Stolen web cookies are being sold on dark web forums at an alarming scale, exposing billions of users to session hijacking, identity theft, and advanced cyber threats, according to a new report by NordVPN.
The cybersecurity firm partnered with threat exposure platform NordStellar to analyze over 93.7 billion stolen cookies circulating on dark web marketplaces and Telegram channels.
Their findings reveal a growing underground market where login sessions, authentication tokens, and user profiles are auctioned to cybercriminals targeting individuals, businesses, and even critical infrastructure.
Google platforms were the most targeted
Of the 93.7 billion cookies analyzed, nearly 15.6 billion remained active at the time of analysis.
Around 18 billion contained “ID” tags, 1.2 billion “session,” and hundreds of millions contained “auth” or “login” metadata.
These suggest live access tokens, exposing everything from email accounts and cloud storage to payment platforms and corporate dashboards.
Google accounted for the most targeted platform with over 4.5 billion cookies linked to its services. Microsoft and YouTube followed, with over 1 billion cookies each.
Brazil, India, Indonesia, and the United States were among the most affected countries. Spain topped Europe with 1.75 billion cookies stolen, while the UK showed the highest rate of active cookies (8.3%).
How web cookies are stolen
NordVPN’s investigation found that infostealer malware—particularly Redline, Vidar, LummaC2, and CryptBot—were responsible for most cookie thefts.
Redline alone accounted for nearly 42 billion stolen cookies. Although only 6.2% were still valid, CryptBot stood out with 83.4% of its stolen cookies remaining active, qualifying it as the most efficient malware.
These malware variants often hide in pirated software or malicious downloads, harvesting browser data and transmitting it to attackers’ command servers.
As malware-as-a-service becomes more accessible, the underground cookie trade is expected to grow. Cybercriminals no longer need technical expertise to exploit stolen cookies—they simply buy access.
The growing ease of cookie hijacking presents ongoing challenges for users and cybersecurity professionals alike.
What they’re saying
“Even a single session cookie can be enough to bypass login pages and two-factor authentication,” said Daniel Markuson, a digital privacy expert at NordVPN.
“Once inside, attackers can move laterally, impersonate users, or deploy ransomware.”
The report also warns of cookie types that evade deletion, such as super cookies and zombie cookies, which reappear after removal or hide in local storage, making them nearly impossible to clear manually.
How to protect yourself
Most cookies are harmless, but when stolen, even minor data can fuel large-scale cybercrime.
NordVPN urges users to:
- Reject unnecessary cookies
- Regularly clear browser data
- Use malware protection
- Rely on VPNs to encrypt web traffic
About Author
