Criminals Pay $10 to Hack You: Identity-Based Threats Hit Record High

The eSentire research team warns that cheap phishing kits, combined with info-stealers, enable cybercriminals to conduct identity-based attacks to record highs.

The number of cyberattacks focusing on user identities increased by 156% during the previous year because hackers now primarily target login credentials. Security researchers at eSentire indicate that identity-driven threats makeup 59% of all incidents they investigate.

The primary factors driving this increase? PhaaS (Phishing as a Service) platforms like Tycoon 2FA, together with info-stealing malware, operate as the main causes of this rise. The tools enable criminals to take control of user accounts and create substantial recovery expenses for businesses.

“Tycoon 2FA has emerged as the dominant phishing tool since hitting the shelves in 2023,” eSentire explained, as reported by The Record. For just $200-300 per month, criminals get realistic phishing pages for Microsoft 365 and Google Workspace, plus tools to bypass multi-factor authentication (MFA). “The technical sophistication of these services rivals that of legitimate security tools,” eSentire added in the report.

The main security threat in the business world stems from Business Email Compromise (BEC) schemes. The attackers use Tycoon 2FA to create fake login pages, which they use to deceive finance staff. The attackers steal login credentials to track email communications before locating important financial documents and redirecting payment transfers to their criminal bank accounts.

BEC attacks and email takeovers increased by 60% between the previous year and Q1 2025, to become the leading attack type at 41% of total incidents. The less well-known BEC attacks result in financial losses that reach into the billions for businesses.

The purchase of logs from info-stealers costs criminal operators between $10 and $100. The stolen credentials from infected devices amount to dozens of entries, which can be used for basic identity attacks.

“The ROI for identity-based attacks far exceeds that of traditional malware,” eSentire warned, urging companies to adopt phishing-resistant tools like passkeys and invest in monitoring and rapid response.

“Organizations can either proactively transform their security architectures to address identity-centric threats, or they can continue operating with obsolete security programs until a successful attack forces reactive changes under crisis conditions,” the security report concluded.