
The Rise of Search Your Target

A deep look into the underground market where attackers pay others to filter billions of stolen credentials for specific targets—transforming noisy infostealer dumps into precise attack payloads.

Jules Firewall

A few years ago, if you wanted to hack someone’s online accounts, you needed to dig through mountains of leaked credentials—thousands, sometimes millions of username and password combos buried in dark web dumps. You’d spend hours—days, if you were unlucky—filtering through the garbage to find just a few dozen working pairs for your target. It was tedious, inefficient, and wildly hit-or-miss.

That’s all changed.

Today, you don’t need to sift through gigabytes of raw data yourself. You just fire off a search request—maybe $20, maybe $150—and walk away while someone else does the heavy lifting for you. Attackers can ask: “Show me all employee logins from Acme Corp’s VPN portal” or “Give me banking credentials from customers in Berlin last week”, and, within minutes, they’ll get exactly what they need.

This isn’t speculative fantasy. It’s the rise of “Search Your Target”, an underground service economy that has quietly transformed credential theft from a painstaking, artisanal craft into a standardized, on-demand operation. And if you’re still relying on the old-school idea that attackers need to manually parse every stolen dump, you’re already behind.

What follows is what we learned from analyzing nearly five hundred underground forum posts between January 2025 and June 2026—advertisements, buyer reviews, disputes, pricing logs, and even customer complaints. This isn’t just theory; it’s how threat actors operate today.

And yes, a lot of this sounds like sci-fi gone wrong. But the data doesn’t lie.

The Day Cybercrime Got an Upgrade

How the Underground Market Works

Think of it like this: instead of buying a library, you’re now hiring the librarian to find exactly one book for you—and they’ll do it in under ten minutes.

In practice, the “Search Your Target” pipeline looks something like this:

  1. Infostealers hit the ground: Malicious software infects devices and harvests credentials, cookies, autofill data, and other browser artifacts.
  2. Logs get pooled: The stolen credentials don’t vanish into the ether; they’re aggregated into massive databases—some stored in private clouds, others in ULP (ultra-large public) collections or exchange-based marketplaces.
  3. Threat actors act as middlemen: These are the “search-service” operators—sometimes Malware-as-a-Service (MaaS) providers themselves, sometimes just savvy data processors. They don’t always create the dumps; they just offer search and delivery.
  4. Buyers specify: A request might look like “all Gmail logins from a UK domain”, “Shopify admin panel access with 2FA bypass attempts”, or even “banking credentials matching these five city zip codes”.
  5. Targeted data is delivered: The seller runs the query, extracts matching rows, formats them into your preferred layout (URL:LOGIN:PASS is common), and ships it back.

The key point here is that sellers are rarely the first link in the chain—nor the final one. They’re processing. Think of them as data janitors who’ve gotten really good at sorting through mountains of stolen loot to pull out just the pieces you care about.

Flare’s analysis covered over 470 forum posts, everything from ads to buyer complaints. The sheer volume of activity confirmed how deeply entrenched this model has become. And it’s not niche either; the sellers actively court buyers by emphasizing database size, search speed, daily updates, and formatting precision.


Database Sizes: From Hundreds of Millions to Billions

It’s worth pausing here on scale, because that’s where the real danger lies.

One seller advertised an “ULP 5kkk+ lines” database—roughly five billion records—with quick access in under fifteen minutes and daily refreshes. Another pushed a “10kkk+ line, 1TB+ URL:LOG” database, meaning they claimed access to data on par with some national telecoms’ subscriber lists.

These aren’t just random numbers. When you factor in the average “combo list” size and deduplication rates seen across past breaches, a single billion-record database, even at 50% duplication, still yields hundreds of millions of usable entries. Multiply that across dozens of sellers and hundreds of daily queries, and you’ve got a system optimized for scale, not precision.

What makes this especially worrying is how mature the technical packaging has become. Sellers no longer just trade raw dumps; they’ve essentially turned credential harvesting into an API-driven service, complete with search endpoints, format preferences, and tiered access options.

That said, size alone doesn’t guarantee quality—and that brings us to the next section.

The Search-and-Deliver Business Model

The core proposition is simple: for a fixed fee plus optional result-based surcharges, sellers deliver only the records you ask for.

Basic requests start as low as $20, with some sellers adding performance-based fees depending on the number of valid credentials returned. A “premium” query—say, search for all enterprise SaaS logins with admin roles in the finance sector—can easily hit $150 or more.

Here’s how it looks on the ground:

  • Search interface: Buyers submit their criteria (domain, URL, geo, date range, account type).
  • Extraction pipeline: Sellers use their indexing infrastructure to pull only matching rows.
  • Formatting layer: Output is delivered in standard formats like URL:LOGIN, MAIL:PASS, LOGIN:PHONE, or custom combinations.

What separates the top-tier sellers from the rest is how they advertise their extras: deduplication, freshness (daily updates), geo-tagging, password-pattern matching by region, and even password enrichment services.

One seller’s marketing copy was blunt: “You get only the data you asked for, no combo lists, no fluff. If your request is for Tokyo-based Amazon logins, we’ll give you Tokyo Amazon logins—or money back.”

The truth is messier, but the pitch is precise. And precision sells.

Credential Enrichment: The Final Step Before Attack

The real power of the “Search Your Target” model becomes obvious once you see how attackers layer enrichment on top.

Here’s the thing: most breaches aren’t clean. A password dump might lack logins, or a login list might be missing domains. That’s where enrichment comes in.

Sellers advertise advanced “data combining” services:

  • Email-to-login matching: If you have a list of emails but no logins, they’ll cross-reference their separate collections to produce full credentials.
  • Geographic enrichment: Add city-level filters or country codes to refine results further.
  • Domain targeting: Pull only records matching your exact internal domain, not the generic @company.com patterns.

One seller even offered a three-step pipeline: (1) extract logins by URL, (2) match with separate password logs, and (3) return deduplicated results in the format you prefer.

This is where the model bleeds into Initial Access Broker (IAB) territory. If your search returns employee VPN logins or admin panel credentials, you’re no longer buying search—you’re buying direct access.

That distinction matters because IABs charge a premium for validated access with MFA bypass. “Search Your Target” sellers, at the time of our research, were less concerned with validation than volume. But the overlap is real—and growing.

The Gap Between Ads and Reality

Here’s the uncomfortable truth: many buyers who purchased these services were disappointed.

Customer reviews in our dataset revealed a consistent pattern:

  • Credentials often didn’t work.
  • Sellers openly admitted they didn’t verify credentials before delivery.
  • Massive duplication rates: one buyer reported only ~200 unique records out of 3,000.
  • Data frequently overlapped with freely available combo lists—sellers weren’t above repackaging the same open-source dumps as “exclusive” offerings.

This doesn’t mean the threat is overblown. On the contrary, when a search does work—and it sometimes does—it becomes devastatingly effective. A single valid admin credential, pulled from billions, is all it takes to pivot into a corporate network.

Think of it like fishing with sonar instead of casting blindly: the yield is still low per attempt, but the precision compensates for it. And that’s where defenders start to feel the pressure.

Defensive Implications: Monitoring the Deep Web Yourself

Defenders can’t stop this underground market—but they can monitor when their own systems show up in it.

Here’s what works:

  • Credential exposure monitoring: Watch deep/dark web sources for employee credentials, corporate domains, and login portals.
  • SaaS and admin panel tracking: Look for mentions of your internal SaaS tools, VPN endpoints, or admin interfaces in database advertisements.
  • Credential mass-leak correlation: If your employee emails start appearing in “targeted search” ads, that’s a red flag worth investigating immediately.

Once you spot a leak, the response playbook looks like this:

  1. Password resets: For affected users or targeted departments.
  2. Session revocation: Force re-authentication across sessions, especially for admin accounts.
  3. MFA enforcement: If it wasn’t already mandatory, this is the moment.
  4. Investigation: Trace how the leak occurred—browser credential theft, phishing, or another vector—and harden that surface.
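The exposure feeds that defenders subscribe to hand back data in the same URL:LOGIN:PASS layout the sellers use, with the same duplication problem buyers complain about. The following Python script is an added example, not Flare's code or tooling: it assumes you already hold such an export from your monitoring provider and know your own domains, and it turns the export into the first two playbook steps, a deduplicated, prioritised reset and session-revocation queue. The sample export, the `example.com` domains and the `HIGH_RISK_PREFIXES` list are constructed assumptions.

```python
"""
Triage of a leaked-credential export against your own domains.

Added example, not Flare's code. Assumes an export in URL:LOGIN:PASS
layout from a credential-exposure feed and a known set of corporate
domains. All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# A naive line.split(":") is wrong for this layout: the URL contains ":" after
# the scheme (and maybe a port), and passwords may contain ":" too. The regex
# anchors the URL on its scheme and lets the password absorb the remainder.
ULP_RE = re.compile(
    r"^(?P<url>[A-Za-z][A-Za-z0-9+.\-]*://[^/:\s]+(?::\d+)?[^:\s]*)"
    r":(?P<login>[^:\s]+)"
    r":(?P<password>.+)$"
)

# Hostname prefixes for remote-access or admin surfaces (assumed list);
# a leaked login there goes to the front of the reset queue.
HIGH_RISK_PREFIXES = ("vpn.", "admin.", "sso.", "remote.")

# Constructed sample export: exact duplicates, one out-of-scope record,
# a password containing colons, an unparsable line and a mobile-app URL.
SAMPLE_EXPORT = """\
https://vpn.example.com/login:alice@example.com:Winter2024!
https://vpn.example.com/login:alice@example.com:Winter2024!
https://admin.example.com/panel:bob:hunter2
https://shop.example.com/account:carol@example.com:carol123
http://mail.other.org/:dave@other.org:pass:with:colons
https://vpn.example.com/login:alice@example.com:Winter2024!
garbage line without enough fields
android://com.example.app/:erin@example.com:pw
"""


@dataclass(frozen=True)
class Record:
    url: str
    login: str
    password: str

    @property
    def host(self) -> str:
        return (urlsplit(self.url).hostname or "").lower()


def parse_ulp_line(line: str) -> Optional[Record]:
    """Parse one URL:LOGIN:PASS line; None for lines that do not fit."""
    m = ULP_RE.match(line.strip())
    return Record(m["url"], m["login"], m["password"]) if m else None


def in_scope(rec: Record, domains: set) -> bool:
    """True if the login's mail domain or the URL host belongs to us."""
    login_domain = rec.login.rpartition("@")[2].lower() if "@" in rec.login else ""
    return any(
        login_domain == d or rec.host == d or rec.host.endswith("." + d)
        for d in domains
    )


def priority(rec: Record) -> str:
    """Admin and remote-access surfaces are reset and revoked first."""
    if rec.host.startswith(HIGH_RISK_PREFIXES) or "admin" in urlsplit(rec.url).path.lower():
        return "high"
    return "normal"


def triage(export_text: str, domains: set) -> dict:
    """Dedupe the export, keep our records, build a prioritised reset queue."""
    lines = [ln for ln in export_text.splitlines() if ln.strip()]
    parsed = [r for r in map(parse_ulp_line, lines) if r is not None]
    unique = set(parsed)  # drops exact duplicate rows (the "~200 of 3,000" problem)
    ours = [r for r in unique if in_scope(r, domains)]
    queue = {}  # one entry per (host, login); highest priority wins
    for r in ours:
        key = (r.host, r.login)
        p = priority(r)
        if key not in queue or (p == "high" and queue[key] == "normal"):
            queue[key] = p
    order = {"high": 0, "normal": 1}
    reset_queue = sorted(
        ((p, h, lg) for (h, lg), p in queue.items()),
        key=lambda t: (order[t[0]], t[1], t[2]),
    )
    return {
        "lines": len(lines),
        "parsed": len(parsed),
        "unique_records": len(unique),
        "duplicates": len(parsed) - len(unique),
        "in_scope": len(ours),
        "reset_queue": reset_queue,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT, {"example.com"})
    for k, v in report.items():
        print(k, v)
```

Two design points matter in practice. First, scope is decided by either side of the record: a corporate mailbox used on a third-party site (the `android://` row) is still one of your users with a possibly reused password, so it belongs in the queue even though the host is not yours. Second, the queue is keyed by account, not by row, so an employee who appears in fifty duplicate rows gets one reset ticket, with the admin and VPN surfaces sorted to the top so session revocation starts where a single valid credential does the most damage.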

The key insight: you don’t need to prevent all credentials from leaking. You just need to detect the leaks fast enough that attackers can’t turn them into access before you do.

Final Thoughts: It’s Not a Question of If, but When

“Search Your Target” isn’t a fringe experiment. It’s the logical endpoint of credential theft: automation, specialization, and on-demand delivery.

The fact that attackers can now outsource the grunt work of sorting through billions of stolen logs means faster, cheaper, and more targeted attacks. And unlike earlier years—where you had to be tech-savvy just to browse the dark web—you only need $20 and a Telegram account to start.

For defenders, the takeaway is simple but critical: assume your employees’ credentials will show up in these services at some point. The job isn’t to prevent leaks entirely—that’s unrealistic—but to reduce the dwell time between exposure and detection.

That means investing in monitoring, not just prevention; in rapid response, not just perimeter defense. It’s a shift in mindset, but one we’re already seeing reflected in how advanced threat actors operate today.

The hunt for credentials is over. What matters now is who finds your data first—the attackers, or you.
