What are we doing?

This is a guide to one way a profitable credential stuffing operation can be built, monetized and scaled. It is based on a real case study in which SWIM harvested $300-$500 worth of data in just a few hours of scanning. Credential stuffing is the harvesting of account login data from one source and the checking of those logins against a number of other sites. For this particular operation, we selected a type of account for which there is sizable black-market demand.

Gathering Candidate Credentials

You need a source of login:password combinations in the form of a text file called a combolist. Combolists are easy to find but vary in quality. For credential stuffing, SWIM samples a combolist and measures how many entries match valid Twitter accounts. A good ratio is about 15%.

Pastebin

You can find combolists on Pastebin by searching Google for strings like "site:pastebin.com gmail.com". Using a dorking script, SWIM harvested about 100k good-quality combos with a Twitter hit ratio above 15%.

Breached Databases

There are many breached databases available online, some with password hashes and some with plaintext passwords. One database SWIM likes is the lsbg.net database, which he has cracked into a combolist of about 2,000,000 combos with a hit ratio above 15%.

Credential Gathering Resources:

RaidForums Combos Forum – Sharing combolists

RaidForums Database Forum – Sharing breached databases

Mining Valid Logins

SWIM built his own account-checking scripts in Node.js, but there are a number of popular options available. SentryMBA is the most popular. It supports config files for multiple sites, and many config files can be found for free on cracking forums.

SWIM targeted Spotify Premium accounts for this operation, so his config not only had to check whether the login was valid but also log the account type.

In a few hours, SWIM cracked about 4,000 Spotify accounts, about 100 of which turned out to be Premium.

Login Checking Resources:

Credmap – A free tool that checks accounts on about 30 different sites

Nulled.to Config Forum – A forum for sharing cracking configs

Monetizing the Data

Spotify Premium accounts sell on the web for $3.00-$5.00 each at retail, or less in bulk. A Google search for "buy spotify premium accounts" turns up a number of forums where accounts are sold. Sales can be made anonymously with Bitcoin and through crypto-based selling platforms like selly.gg.

Scaling

Scaling a credential stuffing operation is as simple as reinvesting profits into more VPS or RDP servers to run the software on, more proxies and more combo data.