Zeroing In on Stolen Credentials: Automated Detection & Response in 2025

Posted on April 22, 2025
Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, which are designed specifically to steal information.
The Breach: What Happened?
This month (January 2025), Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by a group of attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:
- 24,000 employee emails and names
- 500,000 Jira issues and summaries
- 5,000 internal documents
- 236,493 lines of customer data
The Attack Vector: Infostealer Malware
The breach was facilitated by infostealer malware, a type of malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with the credentials they needed for initial access.
- 469 employee credentials on Telefonica’s domain were compromised.
The threat of compromised credentials reached unprecedented levels in 2025, with infostealer malware surging to infect millions of devices and dark‑web marketplaces trading billions of stolen logins.
According to our research, over 200,000 devices are compromised by infostealer malware every month, resulting in billions of stolen credentials every year.
The explosion of credential leaks is forcing businesses to rethink their security strategies.
Organizations must now implement advanced measures to proactively detect stolen credentials on the dark web and prevent account takeovers before they occur.
The Evolving Threat: Infostealers and Dark‑Web Marketplaces
Infostealer malware is responsible for 75% of all stolen credentials, making it the leading cause of breaches and representing a 33% year-over-year increase in compromised logins.
These lightweight yet powerful Trojans primarily target Windows endpoints, where they harvest browser-stored passwords, session cookies, and auto-fill data at scale.
A diverse ecosystem of infostealer variants is driving this surge. According to Twilight Cyber research, LummaC2 dominated in March 2025, accounting for 70% of all observed infostealer infections. Other prominent strains include Rhadamanthys, Vidar, and StealC.
By targeting everything from saved browser credentials to crypto wallet files and VPN profiles, these modular kits give attackers unprecedented agility in harvesting high-value data.
The stealer-as-a-service model has driven prices down to as little as $200 per month, enabling even low-skill actors to launch large-scale credential-harvesting campaigns without deep technical expertise.
In parallel with these malware advancements, stolen credentials are actively traded across the dark web marketplace ecosystem. Despite high-profile takedowns, such as Genesis Market in 2023 and the periodic seizures of RaidForums and BreachForums, new hubs frequently emerge within days, often hosted on Telegram, Discord, or hidden onion-based storefronts.
These markets aggregate infostealer logs, organize them by domain, country, and ISP, and sell bundled access along with RDP and SSH credentials.
The Role of Real‑Time Identity Threat Protection and Dark‑Web Monitoring
Traditional security programs typically detect stolen credentials an average of 194 days after a breach, by which time attackers have often already moved beyond initial access to data exfiltration, lateral movement, and fully weaponized attacks.
To close this gap, organizations in 2025 are adopting continuous, AI-driven dark web surveillance that can detect leaked credentials within hours of exposure.
Modern platforms like Twilight Cyber’s Identity Guardian monitor over 50,000 dark and deep web sources, including TOR marketplaces, I2P sites, ZeroNet shops, private Telegram and Discord channels, and paste sites, collecting millions of new data points every hour.
Unlike conventional tools, Identity Guardian also reaches the innermost circles of the dark web that such tools typically cannot access. This deeper visibility enables early detection of infostealer activity and other high-risk threats.
Advanced machine learning classifiers and natural language processing models automatically filter out irrelevant noise, surfacing only high-confidence credential dumps and PII exposures.
Automatic Account Takeover Prevention
Rather than simply generating standalone leak alerts, Identity Threat Protection tools can feed dark‑web findings directly into an organization’s IAM system or authentication platform to automatically remediate compromised credentials:
- Revoke active sessions
- Trigger forced password resets
- Enforce step‑up MFA challenges
This is exactly how Twilight Cyber’s Account Takeover Prevention service works: dark‑web signals are transformed into automated containment actions that neutralize stolen credentials before they can be weaponized. By the time threat actors attempt to use them, those credentials are already obsolete at the login stage.
Streamlined Incident Response & Investigations
The intelligence generated by Twilight Cyber’s Identity Guardian can be seamlessly integrated into your existing SIEM and EDR ecosystem to accelerate threat detection and response.
When an exposure is identified in one of the many monitored data sources, such as infostealer logs, exposed databases, or PII leaks, often within hours of it surfacing in the core layers of the dark web, Twilight’s feed is ingested into your SIEM. There, correlation rules automatically match exposed usernames, hashes, or tokens against recent authentication logs, triggering high-fidelity alerts the moment compromised accounts show signs of activity.
From there, your EDR solution can be activated to gather endpoint telemetry – such as process activity, network behavior, and file access – and run behavioral analytics to trace attacker movement and intent. This real-time connection between identity exposure and endpoint insight ensures you know not only who is at risk, but also where an attacker may have landed and what they’ve touched.

Injecting Twilight’s signals into your SIEM/EDR pipeline empowers your security analysts with valuable, context‑rich information that reduces manual data‑gathering and accelerates containment.
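The correlation step described above, together with the automated containment actions listed in the Account Takeover Prevention section, as an added illustration that is not Twilight Cyber’s code: a leak feed is matched against SSO audit lines by username and exposure time, and each alert carries the actions to trigger (revoke sessions, force reset, step-up MFA). The feed record shape, the key=value audit line layout, and all users, IPs and timestamps are constructed for this example.

```python
import re
from datetime import datetime

# Constructed leak-feed records; the field names are an assumption, not a vendor format.
LEAK_FEED = [
    {"user": "jdoe@example.com", "exposed_at": "2025-03-10T02:14:00", "source": "infostealer_log"},
    {"user": "asmith@example.com", "exposed_at": "2025-03-11T18:40:00", "source": "combo_list"},
    {"user": "kpatel@example.com", "exposed_at": "2025-03-12T00:05:00", "source": "paste_site"},
]

# Constructed SSO audit lines (documentation IP ranges); the layout is assumed for this example.
AUTH_LOGS = """\
2025-03-09T08:00:00 user=jdoe@example.com result=success ip=10.0.5.21 session=s1
2025-03-10T09:31:00 user=jdoe@example.com result=success ip=203.0.113.9 session=s2
2025-03-11T19:02:00 user=asmith@example.com result=failure ip=198.51.100.3 session=-
2025-03-12T07:15:00 user=bwong@example.com result=success ip=10.0.5.44 session=s3
"""

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
                     r"ip=(?P<ip>\S+) session=(?P<session>\S+)")

def parse_auth_logs(text):
    """Parse audit lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def correlate(feed, events):
    """Return one alert per leaked account with severity and the containment actions to trigger."""
    alerts = {}
    for rec in feed:
        exposed = datetime.fromisoformat(rec["exposed_at"])
        # Only activity after the exposure time is evidence the leaked credential is in play.
        later = [e for e in events if e["user"] == rec["user"] and e["ts"] >= exposed]
        successes = [e for e in later if e["result"] == "success"]
        actions = ["force_password_reset"]  # every leaked credential is reset regardless
        if successes:  # a live login after exposure: kill those sessions immediately
            severity = "high"
            actions.append("revoke_sessions:" + ",".join(e["session"] for e in successes))
        elif later:  # attempts but no success yet: raise the bar for the next attempt
            severity = "medium"
            actions.append("enforce_step_up_mfa")
        else:
            severity = "low"
        alerts[rec["user"]] = {"severity": severity, "source": rec["source"],
                               "post_exposure_ips": sorted({e["ip"] for e in later}),
                               "actions": actions}
    return alerts
```

Running `correlate(LEAK_FEED, parse_auth_logs(AUTH_LOGS))` flags jdoe as high (successful login from a new IP after exposure), asmith as medium (failed attempt only) and kpatel as low (no activity yet, reset only).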
Say “No” to Infostealers With Twilight Cyber
With stolen credentials behind most breaches, only a truly integrated, automated defense can keep pace with today’s infostealer‑driven threats. By combining continuous identity threat protection and streamlined incident response, organizations can reduce attacker dwell time from months to hours and turn every leaked login into a neutralized incident, not a catastrophe.
Twilight Cyber delivers that unified solution. Our platform empowers your team to detect new leaks within seconds. Cross‑layer correlation ensures that every credential dump is validated against live telemetry, while our automated containment playbooks revoke access, isolate endpoints, and reset credentials without manual effort.
The result is end‑to‑end credential security that adapts and scales with your environment, closing the gap between detection and remediation once and for all.
Ready to see how rapid, automated credential defense can transform your security posture?