common open source projects, including OpenBullet, SilverBullet, and several other variants.

More recently, developers have forked these projects, launching professional subscription services with enhanced features.

Risk profile: Low. It is easy for them to remain anonymous, and their open source software is always released “for educational purposes only.”

Income: Tool developers typically make very low income from the software itself.

————————————-

2. Config Builders

Who they are: Stereotypical “hackers,” config builders create configurations (“configs”) targeting specific websites.

A config encodes the steps required to log in to a site and to extract the data needed to profile the account.

Value of a config: The value of the config depends on three factors:

  1. Exclusivity of the target
  2. Difficulty in bypassing security controls
  3. Potential profit from the compromised accounts

Config builders sell their product to select crackers, often developing long-term relationships with specific individuals.

Risk profile: Moderate. They risk being doxxed by disgruntled buyers or being exposed by law enforcement if their clients, the crackers, are arrested.

Income: Low to moderate, with configs selling between $0 and $1,000 each.

————————————-

3. Crackers

Who they are: Bot operators. These individuals operate all the pieces required to launch credential stuffing attacks.

Toolkit:

  1. Credential stuffing software (e.g. OpenBullet)
  2. Bot infrastructure (e.g. RDP, VPNs, proxy networks)
  3. Compromised credential sets
  4. Site configs
  5. Community forum
  6. Webstore

Crackers maintain a “fleet” of target websites that they know they can attack successfully. Their “product” is a set of working credentials that a customer can use to log in to an account.

Crackers operate web stores listing every site for which they have compromised accounts for sale.

A cracker’s goal is to keep as many compromised accounts in stock as their community of fraudsters requires. In practice this means running a large number of smaller attacks rather than one big one.

For example, the Meijer attacker averaged 10 attacks per month over six months.
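That pattern of many small runs rather than one large burst is what a defender has to pick out of login telemetry. The following is an added example, not Kasada’s code or anything from the page; the log format (timestamp, source IP, username, outcome), the thresholds, and the log lines themselves are constructed for illustration. It runs two heuristics over the sample: one for a single source cycling through many distinct usernames with a high failure rate, and one for the same list pushed through a proxy network so that each IP stays under the per-source threshold. It then lists the successful logins from flagged sources, the “hits” that become the cracker’s product and the accounts a defender should force to reset.

```python
"""Flag credential-stuffing patterns in web login logs.

Added example, not Kasada's code. The log format, thresholds and the
sample lines below are assumptions constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: a legitimate user mistyping a password, a cracker
# running a credential list through a single source, and a low-volume
# spray spread across a proxy network (one username per IP).
LOG_LINES = """\
2024-10-01T12:00:01Z 203.0.113.5 bob@example.com FAIL
2024-10-01T12:00:09Z 203.0.113.5 bob@example.com FAIL
2024-10-01T12:00:20Z 203.0.113.5 bob@example.com OK
2024-10-01T12:00:30Z 198.51.100.20 user01@example.com FAIL
2024-10-01T12:00:32Z 198.51.100.20 user02@example.com FAIL
2024-10-01T12:00:34Z 198.51.100.20 user03@example.com FAIL
2024-10-01T12:00:36Z 198.51.100.20 user04@example.com FAIL
2024-10-01T12:00:38Z 198.51.100.20 user05@example.com OK
2024-10-01T12:00:40Z 198.51.100.20 user06@example.com FAIL
2024-10-01T12:00:42Z 198.51.100.20 user07@example.com FAIL
2024-10-01T12:00:44Z 198.51.100.20 user08@example.com FAIL
2024-10-01T12:03:01Z 192.0.2.1 carol@example.com FAIL
2024-10-01T12:03:05Z 192.0.2.2 dave@example.com FAIL
2024-10-01T12:03:09Z 192.0.2.3 erin@example.com FAIL
2024-10-01T12:03:13Z 192.0.2.4 frank@example.com FAIL
2024-10-01T12:03:17Z 192.0.2.5 grace@example.com FAIL
2024-10-01T12:03:21Z 192.0.2.6 heidi@example.com FAIL
"""


@dataclass
class Event:
    time: datetime
    source: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse the assumed 'timestamp source user outcome' format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, outcome = line.split()
        time = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(time, source, user, outcome == "OK"))
    return events


def flag_sources(events, min_users=5, min_fail_ratio=0.8) -> list[str]:
    """Single-source stuffing: one IP cycles through many distinct usernames
    and fails most of the time. A real user who forgot a password hits one
    or two usernames, so the distinct-user count separates the two cases."""
    users, attempts, failures = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        users[e.source].add(e.user)
        attempts[e.source] += 1
        failures[e.source] += (not e.ok)
    return sorted(
        src for src in attempts
        if len(users[src]) >= min_users
        and failures[src] / attempts[src] >= min_fail_ratio
    )


def flag_windows(events, min_users=5, min_sources=4) -> list[str]:
    """Distributed stuffing: the same list pushed through a proxy network so
    each IP stays under per-source thresholds. Aggregate failures into
    one-minute windows and flag windows where many distinct usernames fail
    from many distinct sources."""
    failing_users, failing_sources = defaultdict(set), defaultdict(set)
    for e in events:
        if e.ok:
            continue
        window = e.time.replace(second=0)  # floor to the minute
        failing_users[window].add(e.user)
        failing_sources[window].add(e.source)
    return [
        w.strftime("%Y-%m-%dT%H:%MZ")
        for w in sorted(failing_users)
        if len(failing_users[w]) >= min_users
        and len(failing_sources[w]) >= min_sources
    ]


def compromised_accounts(events, sources) -> list[str]:
    """Successful logins from flagged sources are the cracker's 'hits', the
    accounts that end up in the webstore. These need a forced reset."""
    flagged = set(sources)
    return sorted({e.user for e in events if e.ok and e.source in flagged})


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    hot = flag_sources(evs)
    print("stuffing sources:", hot)
    print("distributed windows:", flag_windows(evs))
    print("accounts to reset:", compromised_accounts(evs, hot))
```

The two heuristics are deliberately complementary: the per-source check catches the operator who has not bothered with proxies, while the per-window check catches the proxy-network case that defeats any per-IP rate limit. Thresholds have to be tuned to the site’s normal login volume; the ones here only fit the constructed sample.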

Risk profile: High. Crackers are in constant communication with other actors in the ecosystem, increasing their exposure. Prison sentences for their crimes can be up to 20 years.

Income: High. Crackers can make hundreds of thousands of dollars per year if they remain active.

————————————-

4. Fraudsters

Who they are: Fraudsters are the end-users of compromised accounts, using them to acquire goods or services of value. Whether it’s scoring free products or turning a profit by reselling items, fraudsters are the ones monetizing stolen credentials.

Common monetization motivations:

  1. Free stuff: Food, entertainment, retail products
  2. Reselling: Products bought with compromised accounts are resold on secondary markets for cash.
  3. Cash: Buying gift cards is a very common way to convert an account’s value to cash while remaining anonymous.

These individuals need to take steps to protect their identity. The use of in-store pickup is a common strategy that avoids exposing their address or personal information.

Risk Profile: High. Fraudsters engage directly with stolen goods, services, or loyalty points — putting them at greater risk of being caught.

Income: Ranges from low to high. Income depends on the value of the stolen goods.

Disrupting the Credential Stuffing Supply Chain

The credential stuffing community is best described as “disorganised crime” — a loosely connected yet highly adaptive network of individuals collaborating when it serves their mutual interests. This decentralized structure makes it challenging for defenders and authorities, as removing one player only creates space for another to take their place. Each layer of the ecosystem is fiercely competitive and thrives on its ability to rapidly adapt.

Like a multi-headed serpent, this ecosystem requires multiple components to function, each head contributing to the larger attack strategy. However, the more we know about how these associated individuals operate and interact, the better positioned we are to disrupt their business model at its core.

At Kasada, we focus on deeply understanding both the technology and the human minds behind automated threats. To see how credential stuffing may be impacting your organization, request a personalized site check today and gain an inside look at the early warning signs of these attacks.
