MITRE ATT&CK T1110.004 Credential Stuffing - Brute Force Sub-Technique

CREDENTIAL STUFFING - Turning Every Data Breach Into a Skeleton Key for Every Other Site

Credential stuffing exploits humanity's most dangerous security habit: password reuse. Attackers acquire billions of username/password pairs from prior data breaches, then automate login attempts across hundreds of sites simultaneously - turning one breach into unlimited account compromises.

193 BILLION CREDENTIAL STUFFING ATTACKS RECORDED IN 2023

Credentials Available: 26B+ - "Mother of All Breaches": 26 billion records from prior breaches compiled into a single dataset in 2024
Password Reuse Rate: 65% - of people reuse passwords across multiple sites, the fundamental enabler of credential stuffing at scale
Typical Success Rate: 0.5–2% - even at 0.5% success, 1 million stuffed credentials yields 5,000 compromised accounts in a single campaign
Cost Per 1k Attempts: $0.80 - using residential proxy networks, attackers can run credential stuffing at industrial scale for under $1 per 1,000 attempts
01

Live Attack Console

Credential Combo List Feed - live simulation of the attacker's input: breached username:password pairs streaming into the stuffing engine from compiled breach databases.
Proxy Rotation Pool - each attempt uses a different residential IP, defeating rate-limit and IP-block defenses.
  Requests / Second: 847 req/s
  Active Proxy Threads: 512 threads
  Detection Evasion Score: HIGH
CURRENT TARGET: streaming-app.com - POST /api/auth/login, 512 concurrent threads
02

The Breach-to-Takeover Pipeline

Five-stage automated pipeline - from initial breach to mass account compromise
STAGE 01 💥 Breach Acquisition
Buy or download compiled breach databases from dark web markets. Major breaches: LinkedIn (700M), RockYou2024 (10B), Collection #1-5 (2.2B).
26B+ records
STAGE 02 🗂️ Combo List Build
Deduplicate, normalize and format as user:pass pairs. Filter by target-relevant domains (e.g., only Gmail accounts for a Google service attack).
~500M pairs
STAGE 03 🔄 Proxy + Bot Config
Configure stuffing tool (Sentry MBA, SNIPR, OpenBullet) with target site config. Load residential proxy pool. Set rate limits to mimic human traffic.
10k–500k proxies
STAGE 04 🤖 Automated Stuffing
Tool submits credentials in parallel across hundreds of threads. Rotates proxies, user-agents, headers. Handles CAPTCHA via solving services. Logs hits.
847 req/sec
STAGE 05 💰 Account Monetize
Valid credentials sold on dark web markets, used for fraud (streaming, banking), further phishing from trusted accounts, or stored for later exfiltration.
$5–$200/account
03

Tools & Evasion Techniques

🛠️ OpenBullet / SilverBullet - Open-source credential stuffing framework
Highly configurable stuffing tools with site-specific "configs" (scripts) shared by the attacker community. Supports proxy rotation, CAPTCHA solving API integration, multi-threading, and custom result parsing. New configs for major sites published within hours of a new target being identified.
🌐 Residential Proxy Networks - IP reputation bypass via legitimate home IPs
Attackers rent access to millions of residential IP addresses (often unknowing botnet participants). Each login attempt appears to originate from a different household broadband connection - indistinguishable from legitimate traffic. Defeats IP-based rate limiting entirely.
🤖 CAPTCHA Bypass Services - 2captcha, Anti-Captcha, human solving farms
$0.50–$2 per 1,000 CAPTCHAs solved via automated ML models or human solving farms in low-wage countries. Audio CAPTCHAs solved by speech-to-text APIs. reCAPTCHA v3 scored by realistic browser fingerprinting. No CAPTCHA is a reliable long-term defense.
🎭 Browser Fingerprint Spoofing - Headless browser automation: Puppeteer, Playwright
Headless Chrome instances with spoofed fingerprints (canvas hash, WebGL, screen resolution, timezone, installed fonts) mimic legitimate browser profiles. Bypasses device fingerprinting defenses. Each session uses a fresh, unique, pre-warmed fingerprint profile.
⏱️ Low-and-Slow Timing - Rate limit evasion via distributed pacing
Instead of high-volume bursts that trigger rate limiters, sophisticated attacks distribute attempts across thousands of IPs at human-plausible intervals (1–5 requests per IP per hour). A 10,000-proxy pool sending 1 req/hour each generates 10,000 attempts/hour - invisible to per-IP controls.
🗃️ Combo List Optimization - Target-specific credential filtering
Before running a campaign, attackers filter the combo list for accounts likely to exist on the target site - by email domain, registration date, previously verified accounts from other stuffing runs, or accounts cross-referenced against known user lists from LinkedIn scrapes.
04

Attack Flow Diagram

Attack flow (diagram rendered as text):
  ① SOURCE    💥 BREACH DB - 26B records (LinkedIn, RY24..)
  ② COMPILE   🗂️ COMBO LIST - user:pass pairs, de-duped, sorted
  ③ LOAD / ATTACK  🤖 STUFFING BOT - OpenBullet / SNIPR, 512 threads, proxy rotation, CAPTCHA bypass, browser spoof
               PROXY POOL - 50k residential IPs
               Targets: 🏦 BANK SITE (POST /api/login), 🎬 STREAMING (POST /signin), 🛒 E-COMMERCE (POST /account/login)
               Responses: 401 FAIL / 200 HIT! / 403 FAIL
  ④ RESULTS   HITS
  ⑤ CASH OUT  💰 MONETIZE - dark web, ATO fraud
  1M credentials → ~5,000–20,000 valid accounts in a single campaign
05

Step-by-Step Walkthrough

Phase 01 - Breach Data Acquisition

SOURCING THE COMBO LIST

💥 DATA SOURCE: Dark Web Markets + Telegram Channels + Public Pastes

The raw material for credential stuffing is stolen from prior data breaches - not from the target site. Attackers purchase compiled breach databases on dark web markets for as little as $10, or freely download them from Telegram channels and public paste sites. The quality varies: older breaches have higher reuse potential, newer ones have fresher accounts.

  • Dark web markets (Genesis, RussianMarket) sell breach databases by source, date, and record count
  • Free sources: RaidForums archives, public paste bins, Telegram combolists channels with millions of subscribers
  • HIBP tracks 14+ billion pwned accounts - attackers use the same data the service indexes
  • Freshness matters: a breach from last month has 70–80% active accounts vs. a 5-year-old breach at 20–30%
  • Premium stealer logs from infostealer malware contain credentials plus cookies - highest value
darkweb market listing - breach purchase
╔══════════════════════════════════════════╗
║ RussianMarket - Breach Listings          ║
╠══════════════════════════════════════════╣
║ [HOT] Streaming-App.com - 8.4M records   ║
║ Date: Oct 2024      Price: $45 BTC       ║
║ [NEW] SocialNetwork - 310M email:sha1    ║
║ Date: Jan 2025      Price: $120 BTC      ║
║ [FREE] Combo-All-2024 - 890M user:pass   ║
║ Date: Dec 2024      Price: FREE          ║
╚══════════════════════════════════════════╝

# Purchase Combo-All-2024 + Streaming breach
[+] Download: combo_all_2024.txt (47GB)
[+] Download: streaming_app_oct24.txt (820MB)
Phase 02 - Combo List Preparation

BUILDING THE WEAPON

🗂️ OUTPUT: Target-filtered user:pass pairs - ready to stuff

Raw breach dumps are messy - multiple formats, duplicates, cracked hashes mixed with plaintext, and irrelevant domains. Before attacking a streaming site, the attacker cleans and filters the data: extract only email:password pairs, deduplicate, remove known-invalid entries, and optionally filter to accounts likely to exist on the target platform.

  • Parse multiple formats: email:pass, user:hash:pass, email;pass
  • Deduplicate: 890M raw pairs → ~500M unique after removing duplicates
  • Domain filter: keep only gmail.com, yahoo.com, hotmail.com (streaming sites use consumer email)
  • Quality sort: prioritize pairs where the password is complex (likely real, not test data)
  • Cross-reference: check against previous campaigns' successes - known-valid accounts tried first
python - combo list processing
# Parse, dedupe and filter breach data
$ python3 combobuilder.py
--input combo_all_2024.txt
--filter-domains gmail,yahoo,hotmail
--min-pass-len 8
--dedupe
--output streaming_targets.txt
 
[*] Parsed 890,421,007 raw entries
[*] After dedup: 514,882,311 unique pairs
[*] Domain filter: 312,447,019 consumer email
[*] Quality sort: done (complex passwords first)
[+] Output: streaming_targets.txt
[+] 312,447,019 pairs ready to stuff
Phase 03 - Tool & Infrastructure Setup

CONFIGURING THE STUFFING BOT

⚙️ TOOLCHAIN: OpenBullet2 + Proxidize + 2Captcha

Modern stuffing tools like OpenBullet2 use "configs" - site-specific scripts that define the exact HTTP requests, response parsing logic, and success/failure detection rules for each target. Configs are bought, sold, and shared in dedicated underground communities within hours of new targets being scoped. Setup takes under an hour.

  • Download OpenBullet2 config for streaming-app.com - defines POST endpoint, headers, cookie handling
  • Load residential proxy list - 50,000 IPs from Proxidize or Bright Data (paid residential proxy service)
  • Configure CAPTCHA API key (2captcha.com) - automatic solving for $0.50/1000
  • Set thread count: 512 concurrent threads across proxy pool
  • Configure success/failure detection: HTTP 200 + Welcome back = hit; HTTP 401 = fail; rate limit = rotate proxy
OpenBullet2 - site config (streaming-app.com)
# Block: HTTP Request - Login
REQUEST POST https://streaming-app.com/api/auth/login
HEADER Content-Type: application/json
HEADER User-Agent: <USERAGENT>
HEADER X-Request-ID: <GUID>
BODY {"email":"<USER>","password":"<PASS>"}
 
# Block: Response Check
KEYCHECK SUCCESS → "access_token" IN RESPONSE
KEYCHECK FAILURE → "invalid_credentials" IN RESPONSE
KEYCHECK RETRY → "rate_limit" IN RESPONSE → ROTATE PROXY
 
# Proxy config: 50,000 residential IPs loaded
[+] Config validated. 512 threads. Ready.
Phase 04 - Campaign Execution

THE STUFFING RUN

🤖 RATE: 847 login attempts per second - 73M per day

With the tool configured and combo list loaded, the campaign runs autonomously. 512 concurrent threads each maintain their own session, proxy, and cookie state. Successful logins are instantly logged with the captured access token. The tool automatically handles retries, proxy rotation on rate limits, CAPTCHA solving, and session management - no manual intervention needed.

  • Each thread picks the next credential pair from the list and fires the login request
  • On 429 (rate limit) or IP block response, thread immediately rotates to the next proxy
  • On CAPTCHA challenge, the captcha image is sent to 2captcha API - solved in ~15 seconds
  • Successful logins logged: email, password, access token, subscription tier, payment method present
  • At 0.8% success rate: 73M attempts/day → 584,000 compromised accounts per day
OpenBullet2 - live campaign output
╔═══════════ CAMPAIGN RUNNING ══════════╗
║ Tested: 2,841,047   │ CPM: 50,820     ║
║ Hits: 22,728        │ Rate: 0.80%     ║
║ Failed: 2,815,681   │ Proxies: 49.8k  ║
╚═══════════════════════════════════════╝

[HIT] user@gmail.com:Summer2019! → Premium
[FAIL] user2@yahoo.com:baseball123
[FAIL] user3@gmail.com:password1
[HIT] user4@gmail.com:K@thleen#7 → Premium+4K
[RATE] 185.220.x.x → rotating proxy
[FAIL] user5@yahoo.com:dragonball
[HIT] user6@gmail.com:P@ti4ever → Basic
Phase 05 - Hit Validation & Triage

VERIFYING THE COMPROMISED ACCOUNTS

✅ OUTPUT: Verified accounts sorted by value tier

Raw hits are automatically triaged by the stuffing tool: subscription tier, stored payment methods, profile data, and linked accounts are extracted from the authenticated session. High-value accounts (saved credit cards, premium subscriptions, high loyalty balances) are separated and sold at premium. The validated hit list is then packaged for sale or immediate use.

  • Tool parses authenticated API response: extracts subscription tier, payment method, profile name
  • Sorted into tiers: Premium (with stored card) > Premium (no card) > Basic > Trial
  • Cross-reference against banking, retail, email - same password tried on ~50 other platforms automatically
  • Accounts with stored credit cards flagged CRITICAL - worth $20–200 on dark web markets
  • Loyalty point accounts (airlines, hotels) tallied and bundled - sold for instant cash-out
hit sorter - account triage output
# Sorted hit file breakdown
$ python3 hit_sorter.py hits_streaming_20250312.txt
 
TIER-1 (stored credit card): 1,847 accounts
→ Value: $25–$200 each on dark market
TIER-2 (premium, no card): 14,203 accounts
→ Value: $2–$8 each (bulk resale)
TIER-3 (basic): 6,678 accounts
→ Value: $0.50–$1 each
 
# Cross-stuff same passwords to other sites
[*] Trying 22,728 creds on: gmail, amazon,
paypal, netflix, chase, airbnb...
[+] 2,104 additional hits from cross-stuffing
Phase 06 - Account Monetization

CASHING OUT

💰 REVENUE: $45,000–$280,000 from a single 24-hour campaign

Compromised accounts are monetized through multiple channels simultaneously. A single large-scale stuffing campaign generates revenue across dark web sales, direct fraud, and downstream attacks. The economics are compelling - $45 spent on breach data can yield tens of thousands of dollars in a single run with minimal operational risk to the attacker.

  • Account resale: Bulk upload to Genesis Market, Russianmarket - streaming accounts sell in minutes
  • Credit card fraud: Stored payment methods used for purchases before victim notices
  • Subscription resale: Premium streaming credentials sold on Telegram at $2–5 each
  • BEC / phishing pivot: Compromised email accounts used to send trusted phishing to victim's contacts
  • Loyalty fraud: Airlines, hotel, and retail points liquidated via specialized redemption services
campaign economics - 24hr run summary
╔═══════════ CAMPAIGN P&L ════════════╗
║ COSTS                               ║
║ Breach data:                $45 BTC ║
║ Proxy (24hr):                  $120 ║
║ CAPTCHA solving:                $35 ║
║ VPS (automation):               $15 ║
║ TOTAL COST:                   ~$215 ║
╠═════════════════════════════════════╣
║ REVENUE                             ║
║ Tier-1 (card) x1847:        $46,175 ║
║ Tier-2 bulk x14203:         $28,406 ║
║ Credit card fraud:          $12,400 ║
║ TOTAL REVENUE:             ~$87,000 ║
║ NET PROFIT:         ~$86,785 (403x) ║
╚═════════════════════════════════════╝
Phase 07 - Detection & Response

SPOTTING THE ATTACK

🔍 KEY SIGNAL: Login failure spike + distributed source IPs + impossible travel

Credential stuffing leaves a distinct signature in authentication logs - a sharp spike in failed login attempts, often from thousands of unique IP addresses, targeting valid accounts with incorrect passwords. The challenge: at 847 req/sec spread across 50,000 proxy IPs, each individual IP looks like a single user making a single login attempt. Behavioral analytics across the full population is required.

  • Authentication failure rate spikes from baseline 1–2% to 40–80% across all login attempts
  • Login attempts from thousands of unique ASNs (residential proxies) within a short window
  • User-Agent strings rotate unnaturally - same account tried with 10+ different browsers within seconds
  • Impossible travel: account login from New York, then Tokyo 3 minutes later - same session
  • High login volume against non-existent accounts (attacker's combo list includes old/deleted accounts)
SIEM detection - stuffing signature
Splunk search - detect credential stuffing spike:
index=auth_logs action=login
| bucket _time span=5m
| stats count as total,
        count(eval(result="fail")) as fails,
        dc(src_ip) as unique_ips by _time
| eval fail_rate = round(fails/total*100,1)
| where fail_rate > 40 AND unique_ips > 500

14:00 │ total: 51,240 │ fail_rate: 78.3% │ unique_ips: 4,847
↑ CREDENTIAL STUFFING ATTACK DETECTED
↑ 40,120 failed logins in 5 minutes
[!] Auto-response: CAPTCHA enforced globally
[!] WAF rule: block known proxy ASNs
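The Splunk search above needs a SIEM behind it. The following stand-alone script, an added example that is not code from the original page, applies the same population-level logic (5-minute buckets, failure rate, distinct source IPs) to an exported authentication log so the detection can be tested offline. The line format `timestamp src_ip result`, the field names and the constructed sample log are assumptions.

```python
"""Population-level credential-stuffing detector for authentication logs.

Added example (not code from the original page): it reproduces the SIEM
search logic shown on the page - 5-minute buckets, failure rate, distinct
source IPs - as a stand-alone script you can run over an exported log.
The line format 'ISO-8601-timestamp src_ip result' is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 300         # 5-minute bucket, as in the SPL query
FAIL_RATE_THRESHOLD = 40.0   # percent of attempts in the window that failed
UNIQUE_IP_THRESHOLD = 500    # distinct source IPs in the window


def parse_line(line):
    """'2025-03-12T14:00:07Z 100.64.0.1 fail' -> (epoch_seconds, ip, result)."""
    ts, ip, result = line.split()
    epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
    return int(epoch), ip, result


def bucket_stats(lines):
    """Per-window aggregates: total, fails, fail_rate (percent), unique_ips."""
    buckets = defaultdict(lambda: {"total": 0, "fails": 0, "ips": set()})
    for line in lines:
        epoch, ip, result = parse_line(line)
        b = buckets[epoch - epoch % WINDOW_SECONDS]   # window start
        b["total"] += 1
        b["fails"] += result == "fail"
        b["ips"].add(ip)
    stats = {}
    for start in sorted(buckets):
        b = buckets[start]
        stats[start] = {
            "total": b["total"],
            "fails": b["fails"],
            "fail_rate": round(100.0 * b["fails"] / b["total"], 1),
            "unique_ips": len(b["ips"]),
        }
    return stats


def detect_stuffing(lines, fail_rate=FAIL_RATE_THRESHOLD,
                    unique_ips=UNIQUE_IP_THRESHOLD):
    """Window start times (epoch) where both thresholds are exceeded."""
    return [start for start, s in bucket_stats(lines).items()
            if s["fail_rate"] > fail_rate and s["unique_ips"] > unique_ips]


def sample_log():
    """Constructed sample: a quiet 13:55 window, then an attack window at 14:00."""
    lines = []
    # Quiet traffic: 100 logins from 40 repeat addresses, 3 mistyped passwords.
    for i in range(100):
        result = "fail" if i < 3 else "success"
        lines.append(f"2025-03-12T13:55:{i % 60:02d}Z 203.0.113.{i % 40} {result}")
    # Stuffing run: 600 attempts, every one from a different proxy IP, 80% failing.
    for i in range(600):
        result = "fail" if i < 480 else "success"
        lines.append(f"2025-03-12T14:0{i % 5}:{i % 60:02d}Z "
                     f"100.64.{i // 256}.{i % 256} {result}")
    return lines


if __name__ == "__main__":
    log = sample_log()
    flagged = detect_stuffing(log)
    for start, s in bucket_stats(log).items():
        mark = "  <- STUFFING" if start in flagged else ""
        print(datetime.fromtimestamp(start, timezone.utc).strftime("%H:%M"),
              f"total={s['total']} fail_rate={s['fail_rate']}% "
              f"unique_ips={s['unique_ips']}{mark}")
```

The quiet window has a 3% failure rate from 40 addresses and passes; the attack window trips both thresholds at once, which is the point of combining them: a failure spike alone also happens after a password-policy change, and a burst of new IPs alone happens during a marketing campaign.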
06

Target Site Risk & Success Rate Analysis

Credential stuffing success rates vary significantly by site category - driven by MFA adoption and bot protection maturity
Site Category           | MFA Adoption             | Bot Protection         | Stuffing Success Rate | Attack Volume     | Attacker Priority
------------------------|--------------------------|------------------------|-----------------------|-------------------|-----------------------------
Online Banking          | High (70%+ mandated)     | Advanced (behavioral)  | 0.1–0.3%              | HIGH - automated  | CRITICAL - high payout
Streaming Services      | Low (optional)           | Moderate (rate limits) | 0.5–1.5%              | VERY HIGH         | HIGH - volume resale
E-Commerce / Retail     | Very Low (optional)      | Basic (CAPTCHA only)   | 1–3%                  | VERY HIGH         | CRITICAL - saved cards
Corporate SaaS / Email  | Moderate (conditional)   | Good (Azure AD / Okta) | 0.2–0.8%              | HIGH              | CRITICAL - BEC pivot
Airline / Hotel Loyalty | Low (optional)           | Weak                   | 1–4%                  | HIGH              | HIGH - points fraud
Gaming Platforms        | Low–Moderate             | Basic                  | 1–5%                  | VERY HIGH         | MED - item/currency resale
Healthcare / Insurance  | Growing (HIPAA pressure) | Moderate               | 0.3–0.9%              | MEDIUM            | CRITICAL - PII value
07

Detection Signals & Bot Indicators

[CRITICAL] Auth Failure Rate Spike
Login failure rate jumps from baseline 2–5% to 40–80%+ within minutes. The single clearest signal of credential stuffing - attackers are testing stolen passwords that are mostly wrong for any given account. Alert threshold: failure rate >15% sustained over 5 minutes.
ALERT: fail_rate > 40% for 5m
ALERT: fail_count > 10k/5min
[CRITICAL] Distributed Source IP Anomaly
Thousands of unique IP addresses all targeting the login endpoint within a short window. Each IP appears to make only 1–3 attempts - invisible individually, unmistakable in aggregate. Correlate: 4,000+ unique IPs hitting /login in 5 minutes is not organic traffic.
ALERT: dc(src_ip) > 1000 on /login within 5min window
[HIGH] User-Agent Cycling
A single account targeted by multiple login attempts using rapidly rotating User-Agent strings. Legitimate users have a consistent browser. Bots rotate through pre-generated UA strings to evade fingerprinting. Same email + 8 different UAs in 60 seconds = bot.
ALERT: dc(user_agent) > 3 for same email within 60s
[HIGH] Non-Existent Account Targeting
Combo lists contain many email addresses that never registered on the target site. A spike in "account not found" (HTTP 404 on login) responses indicates a bot working through an external credential list rather than targeting known accounts - a strong stuffing indicator.
ALERT: account_not_found rate > 20% of all login attempts
[MEDIUM] Impossible Travel / Geography
Successful logins from geographically impossible locations: account logging in from London, then Mumbai 90 seconds later. Residential proxies span the globe - an account being tested from different continents minutes apart is a strong account takeover indicator requiring immediate re-auth.
ALERT: distance/time > 500mph between sessions
[MEDIUM] Residential Proxy ASN Clustering
Known residential proxy providers (Luminati/Bright Data, Oxylabs, Smartproxy) have identifiable ASNs that appear in Threat Intelligence feeds. A disproportionate share of login traffic from proxy-associated ASNs warrants elevated scrutiny and CAPTCHA enforcement even at low volumes.
TI Feed: block/challenge known proxy ASN ranges
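The per-account signals in the list above (User-Agent cycling, non-existent-account targeting, impossible travel) as working checks, using the thresholds the page states. This is an added example, not code from the original page; the event records are constructed, and the `status` values (`success`, `fail`, `not_found`) and the `lat`/`lon` fields (source IP already geolocated by an upstream step) are assumptions.

```python
"""Per-account credential-stuffing signals from the page's indicator list:
User-Agent cycling, non-existent-account targeting and impossible travel.

Added example, not code from the original page. Events are constructed
dicts; `status` values ('success', 'fail', 'not_found') and the lat/lon
fields (source IP already geolocated upstream) are assumptions.
"""
import math
from collections import defaultdict

UA_WINDOW_S = 60            # "same email + N different UAs in 60 seconds"
UA_THRESHOLD = 3            # ALERT: dc(user_agent) > 3
NOT_FOUND_THRESHOLD = 0.20  # ALERT: account_not_found rate > 20%
MAX_MPH = 500.0             # ALERT: distance/time > 500 mph


def ua_cycling_accounts(events):
    """Emails tried with more than UA_THRESHOLD distinct UAs in any 60 s window."""
    by_email = defaultdict(list)
    for e in events:
        by_email[e["email"]].append((e["ts"], e["ua"]))
    flagged = set()
    for email, attempts in by_email.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            uas = {ua for t, ua in attempts[i:] if t - t0 <= UA_WINDOW_S}
            if len(uas) > UA_THRESHOLD:
                flagged.add(email)
                break
    return flagged


def not_found_rate(events):
    """Share of attempts aimed at accounts that never registered."""
    if not events:
        return 0.0
    return sum(e["status"] == "not_found" for e in events) / len(events)


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles."""
    r = 3958.8
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events):
    """(email, mph) for consecutive successful logins faster than MAX_MPH."""
    by_email = defaultdict(list)
    for e in events:
        if e["status"] == "success":
            by_email[e["email"]].append(e)
    hits = []
    for email, logins in by_email.items():
        logins.sort(key=lambda e: e["ts"])
        for a, b in zip(logins, logins[1:]):
            hours = max(b["ts"] - a["ts"], 1) / 3600.0   # avoid divide-by-zero
            mph = haversine_miles(a["lat"], a["lon"], b["lat"], b["lon"]) / hours
            if mph > MAX_MPH:
                hits.append((email, round(mph)))
    return hits


def sample_events():
    """Constructed events: ts (epoch seconds), email, ua, status, lat, lon."""
    ev = []
    uas = ["Chrome/120", "Firefox/121", "Safari/17", "Edge/120", "Opera/105"]
    # alice: five attempts in 40 s, five different browsers -> bot
    for i, ua in enumerate(uas):
        ev.append(dict(ts=1000 + 10 * i, email="alice@example.com", ua=ua,
                       status="fail", lat=40.7, lon=-74.0))
    # bob: three attempts, one consistent browser -> human mistyping
    for i in range(3):
        ev.append(dict(ts=1000 + 20 * i, email="bob@example.com", ua="Chrome/120",
                       status="fail", lat=40.7, lon=-74.0))
    # four attempts against addresses that never registered here
    for i in range(4):
        ev.append(dict(ts=1100 + i, email=f"ghost{i}@example.com", ua=uas[i],
                       status="not_found", lat=40.7, lon=-74.0))
    # carol: successful login from London, then Mumbai 90 seconds later
    ev.append(dict(ts=2000, email="carol@example.com", ua="Chrome/120",
                   status="success", lat=51.5074, lon=-0.1278))
    ev.append(dict(ts=2090, email="carol@example.com", ua="Chrome/120",
                   status="success", lat=19.0760, lon=72.8777))
    return ev


if __name__ == "__main__":
    ev = sample_events()
    print("UA cycling:", sorted(ua_cycling_accounts(ev)))
    rate = not_found_rate(ev)
    print(f"not-found rate: {100 * rate:.1f}% (alert: {rate > NOT_FOUND_THRESHOLD})")
    print("impossible travel:", impossible_travel(ev))
```

Only the internal log needs to distinguish `not_found` from `fail`: the HTTP response sent to the client should be the same generic error for both, otherwise the login endpoint doubles as an account-enumeration oracle for the same combo lists.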
08

Defensive Countermeasures

🔑 Phishing-Resistant MFA
Even a perfectly valid stolen credential pair is useless if MFA is required. TOTP (authenticator app) stops stuffing. FIDO2/passkeys are better - they're cryptographically bound to the legitimate domain and cannot be replayed. Eliminating passwords entirely with passkeys makes credential stuffing structurally impossible.
Passkeys: zero credential to steal
TOTP: blocks 99.9% of stuffing
🛑 Breached Password Detection
Integrate with HaveIBeenPwned's Pwned Passwords API (k-anonymity model - no privacy risk) or Enzoic to check every password at registration and login against billions of known-breached credentials. Block or force-reset any password that appears in breach databases.
HIBP API: k-anon SHA1 prefix
Block if count > 0 in breach DB
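The k-anonymity lookup described above, as an added example that is not the page's or HIBP's own code: only the first five hex characters of the password's SHA-1 hash are sent, and the 35-character remainder is matched locally against the returned suffix list. The `Add-Padding` request header is a real Pwned Passwords option (it pads the response with dummy zero-count entries); `CONSTRUCTED_RANGE_5BAA6` is a made-up range body used to exercise the parser without network access, and its counts are invented.

```python
"""Breached-password check against the Pwned Passwords range API using the
k-anonymity model described on the page.

Added example, not the page's or HIBP's own code. Only the first five hex
characters of the SHA-1 hash leave the server; the remaining 35 are matched
locally against the returned list. The live lookup needs network access;
CONSTRUCTED_RANGE_5BAA6 is a made-up range body used to exercise the parser.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix 5BAA6 (counts are invented).
CONSTRUCTED_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2E4A7B9C0D1E2F3A4B5C6D7E8F9A0B1C2:0
"""


def sha1_prefix_suffix(password):
    """Uppercase SHA-1 hex digest split into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body, suffix):
    """Breach count for `suffix` in a 'SUFFIX:COUNT' range body, 0 if absent."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Real HTTPS lookup. Add-Padding asks HIBP to pad the response with
    dummy zero-count entries so the response size does not leak the prefix."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """How often the password appears in the corpus; `fetch` is injectable for tests."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


def accept_password(password, fetch=fetch_range):
    """Registration / reset policy from the page: block if count > 0."""
    return pwned_count(password, fetch) == 0
```

Run the check at registration and password change before storing the hash, and at login after the password has verified (so a reused password that has since leaked triggers a forced reset); the plaintext never needs to be logged or sent anywhere for this to work.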
🤖 Advanced Bot Detection
Deploy behavioral bot management (Cloudflare Bot Management, Akamai Bot Manager, DataDome, Shape Security). These systems score every request based on 200+ signals: mouse movement patterns, keystroke dynamics, TLS fingerprint (JA3), HTTP/2 settings, timing consistency, and browser environment integrity.
⚡ Adaptive Rate Limiting
Rate limiting must be account-based, not just IP-based. A residential proxy stuffing attack presents thousands of unique IPs - IP rate limits are ineffective. Limit to 5–10 failed login attempts per account per hour across all IPs. Lock accounts temporarily after threshold.
Limit: 10 fails/account/hour
across ALL source IPs combined
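An account-keyed limiter implementing the rule above (failures counted per account regardless of source IP, temporary lock at the threshold). This is an added example, not code from the page; the 10-failures-per-hour threshold is the page's, while the 15-minute lock length, the in-memory store and the `attempt_login` wrapper are assumptions.

```python
"""Account-based failed-login limiter: counts failures per account across all
source IPs and locks the account temporarily once the threshold is hit.

Added example, not code from the page. The 10 fails/hour threshold is the
page's; the 15-minute lock length and the in-memory store are assumptions
(a real deployment keeps counters in a shared store such as Redis so every
login node sees the same count).
"""
import time
from collections import defaultdict, deque

MAX_FAILS = 10      # page: 10 fails/account/hour across ALL source IPs
WINDOW_S = 3600
LOCK_S = 900        # assumption: 15-minute temporary lock


class AccountFailLimiter:
    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for tests
        self.fails = defaultdict(deque)     # email -> recent failure timestamps
        self.locked_until = {}              # email -> epoch when the lock expires
        self.audit = []                     # (ts, email, src_ip) for the SOC

    def _prune(self, email, now):
        q = self.fails[email]
        while q and now - q[0] > WINDOW_S:
            q.popleft()

    def is_locked(self, email):
        return self.locked_until.get(email, 0) > self.clock()

    def record_failure(self, email, src_ip):
        """Count the failure no matter which IP sent it; lock at MAX_FAILS.
        src_ip is kept for the audit trail only, never for the count."""
        now = self.clock()
        self.audit.append((now, email, src_ip))
        self._prune(email, now)
        self.fails[email].append(now)
        if len(self.fails[email]) >= MAX_FAILS:
            self.locked_until[email] = now + LOCK_S

    def record_success(self, email):
        self.fails.pop(email, None)


def attempt_login(limiter, email, password_ok, src_ip):
    """Returns 'locked', 'ok' or 'fail' for logging; the HTTP response to the
    client should be the same generic error for 'locked' and 'fail'."""
    if limiter.is_locked(email):
        return "locked"
    if password_ok:
        limiter.record_success(email)
        return "ok"
    limiter.record_failure(email, src_ip)
    return "fail"
```

A hard lock lets anyone who knows a victim's email lock them out on purpose, so keep the lock short and, where the platform supports it, prefer a step-up challenge (CAPTCHA, MFA) over a hard lock once the threshold is crossed.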
🌑️ Login Anomaly Alerting
Monitor authentication failure rate, unique IP count per time window, ASN diversity, User-Agent cycling, and non-existent account targeting. When stuffing indicators exceed thresholds: auto-enforce CAPTCHA globally, block known proxy ASNs, alert SOC, and trigger emergency MFA enrollment.
🗝️ Password Manager Promotion
The root cause of credential stuffing is password reuse across sites. Actively promote and simplify password manager adoption for users. Display clear 'use a unique password' messaging at registration. Some organizations offer free password manager licenses to users.
📬 Proactive User Notification
When a login succeeds from a new device, IP, or geography - immediately email the account owner with a "Was this you?" alert and a one-click "Not me - secure my account" link. This converts post-breach detection from weeks to minutes and empowers users to self-remediate.
🧩 Device Fingerprinting & Trust
Build a device trust model: known devices get frictionless login; new or unrecognized devices require step-up authentication. Bots by definition are "new devices" on every request - a strong device trust system makes automated stuffing require step-up auth on every attempt.
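One way to implement the device-trust model above: an HMAC-signed, expiring device token issued after a completed step-up and presented as a cookie on later logins. This is an added example, not code from the page; `SERVER_KEY` is a constructed placeholder, the 30-day trust lifetime is an assumption, and `login_decision` is a hypothetical name for the policy hook.

```python
"""Device-trust decision: an HMAC-signed, expiring device token issued after
a completed step-up on that device; later logins presenting a valid token
skip step-up, anything else (no token, tampered, expired, wrong user) does not.

Added example, not code from the page. SERVER_KEY is a constructed
placeholder (in production: secret store, rotated) and the 30-day trust
lifetime is an assumption.
"""
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-placeholder-key-do-not-use"
TRUST_TTL_S = 30 * 24 * 3600   # assumption: trust a device for 30 days


def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_device_token(user_id, now=None):
    """Called once the user finished step-up (MFA) on this device; set as cookie."""
    now = int(time.time() if now is None else now)
    device_id = secrets.token_hex(16)              # random per device, not derivable
    payload = f"{user_id}|{device_id}|{now + TRUST_TTL_S}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_device_token(token, user_id, now=None):
    """True only for an untampered, unexpired token bound to this user."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):          # malformed or truncated token
        return False
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return False
    uid, _device_id, exp = payload.decode().split("|")
    return uid == str(user_id) and int(exp) > now


def login_decision(user_id, password_ok, device_token, now=None):
    """'deny' on a bad password; 'allow' on a trusted device; else 'step_up'.
    A stuffing bot never carries a valid token, so every password hit it
    scores is parked behind step-up authentication."""
    if not password_ok:
        return "deny"
    if device_token and verify_device_token(device_token, user_id, now):
        return "allow"
    return "step_up"
```

The token is bound to the user id, so a token harvested from one account cannot be replayed against another, and it carries no password-derived material; the step-up outcome, not the password, is what earns it.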
📊 Credential Exposure Monitoring
Subscribe to dark web monitoring services that alert when your organization's user credentials appear in breach compilations or underground markets. Proactively force password resets for exposed users before attackers can stuff them. SpyCloud, Digital Shadows, and Recorded Future offer enterprise-grade breach monitoring.