Let's start with a number that ought to ruin your morning coffee.
18.7 million. That's how many infostealer logs — neat little bundles of someone's stolen passwords, cookies, crypto wallets and browser history — were analysed across a single year of independent threat intelligence research. Of those, 2.05 million contained enterprise identity credentials: the username and password combos that get attackers directly into someone's Microsoft 365, Okta or corporate VPN. In early 2024, roughly 6% of infostealer logs contained enterprise credentials. By late 2025, that figure was 14%. Industry researchers now project it will hit one in five by Q3 2026.
If you run a UK business and you don't have a knot in your stomach yet, read that paragraph again.
The first quarter of 2026 has, in a quiet but unmistakable way, been the quarter infostealers stopped being a niche problem for banks and crypto exchanges and became the single most boring, effective, industrialised way to break into almost any organisation in Britain.
The UK-Specific Numbers Are Worse Than You Think
The Department for Science, Innovation and Technology's Cyber Security Breaches Survey 2025 — which remains the most authoritative UK dataset going into Q1 2026 — found that 43% of UK businesses identified a cyber breach or attack in the previous 12 months. That's roughly 612,000 businesses. Of those hit, 85% experienced phishing — by far the leading delivery mechanism for infostealer malware.
Then there's the NCSC. The NCSC Annual Review 2025 reported that the agency handled 204 nationally significant cyber incidents in the year to September 2025 — up from 89 the year before. Highly significant incidents rose by 50% for the third year running. NCSC CEO Richard Horne put it bluntly at the Annual Review launch: this is the moment for "a sense of urgency." Four nationally significant attacks, every single week.
And this is before we talk about the retail sector.
M&S and the Co-op: A £300 Million Lesson in What Comes Next
You'll remember 2025's twin attacks on Marks & Spencer and the Co-op, widely attributed to the Scattered Spider cybercrime collective working with DragonForce ransomware affiliates. M&S lost an estimated £300 million in profit. The Co-op had the data of 6.5 million members stolen.
The initial access mechanism isn't guesswork. M&S chairman Archie Norman told the UK Parliament's Business and Trade Sub-Committee in July 2025 that the breach stemmed from "what people now call social engineering... a euphemism for impersonation," and confirmed the entry point involved a third-party provider being manipulated into resetting an internal user's password. The NCSC has separately acknowledged that the M&S, Co-op and Harrods intrusions share commonalities in initial access — specifically, social engineering techniques aimed at IT help desks, where attackers impersonate employees to get credentials reset and MFA disabled.
That's the bit that's confirmed. What isn't publicly confirmed is exactly where the attackers got the personal details they used to make those impersonation calls convincing. But Scattered Spider's documented playbook includes scraping LinkedIn, breach dumps and — yes — infostealer logs to build dossiers on the people they intend to impersonate. Which is the pattern UK security professionals keep trying to drill into boardrooms:
The breach that ends up on the front page of the Financial Times rarely starts with a zero-day. It starts with a laptop at home, a pirated plugin, and a credential that was sitting in a stealer log for three months before anyone bothered to use it.
What Security Researchers Are Saying Right Now
Q1 2026 hasn't been quiet. A quick tour of what the infosec community has actually published between January and April:
- Whiteintel's Intelligence Division (March 2026) mapped the full infostealer lifecycle and found the window between a device being infected and the stolen credentials appearing on a dark web marketplace is now 48 hours or less. Two days. That's your detection budget.
- Constella Intelligence reported processing 51.7 million infostealer packages in 2025 — a 72% year-on-year increase — identifying 24.8 million unique infected devices and 2.3 billion stolen passwords.
- Varonis researchers disclosed a new strain dubbed Storm in early 2026, notable for remotely decrypting stolen credentials server-side to evade endpoint detection.
- Group-IB tracked a sustained phishing campaign delivering Phantom Stealer to European logistics, manufacturing and technology firms between November 2025 and January 2026.
- Trend Micro and Bitsight both confirmed that the LummaC2 takedown in May 2025 — despite Microsoft seizing 2,300 domains — proved temporary. Lumma is back at scale, and Vidar 2.0 and StealC have quietly grown to fill the gaps.
The consistent message from UK and European security researchers through Q1 has been remarkably uniform: centralised identity is now the control plane of the modern enterprise, and attackers have adapted faster than defenders have. Once criminals hold one Entra ID password with a valid session cookie, they don't need to hack anything else. They walk in, sign in, and look exactly like your employee to every downstream system.
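To make the "walk in with a stolen cookie" scenario concrete from the defender's side, here is an added example (not code from the original post or from any vendor named in it) that scans sign-in events for a session identifier being reused in a way a replayed cookie would produce: a different country or browser fingerprint from the one that established the session, or reuse well beyond the session's expected lifetime. The event field names and the sample events are constructed assumptions, using RFC 5737 documentation addresses, not any identity provider's real log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sign-in events (field names are an assumption for this example).
# "session_id" is the opaque identifier the browser presented with each request.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T08:55:12Z", "user": "j.smith@example.co.uk", "session_id": "sess-7f3a",
     "ip": "192.0.2.10", "country": "GB", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/133", "result": "success"},
    {"ts": "2026-03-02T13:10:44Z", "user": "j.smith@example.co.uk", "session_id": "sess-7f3a",
     "ip": "192.0.2.10", "country": "GB", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/133", "result": "success"},
    # Same session identifier, ~46 hours later, from another country and browser:
    # the pattern a stolen cookie leaves behind.
    {"ts": "2026-03-04T07:02:19Z", "user": "j.smith@example.co.uk", "session_id": "sess-7f3a",
     "ip": "203.0.113.77", "country": "RU", "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/131", "result": "success"},
    # A second user whose session stays consistent: should produce no alert.
    {"ts": "2026-03-03T09:00:00Z", "user": "a.khan@example.co.uk", "session_id": "sess-91c0",
     "ip": "198.51.100.5", "country": "GB", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "result": "success"},
    {"ts": "2026-03-03T17:30:00Z", "user": "a.khan@example.co.uk", "session_id": "sess-91c0",
     "ip": "198.51.100.5", "country": "GB", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "result": "success"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class ReplayAlert:
    user: str
    session_id: str
    reason: str
    established: str  # timestamp of the event that first presented this session
    observed: str     # timestamp of the suspicious reuse


def detect_session_replay(events, max_session_hours=24):
    """Return one alert per successful event that reuses a session identifier
    from a different country, a different browser fingerprint, or after the
    expected session lifetime has passed. Failed sign-ins are ignored."""
    baseline = {}  # session_id -> first successful event seen for it
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["result"] != "success":
            continue
        sid = ev["session_id"]
        first = baseline.setdefault(sid, ev)
        if first is ev:
            continue  # this event established the session; nothing to compare yet
        reasons = []
        if ev["country"] != first["country"]:
            reasons.append(f"country changed {first['country']}->{ev['country']}")
        if ev["ua"] != first["ua"]:
            reasons.append("browser fingerprint changed")
        age_hours = (parse_ts(ev["ts"]) - parse_ts(first["ts"])).total_seconds() / 3600
        if age_hours > max_session_hours:
            reasons.append(f"session reused after {age_hours:.0f}h")
        if reasons:
            alerts.append(ReplayAlert(ev["user"], sid, "; ".join(reasons), first["ts"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(f"{alert.user} {alert.session_id}: {alert.reason} "
              f"(established {alert.established}, observed {alert.observed})")
```

The useful part is the triage output: an alert names the session, not just the user, so the response is to revoke that session (and the refresh tokens behind it) rather than only resetting a password, which on its own does nothing to a cookie that is already in an attacker's browser.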
Why This Hits UK Businesses Harder
A few things conspire to make British organisations particularly exposed heading into the rest of 2026:
- Hybrid working is now default. Personal devices, home networks, and that one family member who installs anything they find on Reddit. Your corporate MDM doesn't cover the laptop your finance director's teenager uses to torrent films.
- SSO has been a quiet triumph and a quiet disaster. Roughly 79% of enterprise identity logs analysed in 2025 featured Microsoft Entra ID. The more you consolidate, the bigger the prize when one credential falls.
- The ICO isn't sympathetic. GDPR fines can still reach 4% of global annual turnover, and the ICO has made it clear — repeatedly — that "the infection was on a personal device" is not a defence.
- Supply chains are the back door. Vendor email compromise, driven almost entirely by stealer-harvested credentials, is costing UK firms millions per incident. Your security is only as good as your smallest supplier's least-careful employee.
The Uncomfortable Questions You Should Be Able to Answer by Friday
- Do you know, right now, whether any @yourcompany.co.uk credentials are for sale on a Russian-language forum?
- If an employee's session cookie was stolen yesterday, would you notice when it was replayed from a Moscow IP in 48 hours' time?
- When was the last time anyone in your organisation checked an infostealer log database for your own domain?
If the honest answer is "we don't know" or "never," you are — to use the technical term — operating on vibes.
How DarkStrata Helps Close the 48-Hour Window
The reason that 48-hour infection-to-marketplace figure matters is that it also defines the window in which you can actually do something. Rotate the password. Invalidate the session. Quarantine the device. Call the employee before the criminal does.
That's the problem DarkStrata was built to solve. We continuously ingest and index stealer log dumps, underground marketplace data, and breach corpora, and we watch them for your domains, your employees, your customers. When a credential ending in your company domain appears, you get an alert — often within hours of it being posted — with enough context to act: which machine was infected, which browser profile, which applications were compromised, whether session cookies were included.
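To show what "enough context to act" looks like in practice, here is an added example (written for this article, not DarkStrata's own code or any real dump format) that walks a stealer-log-style export, keeps only records whose username belongs to a monitored domain, and groups them by employee and infected machine with the context the paragraph lists: browser profile, which application hosts were captured, whether cookies came with them, and how many other accounts sat on the same device. The JSON-lines layout, the field names and every record are constructed assumptions; real dumps come in many shapes, so the parser skips lines it cannot read rather than failing.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

MONITORED_DOMAINS = {"example.co.uk"}  # the domains you own (assumption)

# Constructed JSON-lines export in a hypothetical layout. Passwords are
# deliberately absent: the check needs only the identity and the context.
SAMPLE_DUMP = """\
{"host": "DESKTOP-A1B2C3", "browser_profile": "Chrome/Default", "url": "https://login.microsoftonline.com/", "username": "j.smith@example.co.uk", "cookies": 14, "logged": "2026-03-01T22:14:00Z"}
{"host": "DESKTOP-A1B2C3", "browser_profile": "Chrome/Default", "url": "https://vpn.example.co.uk/", "username": "j.smith@example.co.uk", "cookies": 0, "logged": "2026-03-01T22:14:00Z"}
{"host": "DESKTOP-A1B2C3", "browser_profile": "Chrome/Default", "url": "https://streaming.example.net/login", "username": "jsmith_home@example.org", "cookies": 3, "logged": "2026-03-01T22:14:00Z"}
{"host": "LAPTOP-Z9Y8X7", "browser_profile": "Edge/Profile 1", "url": "https://sso.example.co.uk/", "username": "a.khan@EXAMPLE.CO.UK", "cookies": 0, "logged": "2026-03-03T04:41:00Z"}
{"host": "LAPTOP-Z9Y8X7", "browser_profile": "Edge/Profile 1", "url": "https://shop.example.com/", "username": "someone@other-company.com", "cookies": 2, "logged": "2026-03-03T04:41:00Z"}
this line is deliberately not JSON and must be skipped
"""


def parse_dump(text):
    """Parse one JSON object per line, silently dropping unreadable lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def email_domain(username):
    """Return the lower-cased domain part of an e-mail style username, or None."""
    if "@" not in username:
        return None
    return username.rsplit("@", 1)[1].lower()


def find_exposed(records, monitored_domains):
    """Group monitored-domain credentials by (username, infected host) and
    attach the context needed to respond."""
    exposed = defaultdict(lambda: {"apps": set(), "browser_profiles": set(),
                                   "cookies": False, "first_logged": None,
                                   "other_accounts_on_host": 0})
    accounts_per_host = defaultdict(set)
    for rec in records:
        username = rec.get("username", "")
        host = rec.get("host", "<unknown host>")
        accounts_per_host[host].add(username.lower())
        if email_domain(username) not in monitored_domains:
            continue
        entry = exposed[(username.lower(), host)]
        entry["apps"].add(urlsplit(rec.get("url", "")).hostname or "<unknown app>")
        entry["browser_profiles"].add(rec.get("browser_profile", "<unknown profile>"))
        entry["cookies"] = entry["cookies"] or rec.get("cookies", 0) > 0
        logged = rec.get("logged")
        if logged and (entry["first_logged"] is None or logged < entry["first_logged"]):
            entry["first_logged"] = logged
    # Other accounts captured from the same device hint at a shared or personal machine.
    for (user, host), entry in exposed.items():
        entry["other_accounts_on_host"] = len(accounts_per_host[host] - {user})
    return dict(exposed)


def response_actions(entry):
    """Ordered response steps for one exposed identity. Session revocation is
    added only when cookies were captured, since a password rotation alone
    does not invalidate a cookie already in someone else's browser."""
    actions = ["rotate password", "isolate host", "contact employee"]
    if entry["cookies"]:
        actions.insert(1, "revoke sessions and refresh tokens")
    return actions


if __name__ == "__main__":
    for (user, host), entry in find_exposed(parse_dump(SAMPLE_DUMP), MONITORED_DOMAINS).items():
        print(f"{user} on {host}: apps={sorted(entry['apps'])} cookies={entry['cookies']} "
              f"other_accounts={entry['other_accounts_on_host']} -> {response_actions(entry)}")
```

Matching on the username's domain rather than on the URL is deliberate: a record for a third-party SaaS login still belongs to your employee, and the URL host then tells you which application's password to rotate first.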
It is, genuinely, the most boring and most important security control most UK businesses still don't have.
You can start a free 7-day trial and see whether your organisation is already exposed in about the time it takes to finish this coffee. Most new customers find something on day one. Many find something alarming.
The Bottom Line for Q2 and Beyond
Q1 2026 didn't bring a single cinematic, front-page cyberattack on a UK household name. What it brought was worse: confirmation that the machinery of credential theft has industrialised, recovered from law enforcement action within weeks, and is now producing enterprise-grade access at a scale that should terrify any board that still thinks cyber is "an IT problem."
The NCSC is telling you. The DSIT is telling you. The threat intel community is telling you. And the criminals certainly aren't hiding.
The only remaining question is whether you'll find your credentials on a dark web list before or after someone else does.
Free 7-day trial. See if your organisation is already exposed.
Sources
- NCSC Annual Review 2025
- Cyber Security Breaches Survey 2025 — GOV.UK
- Whiteintel / Cybersecurity News: 48 Hours Between Infection and Dark Web Sale
- Bitsight: Lumma Stealer Is Out… of Business?
- Trend Micro: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities
- Computer Weekly: M&S, Co-op attacks a 'Category 2 cyber hurricane', say UK experts
- BleepingComputer: M&S confirms social engineering led to massive ransomware attack
- NCSC Multi-factor Authentication Guidance