
Hackers Prefer Password Theft to Direct Technical Exploits

A.R. Perez, Netlok, June 24, 2025

Like most people and organizations, cybercriminals weigh their time and the cost of doing business. As a result, they have increasingly shifted their tactics from complex technical exploits to credential theft to increase their ROI. This preference for “logging in” rather than “hacking in” represents a fundamental change in attack methodology that has profound implications for organizations and individuals alike 1, 2. The reasons behind this strategic shift are multifaceted, combining economic incentives, technical advantages, and human vulnerabilities.

The Path of Least Resistance

Cybercriminals, like most rational actors, seek the most efficient route to their objectives 3. Password theft has emerged as the definitive path of least resistance in the cybercrime ecosystem for several compelling reasons:

Lower Technical Barriers

Traditional hacking methods often require specialized technical knowledge, including understanding of software vulnerabilities, network protocols, and custom exploit development 4. In contrast, credential theft can be executed with minimal technical expertise using widely available tools 5. This accessibility has democratized cybercrime, allowing a broader range of threat actors to participate regardless of their technical background 6.

The commoditization of the underground economy has created multiple paths of lower resistance, with suppliers providing different services for various aspects of fraud operations 6. These services significantly lower the cost of attacks and reduce the barrier to entry for aspiring cybercriminals 6, 7.

Higher Success Rates

IBM’s X-Force threat intelligence team reported a staggering 71% increase in attacks relying on valid login credentials in 2023 compared to the previous year 1, 8. This dramatic shift reflects the effectiveness of credential-based approaches compared to technical exploits 5. Charles Henderson, global head of IBM’s X-Force team, described this as “an aha moment on the part of threat actors in shifting to something that works” 5.

The success of credential theft is further amplified by human behavior patterns, particularly password reuse across multiple services 9. Research shows that 52% of users reuse or modify their passwords across different online services, creating a cascading vulnerability effect where a single breach can compromise multiple accounts 10.

Economic Advantages

Cost-Effectiveness

From a purely economic perspective, password theft offers cybercriminals an exceptional return on investment compared to technical hacking methods 5:

  1. Lower operational costs: Credential theft requires minimal resources and can be executed using free or low-cost tools 5.
  2. Reduced development expenses: Zero-day exploits have become increasingly expensive, with prices for iOS zero-days reaching $5-7 million and Android zero-days costing up to $5 million 11. This price inflation reflects the growing difficulty of finding and exploiting technical vulnerabilities as companies improve their security postures 11.
  3. Scalability through automation: Password theft operations can be easily automated and scaled, allowing attackers to target thousands or even millions of accounts simultaneously 12. Credential stuffing attacks, which automatically try stolen username/password combinations across multiple services, have a success rate of 0.2-2.0%—seemingly low but highly profitable at scale 12.
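The low per-attempt success rate of credential stuffing is itself a detection signal: one source touching many distinct accounts with almost no successes. The following is an added example, not code from the article or from Netlok; the event format, the sample data, and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed login events (source_ip, username, success); not real data."""
    events = []
    # Source A: 200 distinct accounts tried once each, 2 succeed (1.0%).
    for i in range(200):
        events.append(("203.0.113.7", f"user{i}", i in (17, 142)))
    # Source B: an office NAT with 30 staff, all but one log in fine.
    for i in range(30):
        events.append(("198.51.100.20", f"staff{i}", i != 4))
    # Source C: one user mistyping a password three times, then succeeding.
    events += [("192.0.2.55", "alice", False)] * 3 + [("192.0.2.55", "alice", True)]
    return events

def flag_stuffing(events, min_accounts=50, max_success_rate=0.05):
    """Flag sources that try many distinct accounts with a low success rate.

    Thresholds are assumptions; 0.05 sits above the 2.0% upper bound cited above.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["hits"].add(user)
    flagged = {}
    for ip, stats in per_ip.items():
        rate = len(stats["hits"]) / stats["attempts"]
        if len(stats["users"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {
                "accounts_tried": len(stats["users"]),
                "success_rate": rate,
                # These logins used valid passwords: treat the accounts as compromised.
                "accounts_to_reset": sorted(stats["hits"]),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in flag_stuffing(build_sample()).items():
        print(ip, info)
```

The successful logins from a flagged source look legitimate on their own, so the useful output is the list of accounts to reset. Keying on source IP alone is a simplification; the same aggregation can be run over other grouping keys an organization already logs.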

Abundant Supply of Credentials

The dark web marketplace for stolen credentials has reached unprecedented scale, creating a self-sustaining ecosystem that fuels further attacks 13. Over 15 billion usernames and passwords from 100,000 data breaches are currently available on underground marketplaces 13. This number represents a 300% increase since 2018, equivalent to more than two compromised accounts for every person on Earth 13.

More recently, cybersecurity researchers confirmed that nearly 16 billion passwords were leaked and exposed in data breaches between 2024 and 2025, providing attackers with an enormous arsenal for conducting further attacks 9, 7.

Stealth and Detection Evasion

Blending with Legitimate Traffic

One of the most significant advantages of credential-based attacks is their ability to evade detection by security systems 5. When attackers use valid credentials, they can blend in with normal traffic patterns, making it extremely difficult for security tools to distinguish malicious activity from legitimate user behavior 25.

Traditional security measures such as firewalls and intrusion detection systems are designed to identify anomalous network activity or malicious code execution 2. However, when an attacker simply logs in with valid credentials, these systems often fail to detect the intrusion because the activity appears legitimate from a technical perspective 28.

Extended Dwell Time

The stealthy nature of credential-based attacks allows cybercriminals to maintain a persistent presence within compromised systems 5. According to IBM’s Cost of a Data Breach Report, breaches involving compromised credentials take significantly longer to detect and contain, averaging 292 days—the longest of any attack vector studied 14.

This extended dwell time provides attackers with ample opportunity to move laterally within networks, escalate privileges, and exfiltrate sensitive data without triggering security alerts 25. By the time the breach is discovered, the damage has often already been done 14.

Human Vulnerability Exploitation

Predictable Password Behaviors

Cybercriminals exploit fundamental human tendencies in password creation and management 9. Despite decades of cybersecurity education, password practices remain fundamentally flawed 9. Analysis of exposed passwords revealed that 94% were reused or duplicated across multiple accounts, with only 6% being unique 9.

The most commonly used passwords continue to be predictably weak, with “123456,” “admin,” “12345678,” “password,” and “Password” topping the list 9. Additionally, 42% of users rely on passwords with only 8-10 characters, with eight characters being the most popular length 9. These predictable patterns make password guessing attacks highly effective 9, 15.

Password Modification Patterns

Even when users attempt to create variations of their passwords across different services, they typically follow predictable modification patterns that can be easily anticipated by attackers 10. Research shows that among a large user population, there is only a small set of rules that users often apply to modify their passwords 10. This “low variance” makes modified passwords highly predictable, with algorithms able to guess 30% of modified passwords within just 10 attempts 10.

The Cybercriminal Ecosystem

Specialized Roles and Services

The credential theft ecosystem has evolved into a sophisticated supply chain with specialized roles 16:

  1. Malware developers who create credential-stealing tools
  2. Distributors who deploy the malware through phishing and other methods
  3. Data aggregators who collect and organize the stolen credentials
  4. Initial access brokers who sell verified credentials to other attackers

This specialization has increased the efficiency and effectiveness of credential theft operations, allowing cybercriminals to focus on their specific expertise while participating in the broader ecosystem 16.

Infostealer Malware Proliferation

A significant development in recent years is the dramatic rise of infostealer malware specifically targeting credentials 1. The X-Force team observed a 266% year-on-year uptick in the deployment of infostealing malware 8. These specialized tools extract passwords from browsers, password managers, and system files, then transmit them to command-and-control servers operated by cybercriminals 16, 8.

The proliferation of infostealers has created a self-reinforcing cycle where compromised credentials fuel further attacks 1. More than 23 million devices have been affected by infostealers, creating vast repositories of stolen login data that criminals can exploit 1.

Conclusion: The Shifting Cybersecurity Paradigm

The preference for password theft over direct hacking methods represents a fundamental shift in the cybersecurity landscape 2. As Charles Henderson of IBM noted, “What this establishes is that the criminals have figured out that valid credentials are the path of least resistance, and the easiest way in” 5.

This shift requires a corresponding evolution in defensive strategies 2. Organizations must recognize that traditional perimeter-based security models are insufficient against credential-based attacks 2. Instead, a more comprehensive approach is needed that addresses both the technical and human aspects of security, including stronger authentication mechanisms, improved monitoring of user behavior, and enhanced security awareness training 25.

One viable passwordless solution is Netlok’s Photolok® MFA login because it replaces passwords with photos and uses randomization to protect against AI/ML attacks. For users, it is simple to use, ultrasecure, and cost effective when compared to passwords.

As attackers continue to refine their credential theft techniques, the gap between the effort required to compromise systems through password theft versus technical exploits will likely widen further 5, 11. Understanding this dynamic is essential for developing effective security strategies that can adapt to the evolving threat landscape 5.

  1. https://www.axios.com/2024/03/05/passwords-data-breaches-malware
  2. https://www.linkedin.com/pulse/attackers-log-dont-hack-can-we-stop-them-hasmaath-k-parkar-6s1xf
  3. https://www.cycognito.com/glossary/path-of-least-resistance.php
  4. https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/gaining-access-techniques-implications-safeguards/
  5. https://specopssoft.com/blog/credential-based-attacks-guide/
  6. https://www.securityweek.com/path-least-resistance-beats-road-less-travelled/
  7. https://www.forbes.com/sites/daveywinder/2025/05/16/millions-of-stolen-passwords-available-to-hackers-for-just-81-a-week/
  8. https://www.techmonitor.ai/technology/cybersecurity/valid-user-credentials-ibm
  9. https://www.linkedin.com/pulse/cracking-code-weaknesses-traditional-password-based-systems-mwema-lyuzf
  10. https://people.cs.vt.edu/gangwang/pass.pdf
  11. https://techcrunch.com/2024/04/06/price-of-zero-day-exploits-rises-as-companies-harden-products-against-hackers/
  12. https://www.wiz.io/academy/credential-stuffing
  13. https://hackread.com/dark-web-15-billion-credentials-100000-data-breaches/
  14. https://www.varonis.com/blog/data-breach-statistics
  15. https://www.eurecom.fr/en/publication/2910/download/rs-publi-2910_1.pdf
  16. https://thrivenextgen.com/social-engineering-the-path-of-least-resistance/
  17. https://www.darkreading.com/threat-intelligence/credential-theft-cybercriminals-favorite-target
  18. https://elm.umaryland.edu/elm-stories/2025/Unveiling-the-Shadows-How-Cyber-Criminals-Steal-Your-Passwords.php
  19. https://www.enzoic.com/blog/hackers-steal-passwords/
  20. https://www.onsip.com/voip-resources/voip-fundamentals/cybersecurity-101-why-hackers-want-your-data-what-happens-to-it
  21. https://www.paloaltonetworks.com/cyberpedia/what-is-a-credential-based-attack
  22. https://www.memcyco.com/attack-vectors-in-2025/
  23. https://www.beyondidentity.com/resource/cost-of-passwords-resets-breaches-and-more
  24. https://www.beyondtrust.com/blog/entry/the-cyberattackers-path-of-least-resistance-is-shifting-heres-how-you-must-adapt
  25. https://www.financierworldwide.com/cyber-crime-and-fs-blocking-the-path-of-least-resistance
  26. https://news.sd.gov/news?id=news_kb_article_view&sysparm_article=KB0031629
  27. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3514411
  28. https://arcticwolf.com/resources/blog/four-ways-to-prevent-credential-theft-and-credential-based-attacks/
  29. https://www.darkreading.com/cyber-risk/cybercriminals-swap-phishing-for-credential-abuse-vuln-exploits
  30. https://users.ece.cmu.edu/~vsekar/Teaching/Spring25/18731/reading/Credentials.pdf
  31. https://www.balbix.com/insights/attack-vectors-and-breach-methods/
  32. https://aag-it.com/the-latest-cyber-crime-statistics/
  33. https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-statistics/
  34. https://securityboulevard.com/2022/01/how-to-automate-response-to-credential-compromises/
  35. https://www.youtube.com/watch?v=vKPGZHoHX8k
  36. https://logmeonce.com/resources/password-appearing-in-a-data-leak/
  37. https://www.dashlane.com/blog/common-ways-hackers-steal-passwords
  38. https://reliaquest.com/blog/the-credential-abuse-cycle-theft-trade-and-exploitation
