Billions of stolen cookies currently on sale on cybercrime marketplaces, NordVPN researchers warn

According to new data released by VPN provider NordVPN, there are billions of stolen browser cookies on underground marketplaces. The company’s research reveals that more than 93.7 billion stolen cookies are currently available for sale, primarily on the dark web and Telegram-based forums. Of those, between 7–9 percent remain active and exploitable, giving attackers a direct line into users' online accounts and personal data.

“Cookies may seem harmless, but in the wrong hands, they're digital keys to our most private information,” said Adrianus Warmenhoven, cybersecurity advisor at NordVPN. “What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide.”

While the majority of stolen cookies (about 90 percent) contain user identification data used for ad tracking, a significant portion includes session cookies that allow attackers to impersonate victims without ever needing their login credentials. Over 1.2 billion of these session cookies are still live and accessible to buyers.

“Many users don't realize that active sessions may persist even after they close their browser,” Warmenhoven added. “Clearing this data helps reduce the window of opportunity for unauthorized access.”

Infostealers are the real threat

Cybercriminals use infostealer malware such as Redline, Vidar, LummaC2, and Meta to harvest these cookies. Redline alone was linked to 44 percent of the total stolen cookie haul. Despite recent takedown efforts by law enforcement, access to these tools remains relatively cheap. The price for entry-level versions starts at just $150.

The use of session cookies enables attackers to bypass multi-factor authentication, access sensitive data across email accounts, banking platforms, and corporate networks, and in some cases, escalate their access privileges. In environments that use Single Sign-On (SSO) systems, compromised session cookies can serve as entry points for ransomware gangs seeking to move laterally through enterprise networks.

Mitigation

NordVPN advises users to rethink their approach to cookie consent. “Think twice before accepting the cookies,” the company said, acknowledging the widespread annoyance caused by website cookie banners.

Users are encouraged to reject unnecessary cookies, particularly third-party tracking cookies, whenever possible.

In addition to cookie hygiene, NordVPN recommends keeping operating systems and browsers up to date and regularly clearing browser histories and stored cookies. Reviewing privacy settings on online accounts is also key.

“Just because you can accept all cookies, doesn’t mean you have to,” Warmenhoven noted. “Most websites still function fine without them.”