The $150,000 Password
How one threat actor turned stolen credentials into a global breach portfolio
Between December 2025 and January 2026, a single threat actor posted 25 data sales listings on a Russian-language cybercrime forum. The victims spanned 15 countries and every major sector from aviation to critical infrastructure. Prices ranged from free to $150,000.
The actor goes by "Zestix." And despite the sophisticated pricing and global reach, the attack method is almost embarrassingly simple.
No zero-days. No advanced malware. No chained exploits. Zestix parses old infostealer logs for cloud credentials and tests each one until something works. When MFA is absent, they walk right in through the front door.
The Infostealer Economy
Infostealers like RedLine, Lumma, and Vidar have become commodity malware. An employee downloads a pirated game or clicks a malicious link. The malware quietly harvests every saved password from their browser. Those logs get sold in bulk on underground markets. Buyers like Zestix sift through them looking for corporate file-sharing URLs.
ShareFile. Nextcloud. OwnCloud. These platforms hold sensitive documents. They're often exposed to the internet. And they're frequently protected by nothing more than a username and password.
The barrier to entry is essentially zero. Parse the logs for corporate URLs, try the credentials, take whatever access you get.
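The login pattern this produces on the file-sharing side is detectable before the data leaves. The following added example (not code from the original article) runs a small credential-testing detector over constructed, simplified authentication log lines: a single source tries several distinct accounts once each inside a short window, as someone replaying stolen credentials does, then succeeds against an account with no second factor. The log format, the thresholds and the sample entries are assumptions; real ShareFile, Nextcloud or ownCloud logs differ, so parse_line() would need adapting.

```python
"""Flag credential testing against a file-sharing portal (added example).

Assumed, constructed log format, one event per line:
    <ISO timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL> mfa=<yes|no>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 cycles through accounts with one attempt
# each (stolen credentials are replayed, not brute-forced) and then lands on
# an account that has no second factor. The other sources are normal users.
SAMPLE_LOG = """\
2026-01-12T08:00:01Z 203.0.113.7 a.smith LOGIN_FAIL mfa=no
2026-01-12T08:00:09Z 203.0.113.7 b.jones LOGIN_FAIL mfa=no
2026-01-12T08:00:17Z 203.0.113.7 c.lee LOGIN_FAIL mfa=no
2026-01-12T08:00:25Z 203.0.113.7 d.patel LOGIN_OK mfa=no
2026-01-12T08:01:00Z 198.51.100.4 e.wong LOGIN_FAIL mfa=no
2026-01-12T08:01:30Z 198.51.100.4 e.wong LOGIN_OK mfa=yes
2026-01-12T09:15:00Z 192.0.2.9 f.kim LOGIN_OK mfa=yes
"""


def parse_line(line):
    """Parse one constructed log line into a dict (adapt for real log formats)."""
    ts, ip, user, result, mfa = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "user": user,
        "ok": result == "LOGIN_OK",
        "mfa": mfa == "mfa=yes",
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_credential_testing(events, min_distinct_users=3, window=timedelta(minutes=10)):
    """Flag source IPs that attempt >= min_distinct_users accounts within `window`.

    Returns {ip: {"users": set of usernames tried,
                  "success_no_mfa": sorted usernames where a login succeeded
                                    with no second factor}}.
    The thresholds are assumptions; tune them to your portal's traffic.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        flagged_users = set()
        start = 0
        # Sliding time window over this IP's events, oldest to newest.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users_in_window = {e["user"] for e in evs[start:end + 1]}
            if len(users_in_window) >= min_distinct_users:
                flagged_users |= users_in_window
        if flagged_users:
            success_no_mfa = sorted(
                e["user"] for e in evs
                if e["ok"] and not e["mfa"] and e["user"] in flagged_users
            )
            findings[ip] = {"users": flagged_users, "success_no_mfa": success_no_mfa}
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_testing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: tried {sorted(f['users'])}; "
              f"succeeded without MFA on {f['success_no_mfa'] or 'none'}")
```

A hit in `success_no_mfa` is the case the article describes: a stolen password accepted with nothing behind it. Those are the accounts to reset and whose sessions to revoke first; the `users` set tells you which other credentials from the same dump are probably in the attacker's hands even though they failed.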

The Victim Portfolio
The scale is remarkable. We have tracked Zestix's forum activity since the public reports emerged in early 2026, and it reaches back only as far as September 2025. The confirmed victims include:
- A U.S. engineering firm with LiDAR mapping data for major power utilities (listed for 6.5 Bitcoin, roughly $600,000)
- A European airline with 77GB of aircraft maintenance programs and fleet configurations ($150,000)
- A Canadian transit infrastructure project with geotechnical reports and construction risk assessments (1.8 Bitcoin)
- A Brazilian military police healthcare provider (2.3 terabytes of medical records)
- An Algerian logistics company with 123GB of customer data
The common thread across all 50+ confirmed breaches? Lack of MFA on externally accessible file-sharing platforms.
Beyond Credential Theft
Forum intelligence reveals Zestix operates at multiple capability tiers. The credential harvesting is a volume play. But the actor has also shared detailed EDR evasion techniques for bypassing SentinelOne, provides operational support for investment fraud schemes, and claims to run real-time deepfake systems for video call social engineering.
The credential harvesting funds the operation. The higher-tier capabilities are available for high-value targets.
The Uncomfortable Truth
These companies weren't hacked by nation-state actors with unlimited resources. They weren't targeted by custom malware or sophisticated exploit chains. They were compromised because an employee's device got infected with commodity malware, and the organization never rotated the password or enabled a second factor.
Every single breach was preventable with basic security hygiene.
What Organizations Should Do
Enable MFA everywhere. Not SMS-based. FIDO2 keys or passkeys. Every externally accessible system, no exceptions.
Rotate passwords regularly. Some credentials in Zestix's portfolio sat in infostealer logs for years before exploitation. A malware infection from 2022 became a data breach in 2025.
Monitor for credential exposure. Services exist that scan dark web markets and infostealer dumps for your organization's credentials. When exposure is detected, reset the password and revoke active sessions immediately.
Assume breach. If you're running cloud file-sharing without MFA, operate under the assumption that someone already has the password.
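The three steps above (watch for exposure, rotate, enforce MFA) come together in a triage routine. This added example (not the article's code, and not any vendor's feed format) matches exposed-credential records against a constructed inventory of externally reachable file-sharing hosts and a constructed directory of last-password-change dates, then emits the actions the article calls for. The feed shape (url, username, first_seen) and every host, account and date are assumptions; the passwords themselves are never needed for the decision.

```python
"""Triage exposed-credential reports against an organization's inventory (added example)."""
from datetime import date
from urllib.parse import urlparse

# Constructed: externally reachable hosts and whether MFA is enforced on each.
MANAGED_HOSTS = {
    "files.example.com": {"platform": "Nextcloud", "mfa_enforced": False},
    "share.example.com": {"platform": "ShareFile", "mfa_enforced": True},
}

# Constructed directory data: last password change per account.
ACCOUNTS = {
    "j.doe": date(2021, 6, 1),
    "m.roe": date(2025, 11, 20),
}

# Constructed feed: the shape a credential-monitoring service might deliver
# after parsing infostealer logs. first_seen is when the service first saw it.
EXPOSURE_FEED = [
    {"url": "https://files.example.com/login", "username": "j.doe", "first_seen": date(2022, 3, 14)},
    {"url": "https://share.example.com/", "username": "m.roe", "first_seen": date(2024, 9, 2)},
    {"url": "https://files.othercorp.example/", "username": "x.y", "first_seen": date(2025, 1, 1)},
    {"url": "https://files.example.com/", "username": "ghost", "first_seen": date(2023, 5, 5)},
]


def host_of(url):
    return urlparse(url).hostname


def triage(feed, hosts, accounts, today):
    """Return one action entry per feed record that concerns a managed host.

    Decision per record:
      - password changed after the exposure was first seen -> the leaked value
        is stale, but still verify no session survived
      - unchanged since exposure -> force reset and revoke sessions now
      - unknown account -> review (stale account, alias, or naming mismatch)
      - host without enforced MFA -> fix the control, not just the one account
    """
    actions = []
    for rec in feed:
        host = host_of(rec["url"])
        if host not in hosts:
            continue  # someone else's portal; nothing for us to do
        user = rec["username"]
        entry = {
            "host": host,
            "user": user,
            "exposure_age_days": (today - rec["first_seen"]).days,
            "actions": [],
        }
        changed = accounts.get(user)
        if changed is None:
            entry["actions"].append("account_not_in_directory_review")
        elif changed > rec["first_seen"]:
            entry["actions"].append("already_rotated_verify_sessions")
        else:
            entry["actions"] += ["force_password_reset", "revoke_sessions"]
        if not hosts[host]["mfa_enforced"]:
            entry["actions"].append("enforce_mfa_on_host")
        actions.append(entry)
    return actions


def mfa_gaps(hosts):
    """Hosts reachable from the internet with no enforced second factor."""
    return sorted(h for h, meta in hosts.items() if not meta["mfa_enforced"])


if __name__ == "__main__":
    for a in triage(EXPOSURE_FEED, MANAGED_HOSTS, ACCOUNTS, date(2026, 1, 15)):
        print(f"{a['user']}@{a['host']} exposed {a['exposure_age_days']} days: {', '.join(a['actions'])}")
    print("MFA gaps:", mfa_gaps(MANAGED_HOSTS))
```

The `exposure_age_days` field is the number the article warns about: a credential captured in 2022 and never rotated is as usable in 2026 as it was the day it was stolen. Sorting the output by that field gives a defensible order for the reset queue, and `mfa_gaps()` is the list that should be empty before any of the per-account work is considered finished.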
The infostealer economy has made credential theft scalable and cheap. The only defense is making those credentials worthless through proper authentication controls.

Mike Bell is Founder and CEO of Suzu Labs, building AI-powered platforms for meeting intelligence, business intelligence, and secure document processing. With over two decades in cybersecurity spanning penetration testing, incident response, security architecture, and AI security, he brings a security-first perspective to threat analysis.