
Threat Actors Monetize Stolen Credentials with Searchable Underground Services


Flare researchers analyzed 470 underground forum posts published between January 2025 and June 2026 that advertise services to search stolen-credential collections and return only the rows that match a buyer's request.

The middle layer between infostealers and account takeover

The market described in those posts is not simply another dump of credentials. According to the reporting, it is a specialized processing layer sitting between infostealer infections, raw-log trading and account takeover activity. Infostealers harvest credentials, cookies, autofill data and browser artifacts; the logs are then aggregated into private clouds, ULP (URL:login:password) databases, public dumps or exchange collections; the “search-service” actors extract the rows that match a buyer’s brief; buyers validate and use those credentials for account takeover, fraud, spam, phishing, crypto theft or corporate intrusion.

In short, sellers in this dataset operate as credential brokers and data processors: they index, filter, deduplicate, format and deliver targeted results from very large stolen-credential collections rather than selling bulk combo lists wholesale.

How the “search your target” service works

Flare’s analysis of the 470 posts shows a straightforward workflow: a buyer submits a target (company domain, login URL, ecommerce site, gaming platform, application, geographic market, or a list of emails), the seller searches their indexed collection, and the seller returns matching credentials in a requested format.

Common output formats recorded in the dataset include URL:LOGIN:PASS, MAIL:PASS, LOGIN:PASS, PHONE:PASS, MAIL:PHONE and MAIL:LOGIN. Some sellers advertised simple domain extraction; others offered enrichment by combining separate email, password, login, phone and URL:Login collections so a buyer with an email list could request matching login pairs or a buyer seeking a specific geography could receive results built from country codes, domains, URLs, cities and password patterns.

Marketplace mechanics, scale and pricing

Several sellers promoted the sheer size and refresh frequency of their collections as a primary selling point. One actor advertised an “ULP 5kkk+ lines” database — presented in the posts as 5,000,000,000 lines — with quick access in 10–15 minutes and daily updates, drawing on private logs, private clouds, personal streams and public data. Another promoted a “10kkk+ line, 1TB+ URL:LOG database,” while other sellers claimed access to collections ranging from hundreds of millions to tens of billions of records.

Pricing models varied. The dataset included examples such as a seller asking for $20 per request with additional payment tied to returned results. That buyer-seller dynamic — pay for a search, then pay more depending on results — mirrors legitimate data-business practices such as indexing, labeling and slicing, repurposed in a criminal market.

Buyer feedback: advertised reach versus actual results

Customer comments included repeated complaints that sellers over-promised and under-delivered. Buyers reported that the actual volumes were lower than advertised, that many credentials were invalid, and that duplicated records were common — one buyer claimed that out of 3,000 records only 200 were unique. Sellers sometimes responded by saying they had not validated credential usability before delivering results, and others suggested the returned data were the same as large combo lists freely published elsewhere on the underground.

That mismatch matters because the service’s value proposition depends on delivering fresh, valid, deduplicated credentials. When sellers do not or cannot guarantee “freshness” or validity, the output is search results rather than confirmed access — although the dataset shows some offers that produce results indistinguishable from direct access provisioning.

TTP mapping: credentials as pre-exploitation tradecraft

In MITRE ATT&CK terms, the model documented in the posts maps cleanly to known reconnaissance and access-acquisition techniques. The source frames the dataset as an example of T1589.001 (Gather Victim Identity Information: Credentials), where adversaries research and acquire credentials before exploitation. Where sellers deliver usable access, the activity also aligns with T1650 (Acquire Access).

Flare’s reporting points out that the market sometimes overlaps with Initial Access Broker (IAB) activity but is not identical: the “search your target” services are typically cheaper and focused on search and extraction, while IAB offerings — described in the dataset as more expensive, prestige “white glove” services — sell validated access that may bypass multi-factor protections.

What this means for security teams, enterprises, and end users

  • Security teams and technologists: monitor for targeted exposures across deep and dark web sources, prioritize detections that match corporate domains, login portals and SaaS applications, and be prepared to act with password resets, session revocation and MFA enforcement when hits appear.
  • Affected enterprises and procurement leaders: expect that attackers can outsource the labor of finding relevant credentials; the presence of a searchable service reduces the time and effort required to find organizational credentials in large dumps and raises the importance of rapid detection and response.
  • End users and the general public: credentials that appear in large combo lists can be resold or reassembled into targeted lists; the fact that sellers sometimes do not validate returned logins does not eliminate the risk that usable accounts will be found and exploited.
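The defender-side counterpart of the “search your target” workflow, as an added example that is not part of Flare’s reporting or tooling: a small Python triage script that takes a delivered result in one of the output formats named above (URL:LOGIN:PASS, MAIL:PASS and so on), parses each row according to the declared format, normalises and deduplicates it (the “3,000 records, 200 unique” complaint), and keeps only rows that touch a watched corporate domain or login portal, so an analyst gets a reset/revocation list rather than the raw delivery. The hosts, accounts and rows are constructed for the example and are not real data; the parser also handles two edge cases sellers’ rows commonly present, a port inside the URL and a password containing colons.

```python
"""Defender-side triage of a delivered credential-search result.

Added example (not Flare's code). Rows are parsed by the seller's declared
format, normalised, deduplicated and matched against watched domains and
login-portal hosts. All hosts, accounts and rows below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Field layouts of the output formats advertised by the sellers.
FORMATS = {
    "URL:LOGIN:PASS": ("url", "login", "password"),
    "MAIL:PASS": ("mail", "password"),
    "LOGIN:PASS": ("login", "password"),
    "PHONE:PASS": ("phone", "password"),
    "MAIL:PHONE": ("mail", "phone"),
    "MAIL:LOGIN": ("mail", "login"),
}


@dataclass(frozen=True)
class Record:
    url_host: str = ""   # host of the login URL, lower-cased
    mail: str = ""       # e-mail address, lower-cased
    login: str = ""      # lower-cased only when it is itself an e-mail address
    phone: str = ""
    password: str = ""


def _url_separator(row: str) -> int:
    # Index of the ':' between the URL and the next field, or -1. The URL has
    # ':' of its own (scheme, optional port), so search after '://' and skip a
    # numeric port such as 'host:8443/path'.
    start = row.find("://")
    sep = row.find(":", start + 3 if start >= 0 else 0)
    if sep < 0:
        return -1
    slash = row.find("/", sep + 1)
    if slash > sep and row[sep + 1:slash].isdigit():
        sep = row.find(":", slash)
    return sep


def parse_row(row: str, fmt: str) -> Optional[Record]:
    """Parse one delivered row; None for rows that do not fit the format."""
    fields = FORMATS[fmt]
    row = row.strip()
    if fields[0] == "url":
        sep = _url_separator(row)
        if sep < 0:
            return None
        # Only the last field (the password) may keep ':' characters.
        parts = [row[:sep]] + row[sep + 1:].split(":", len(fields) - 2)
    else:
        parts = row.split(":", len(fields) - 1)
    if len(parts) != len(fields) or not all(parts):
        return None
    values = dict(zip(fields, parts))
    if "url" in values:
        url = values.pop("url")
        host = urlsplit(url if "://" in url else "//" + url).hostname or ""
        values["url_host"] = host.lower()
    for key in ("mail", "login"):
        if key in values and "@" in values[key]:
            values[key] = values[key].lower()
    return Record(**values)


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def is_hit(rec: Record, domains: Iterable[str], portals: Iterable[str]) -> bool:
    """True when the row names a watched corporate domain or login portal."""
    identity = rec.mail or (rec.login if "@" in rec.login else "")
    mail_domain = identity.rsplit("@", 1)[-1] if identity else ""
    if any(_under(mail_domain, d) for d in domains):
        return True
    if rec.url_host in set(portals):
        return True
    return bool(rec.url_host) and any(_under(rec.url_host, d) for d in domains)


@dataclass
class Triage:
    parsed: int         # rows that fit the declared format
    rejected: int       # rows that did not
    duplicates: int     # rows identical to an earlier one after normalisation
    hits: List[Record]  # unique rows matching the watch list


def triage(rows: Iterable[str], fmt: str, domains: Iterable[str], portals: Iterable[str]) -> Triage:
    seen, result = set(), Triage(0, 0, 0, [])
    for row in rows:
        rec = parse_row(row, fmt)
        if rec is None:
            result.rejected += 1
            continue
        result.parsed += 1
        if rec in seen:
            result.duplicates += 1
            continue
        seen.add(rec)
        if is_hit(rec, domains, portals):
            result.hits.append(rec)
    return result


def reset_targets(hits: Iterable[Record]) -> List[str]:
    """Accounts to reset / revoke, one entry per (identity, host), sorted."""
    return sorted({f"{r.mail or r.login or r.phone} @ {r.url_host or '(no url)'}" for r in hits})


# Constructed sample delivery in URL:LOGIN:PASS format (hypothetical hosts, not real data).
SAMPLE_ROWS = [
    "https://sso.example.com/login:alice@example.com:Winter2024!",
    "https://sso.example.com/login:alice@example.com:Winter2024!",     # exact duplicate
    "HTTPS://SSO.EXAMPLE.COM/login:Alice@Example.com:Winter2024!",     # duplicate after normalisation
    "https://shop.example.net:8443/account:bob:p:ss:w0rd",             # port, and ':' inside the password
    "https://mail.unrelated-site.test/login:carol@gmail.com:hunter2",  # neither our domain nor a portal
    "garbage line without separators",
]
WATCHED_DOMAINS = ["example.com"]
WATCHED_PORTALS = ["shop.example.net"]

if __name__ == "__main__":
    t = triage(SAMPLE_ROWS, "URL:LOGIN:PASS", WATCHED_DOMAINS, WATCHED_PORTALS)
    print(f"parsed={t.parsed} rejected={t.rejected} duplicates={t.duplicates} hits={len(t.hits)}")
    for line in reset_targets(t.hits):
        print("reset:", line)
```

Run on the constructed rows, the script parses five of six lines, drops two duplicates and reports two hits (the SSO login and the watched shop portal), leaving the unrelated Gmail row out. Matching is deliberately on the identity’s mail domain and on the URL host, not on the password, because a valid password is exactly what the seller has not promised; the hit list is input to reset and session-revocation work, not confirmation of a live account.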

The core takeaway is simple and concrete: a specialized market has emerged to turn noisy credential collections into targeted attack material, and defenders must treat exposed credentials as a live, queryable threat rather than a static archive. Flare says it surfaces these forum signals and monitors exposed employee credentials, corporate domains and login portals to give security teams early visibility; the marketplace evidence in the 470 posts shows why that visibility matters.
