New research from NordVPN has uncovered a massive trove of stolen browser cookies circulating on the dark web. The report estimates that around 94 billion cookies are currently being traded or sold illegally.
These cookies, small data files created by websites and stored in browsers, can pose serious security risks. They often contain sensitive information that can be used to hijack user sessions or bypass the login process.
Malware Behind the Theft
The majority of these stolen cookies come from infostealer malware. Key findings include:
- Redline malware is responsible for nearly 42 billion cookies, though only 6.2% remain active.
- Vidar has stolen 10.5 billion cookies, with 7.2% still valid.
- LummaC2, a newer malware, accounts for 8.8 billion cookies, with 6.5% active.
- CryptBot stands out with 1.4 billion cookies, of which a staggering 83.4% are still active.
Active cookies are especially dangerous because they can allow attackers to access accounts without needing passwords.
A Growing Threat
This isn’t the first time NordVPN has raised the alarm. In 2024, millions of cookies from UK users were leaked online. Globally, 54 billion cookies were stolen that year, which makes the 2025 figure a sharp increase.
The stolen cookies contain various types of data. Common keywords found in the dataset include:
- “ID” – 18 billion instances
- “Session” – 1.2 billion
- “Auth” – 292 million
- “Login” – 61 million
These terms suggest that many cookies could be used to hijack live sessions, bypassing login pages entirely.
Why It Matters
NordVPN researchers warn that even seemingly harmless cookies can be dangerous. In their words:
“Cookies may sound sweet, but sometimes they can leave a bad taste. Even the most seemingly unimportant cookies can do a lot of damage. Session cookies, especially active ones, are a goldmine. They let attackers skip login pages altogether.”
Potential Consequences
If exploited, these cookies could allow cybercriminals to:
- Take over social media accounts
- Bypass two-factor authentication
- Launch social engineering attacks
- Access sensitive financial data
The findings underscore the importance of strong cybersecurity practices and regular cookie management.