In an increasingly cloud-dependent business landscape, a disturbing trend threatens the foundation of cloud security: credential theft. Recent incidents and reports indicate a dramatic surge in credential theft attacks and the abuse that follows them. The implications for cloud environments are potentially devastating, since a single compromised credential can provide access to vast troves of sensitive data and critical infrastructure.
The Alarming Rise in Credential Theft
According to the Red Report 2025, credential theft incidents have spiked by an unprecedented 300% compared to previous years. This dramatic increase positions credential theft as the preferred attack vector for cybercriminals in 2025 so far, surpassing traditional methods like ransomware and DDoS attacks in both frequency and effectiveness. It is important to note that stolen credentials also facilitate ransomware attacks, as highlighted in the Coalition threat report.
The surge is largely driven by the widespread use of infostealer malware: automated tools designed specifically to harvest credentials and authentication tokens from compromised systems. Flashpoint’s research indicates that infostealer activity grew significantly throughout 2024 and continued to grow into 2025.
How Criminals Are Stealing Cloud Credentials
eSecurity Planet reports that infostealer malware has evolved dramatically in 2025, with new variants engineered specifically to target cloud service tokens and credentials. Modern infostealers can extract credentials from:
- Browser storage (saved passwords and session data)
- Configuration files (for example, cloud SDK credential and profile files)
- Environment variables
- Cloud CLI tools (cached credentials and session tokens)
- Authentication cookies (a stolen session cookie can be replayed to bypass MFA)
- Password managers
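To make that list concrete, here is an added example, not code from the original article and not an infostealer: a small Python scanner that checks the same on-disk and environment sources a stealer reads, so a defender can inventory which long-lived cloud credentials a compromised workstation would hand over. The file paths, file contents and environment values are constructed for the demo (the AWS values are the placeholder keys used in AWS documentation), and the regular expressions are assumptions about common credential formats, not an exhaustive list.

```python
import re
from typing import Dict, List, Tuple

# Patterns for long-lived cloud secrets as they typically appear in files and
# environment variables. Assumptions for this example: AWS access key IDs are
# AKIA (long-term) or ASIA (temporary STS) plus 16 characters; AWS secret keys
# are 40 base64-like characters; a GCP service-account JSON carries a
# "private_key" field; an Azure client secret shows up as an env assignment.
PATTERNS = {
    "aws_access_key_id": re.compile(
        r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "gcp_service_account_key": re.compile(
        r'"private_key"\s*:\s*"-----BEGIN (?:RSA )?PRIVATE KEY-----'),
    "azure_client_secret_env": re.compile(
        r"(?i)\bAZURE_CLIENT_SECRET\s*=\s*\S+"),
}

Finding = Tuple[str, str, int]  # (source, pattern name, line number)


def scan_text(source: str, text: str) -> List[Finding]:
    """Run every pattern over each line of text. Only the location and the
    kind of secret are reported, never the secret itself."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((source, name, lineno))
    return findings


def scan_host(files: Dict[str, str], env: Dict[str, str]) -> List[Finding]:
    """Scan the credential sources an infostealer reads: credential/config
    files and environment variables. `files` maps path -> content so the
    example runs offline; a real run would read ~/.aws/credentials,
    ~/.azure, ~/.config/gcloud and project .env files from disk."""
    findings: List[Finding] = []
    for path, content in files.items():
        findings.extend(scan_text(path, content))
    for key, value in env.items():
        findings.extend(scan_text(f"env:{key}", f"{key}={value}"))
    return findings


# Constructed sample host state for the demo. The AWS values are the
# documented placeholder keys from AWS's own examples, not real secrets.
SAMPLE_FILES = {
    "/home/dev/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "/home/dev/app/.env": (
        "DATABASE_URL=postgres://localhost/app\n"
        "AZURE_CLIENT_SECRET=constructed-secret-value\n"
    ),
    "/home/dev/app/config.yaml": "region: us-east-1\nlog_level: info\n",
    "/home/dev/gcp-sa.json": (
        '{"type": "service_account", "private_key": '
        '"-----BEGIN PRIVATE KEY-----\\nMIIE...constructed...\\n-----END PRIVATE KEY-----\\n"}\n'
    ),
}
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "AWS_ACCESS_KEY_ID": "ASIAIOSFODNN7EXAMPLE",  # temporary STS key left in env
}


def run_demo() -> List[Finding]:
    return scan_host(SAMPLE_FILES, SAMPLE_ENV)


if __name__ == "__main__":
    for source, kind, lineno in run_demo():
        print(f"{source}:{lineno}: {kind}")
```

Every hit is a credential that does not need the user's password or MFA to be abused once copied off the machine. The fix is less about hiding these files and more about not having them: identity-federated SSO for humans, instance or workload roles for services, and short-lived session tokens in place of static keys.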
Social Engineering Tactics
Dark Reading highlights that cybercriminals continue to rely heavily on social engineering tactics to obtain cloud credentials:
- Phishing campaigns mimicking cloud service providers
- Business email compromise focusing on cloud service administrators
- Vishing (voice phishing) attacks targeting help desk personnel
- Social media reconnaissance to craft targeted impersonation attempts
Spotlight: The Daisy Cloud Hacker Group
One of the most sophisticated threat actors specializing in cloud credential theft is the Daisy Cloud hacker group, which has exposed over 30,000 login credentials across various cloud platforms. The group has developed a highly structured approach to credential theft that specifically targets cloud environments, running efficient, rapid operations at scale with the help of automation tools. Initial access to multi-cloud environments is gained mainly through sophisticated phishing. Then, upon obtaining valid credentials, the group employs automated scripts that:
- Test credential validity across multiple cloud services (exploiting password reuse)
- Establish persistence mechanisms such as creating secondary accounts or API keys
- Implement obfuscation techniques to avoid detection by security monitoring systems
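The first two behaviours in that list, bulk validity testing of stolen credentials and persistence through new keys or users, are what a defender should hunt for in cloud audit logs. The Python below is an added example, not code from the original article and not the group's tooling: two simple rules run over constructed CloudTrail-style records. Field names are trimmed to what the rules need (`principal` stands in for `userIdentity.arn`), the IP addresses come from RFC 5737 test ranges, and the list of persistence events and the per-principal known-IP baseline are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# IAM calls that give an intruder a second foothold once a stolen credential
# has been confirmed to work. Illustrative, not exhaustive.
PERSISTENCE_EVENTS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile",
    "AttachUserPolicy", "UpdateAssumeRolePolicy",
}


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_credential_testing(events: List[dict],
                              window: timedelta = timedelta(minutes=10),
                              min_principals: int = 3) -> List[Tuple[str, Tuple[str, ...]]]:
    """Flag a source IP that validates credentials for several different
    principals within a short window: the "does this key still work?" probe
    an attacker runs over a batch of stolen credentials. GetCallerIdentity
    is the cheapest such call on AWS and needs no permissions."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["eventName"] == "GetCallerIdentity":
            by_ip[e["sourceIPAddress"]].append(e)
    alerts: List[Tuple[str, Tuple[str, ...]]] = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        for i, first in enumerate(evs):
            t0 = parse_time(first["eventTime"])
            principals = {x["principal"] for x in evs[i:]
                          if parse_time(x["eventTime"]) - t0 <= window}
            if len(principals) >= min_principals:
                alerts.append((ip, tuple(sorted(principals))))
                break  # one alert per IP is enough
    return alerts


def detect_persistence_from_new_ip(events: List[dict],
                                   known_ips: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Flag persistence-type IAM calls made from an IP the principal has not
    been seen using before. The baseline would normally be built from weeks
    of prior CloudTrail history."""
    alerts: List[Tuple[str, str, str, str]] = []
    for e in events:
        if (e["eventName"] in PERSISTENCE_EVENTS
                and e["sourceIPAddress"] not in known_ips.get(e["principal"], set())):
            alerts.append((e["principal"], e["eventName"],
                           e["sourceIPAddress"], e["eventTime"]))
    return alerts


def run_detection(events: List[dict], known_ips: Dict[str, Set[str]]) -> Dict[str, list]:
    return {
        "credential_testing": detect_credential_testing(events),
        "persistence": detect_persistence_from_new_ip(events, known_ips),
    }


# Constructed sample records. Three stolen credentials are validated from one
# unfamiliar IP, then two of them are used to mint a new key and a new user.
SAMPLE_EVENTS = [
    {"eventTime": "2025-03-01T09:00:00Z", "eventName": "GetCallerIdentity", "principal": "alice", "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2025-03-01T09:30:00Z", "eventName": "CreateAccessKey",   "principal": "alice", "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2025-03-01T10:00:00Z", "eventName": "GetCallerIdentity", "principal": "alice", "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2025-03-01T10:01:00Z", "eventName": "GetCallerIdentity", "principal": "bob",   "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2025-03-01T10:02:00Z", "eventName": "GetCallerIdentity", "principal": "carol", "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2025-03-01T10:05:00Z", "eventName": "CreateAccessKey",   "principal": "bob",   "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2025-03-01T10:06:00Z", "eventName": "CreateUser",        "principal": "carol", "sourceIPAddress": "203.0.113.5"},
]

# Constructed baseline of source IPs each principal has historically used.
KNOWN_IPS: Dict[str, Set[str]] = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.20"},
    "carol": {"198.51.100.30"},
}


if __name__ == "__main__":
    for rule, hits in run_detection(SAMPLE_EVENTS, KNOWN_IPS).items():
        for hit in hits:
            print(rule, hit)
```

Alice's own CreateAccessKey at 09:30 from her usual address is not flagged; the same call from 203.0.113.5 by bob is, as is carol's CreateUser, and the three-principal burst of GetCallerIdentity from that address fires the validity-testing rule on its own. In production the IP baseline should be widened with ASN and user-agent features, because a replayed session cookie makes the source network the only signal that changes.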
Afterwards, they use these credentials to attack the organization. They shy away from “noisy” ransomware attacks and focus instead on covert exfiltration of valuable data, which is then monetized through:
- Direct sale on specialized dark web marketplaces
- Targeted extortion of affected organizations
- Licensing access to compromised environments to other criminal groups
The group’s activity demonstrates that cloud environments are an attractive target for credential theft attacks. The result? Stolen credentials have been linked to 67% of major cloud data breaches in early 2025.
Mitigation
As credential theft techniques continue to evolve, cloud security strategies must adapt accordingly. As noted above, credential theft and abuse is quickly becoming the most notable threat to cloud environments. On one hand, organizations are required to prioritize credential protection. On the other, they must also strengthen their cloud security defenses. By implementing robust access controls, using multi-factor authentication (preferably phishing-resistant methods, since one-time codes and session cookies can be phished or replayed), educating staff, and regularly monitoring cloud environments for anomalous use of valid credentials, businesses can reduce the risk of credential theft and ensure the ongoing safety of their data and infrastructure.
Skyhawk Security’s Continuous Proactive Protection helps organizations identify their crown jewel assets; its GenAI-based red team and blue team then test how defenses hold up against cloud attacks, especially those that involve stolen credentials.