
A recent investigation by cybersecurity firm NordVPN reveals an alarming escalation in stolen browser cookies, which now enable account takeovers, identity theft, and widespread fraud across more than 250 countries. The research, conducted between April 23 and April 30, 2025, through NordStellar, a threat exposure management platform, found that hackers illicitly acquired nearly 94 billion browser cookies, marking a significant 74% increase from the previous year.
Cookies, designed to simplify online browsing by saving login details and preferences, are now being weaponized by criminals to breach accounts and pilfer personal information. A concerning discovery indicates that over 20% of these stolen cookies remain active, providing direct access to legitimate online accounts. “Cookies may seem harmless, but they’re a growing threat,” says Adrianus Warmenhoven, cybersecurity expert at NordVPN. “Hackers use them to gain direct access to people’s accounts and information.”
The global impact of cookie theft is extensive, affecting over 250 countries, with Brazil, India, Indonesia, and the U.S. experiencing a major impact. Europe also saw high numbers, particularly Spain and the UK, which recorded a notably high rate of active stolen cookies. Researchers caution that the true scale of the problem could be even larger due to untracked data.
Beyond cookies, the report also uncovered dramatic increases in other forms of exposed data, including 18 billion assigned IDs, 1.2 billion session IDs, and millions of login credentials, authentication tokens, and personal details such as names, email addresses, and physical locations. This trove of compromised data presents a lucrative opportunity for identity theft, fraud, and other malicious activities.
The surge in breaches is attributed to the proliferation of 38 different types of malware, more than triple the number from the prior year. Leading the charge are Redline (responsible for 41.6 billion stolen cookies), Vidar (10 billion), and LummaC2 (9 billion), all specifically designed to harvest browser data. Researchers further identified 26 new malware variants, including RisePro, Stealc, Nexus, and Rhadamanthys, many of which are engineered to evade antivirus tools and rapidly steal credentials.
While the threat is substantial, safeguarding your online presence doesn’t require complex measures. Adopting a few fundamental habits can significantly bolster your protection against cybercriminals:
- Utilize strong, unique passwords for every online account.
- Activate multifactor authentication (MFA) whenever possible.
- Exercise caution and avoid clicking on suspicious links or downloading unknown files.
- Ensure your software and devices are kept up to date.
- Regularly clear your browser cookies and site data.
“Many people close their browser and assume they’re safe. Those sessions often remain valid,” Warmenhoven explains. “Taking just a few simple steps can dramatically reduce your risk of being targeted by cybercriminals.”
The data analysis was performed by NordStellar between April 23 and April 30, 2025. Researchers gathered data from Telegram channels where hackers advertise stolen information for sale, compiling a dataset of over 94 billion cookies. The analysis focused on whether cookies were active or inactive, the type of malware used for theft, the country of origin, and the data contained within the cookies concerning the issuing company, user’s OS, and assigned keyword categories. NordVPN did not purchase stolen cookies or access their content, but rather examined the types of data they contained.