Cybercrime is evolving – and so is the scale of the threat.
New research from cybersecurity firm NordVPN reveals that a staggering 94 billion cookies have been stolen through malicious software, up from 54 billion just one year ago.
These small text files, once considered benign tools for user convenience, have become potent weapons in the hands of hackers targeting payment data and digital identities.
The UK has found itself worryingly placed 27th out of 253 countries for total leaked cookies, with nearly 800 million compromised – of which 66.5 million remain active and potentially exploitable.
Though only 8.3% are currently “live,” the scale still constitutes a major breach of digital trust and a growing risk for financial fraud.
Cookies Store Essential Data
Cookies store essential session data – such as login credentials, preferences, and behavioural patterns – that are vital for seamless e-commerce and online banking.
But cybercriminals are increasingly hijacking them to impersonate users, bypass authentication protocols, and gain access to financial services without needing passwords.
“Cookies may appear innocuous,” warns NordVPN cybersecurity expert Adrianus Warmenhoven, “but they are effectively digital skeleton keys to people’s most sensitive information.”
Rapid Expansion
The latest findings show a rapid expansion not just in volume but in sophistication.
Over 38 distinct malware variants were used to harvest stolen data, up from just 12 the year before.
The most prolific families include Redline, which extracted over 41 billion cookies, Vidar, and LummaC2 – all well-known for raiding browsers for saved passwords, autofill data, and tokens.
Significantly, the malware targeted major platforms including Google (4.5 billion stolen cookies), YouTube (1.33 billion), Microsoft (1.1 billion), and Bing (almost 1 billion).
These services underpin daily digital life – from communications and transactions to document storage – amplifying the threat to both individuals and institutions.
Particularly concerning for the payments sector is the rise in exposed session IDs and authentication tokens, which allow fraudsters to imitate users and execute unauthorised transactions.
The 2025 figures point to a 70% increase in exposed assigned IDs and a 62% jump in session IDs, reflecting the growing sophistication of cybercriminal operations.
New Malware Strains
New malware strains – such as RisePro, Stealc, and Rhadamanthys – have further intensified the threat landscape.
These tools not only extract credentials but are designed to evade detection, emulate legitimate user activity, and escalate access once inside a network.
To mitigate the risks, experts recommend frequent clearing of site data, enabling multifactor authentication, maintaining strong, unique passwords, and staying current with software updates.
As Warmenhoven puts it, “Even after you close the browser, a session can remain active. That lingering vulnerability is where much of the danger lies.”
The post Cookie theft: Cybercriminals exploit browsers for payment fraud appeared first on Payments Cards & Mobile.