
Locked doors, stolen keys: how infostealers are robbing igaming operators
In this article, brought to you by SOFTSWISS, group chief information security officer Evgeny Zaretskov discusses why proactive dark web monitoring and advanced threat intelligence solutions are the only way to stay one step ahead of cyber crime

Imagine this: your back-office admin account, the keys to your igaming kingdom, sold for a mere £10 on a dark web forum. The buyer? A cybercriminal who didn’t need to breach your network – they simply purchased your credentials from an infostealer log leaked weeks ago. This isn’t a hypothetical scenario but a growing reality in today’s digital landscape. According to Check Point’s The State of Cyber Security 2025 report, 90% of breached companies had previous corporate credentials leaked in a stealer log – a stark reminder that once login details fall into the wrong hands, attackers gain an easy foothold.
Infostealers explained: the silent threat on every device
Infostealers are stealthy malware programs designed to exfiltrate sensitive data from infected endpoints. Unlike ransomware, which often announces itself with file encryption and demands for payment, infostealers operate discreetly. They focus on:
- Privileged credentials: usernames, passwords and cryptocurrency wallet data
- Browser artifacts: saved logins, authentication tokens and session cookies
- Local files and configuration data: screenshots, system logs and confidential documents
Once harvested, these ‘digital keys’ are often sold on dark web marketplaces or used immediately to breach corporate networks, posing a significant threat to igaming operators that rely on continuous uptime and uncompromised trust.
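The harvesting behaviour described above leaves a recognisable trace on the endpoint: a process that is not the browser reads the browser's credential and cookie stores. The following added example (not code from the article or from SOFTSWISS) runs that detection over a handful of constructed EDR-style file-access events; the host names, process names and allow-list of expected browser binaries are all assumptions made for the example.

```python
"""Added example (not from the article): flag non-browser processes that read
browser credential stores, a common infostealer behaviour, using constructed
EDR-style file-access events."""
import json
import posixpath
from dataclasses import dataclass

# Files infostealers typically copy from Chromium-based browser profiles.
# Paths arrive Windows-style; separators are normalised before matching.
CREDENTIAL_STORE_FILES = {"login data", "cookies", "web data", "local state"}

# Processes legitimately expected to touch those files (constructed allow-list;
# a real deployment would derive this from its own baseline).
EXPECTED_READERS = {"chrome.exe", "msedge.exe", "brave.exe"}


@dataclass
class Finding:
    host: str
    process: str
    path: str
    reason: str


def _is_credential_store(path: str) -> bool:
    """True if the path points at a browser profile credential/cookie store."""
    p = path.replace("\\", "/").lower()
    return posixpath.basename(p) in CREDENTIAL_STORE_FILES and "/user data/" in p


def detect_credential_store_access(events):
    """Return one Finding per read of a browser credential store by a process
    that is not an expected browser binary."""
    findings = []
    for ev in events:
        if ev.get("action") != "file_read":
            continue
        path = ev.get("path", "")
        if not _is_credential_store(path):
            continue
        proc = ev.get("process", "").lower()
        if proc in EXPECTED_READERS:
            continue
        findings.append(Finding(ev["host"], proc, path,
                                "non-browser process read browser credential store"))
    return findings


# Constructed sample telemetry: one legitimate browser read, two reads of
# credential stores by an unexpected binary, and one unrelated file read.
SAMPLE_EVENTS = [
    {"host": "WS-07", "process": "chrome.exe", "action": "file_read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS-07", "process": "update_helper.exe", "action": "file_read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS-07", "process": "update_helper.exe", "action": "file_read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"host": "WS-07", "process": "explorer.exe", "action": "file_read",
     "path": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for f in detect_credential_store_access(SAMPLE_EVENTS):
        print(json.dumps(f.__dict__))
```

In practice the allow-list would also be checked against code-signing information, since a stealer can name its binary after a browser; the point of the rule is that access to these files is rare and easy to baseline.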

An automated alert from a dark web monitoring platform, revealing stolen corporate credentials attributed to an infostealer breach
Why igaming operators are prime targets
Cybersecurity efforts in igaming have traditionally focused on safeguarding player information. However, modern infostealer campaigns now target core back-office infrastructure. A single compromised device can lead to:
- Unauthorised privileged access: attackers manipulate odds, siphon funds or disrupt live games
- Operational downtime and ransomware threats: stolen credentials allow attackers to deploy malware and demand ransom
- Exploiting crypto payment integrations: criminals gain access to crypto payout modules, enabling untraceable fund transfers
- Damage to trust: even brief intrusions erode player confidence and invite regulatory scrutiny

Information extracted by the infostealer, encompassing all stored logins/passwords, session cookies, system details and even desktop screenshots from the infected device
High-stakes incidents: infostealers in action
Because infostealers frequently harvest credentials from personal devices – well beyond an operator’s internal security controls – the direct link between a ‘breach’ and the actual malware can remain unclear. If the operator itself wasn’t initially infected, investigators may see only a ‘credential-stuffing’ attempt, even though logs from infostealer-infected endpoints are the real source. Below are two illustrative cases from recent years, showing how these stealthy attacks can escalate into major compromises.
1. Crypto sector: Binance infostealer attack (May 2023)
In May 2023, Binance, one of the world’s largest cryptocurrency exchanges, detected an infostealer malware campaign aimed at its internal employee endpoints. Attackers tried to leverage stolen credentials to infiltrate corporate systems. While Binance successfully contained the threat, this incident proved that even major industry players can fall prey to stealthy credential-harvesting malware.
2. Igaming sector – DraftKings compromise via infostealer logs (November 2022)
In November 2022, American sports betting and igaming operator DraftKings revealed that attackers accessed around 68,000 customer accounts, leading to unauthorised withdrawals of roughly $300,000. Initially framed as ‘credential stuffing’, subsequent investigations (and BleepingComputer coverage) unearthed infostealer ‘logs’ commonly sold on dark web marketplaces. The compromised credentials originated from users’ infected personal devices, highlighting how infostealers can wreak havoc even if the operator’s core systems remain unbreached.

SIEM event triggered by an HIBP alert about a corporate account detected in an aggregated database of leaked credentials
The SOFTSWISS playbook: infostealer defence strategies
At SOFTSWISS, we view infostealers as a stealthy persistent threat, demanding proactive defences across the entire igaming infrastructure. Drawing on both our hands-on experience and leading cybersecurity research, we’ve developed a comprehensive approach to intercept credential-harvesting malware before it can cause major disruptions. Below are our key recommendations for effectively battling infostealers:

- Restrict high-level access
Limit entry to core casino back-offices, payment gateways and other critical corporate infrastructure strictly to essential personnel. Require connections to sensitive resources to pass through secure network controls – such as a VPN or Zero Trust framework – ensuring that only verified users and endpoints gain access. Regularly audit permissions, rotate passwords and deactivate dormant accounts to shrink your attack surface.
- Combine MFA with endpoint and network checks
Multi-factor authentication (MFA) is vital but not a panacea: if a device is already compromised, attackers may intercept tokens or one-time passcodes. Complement MFA with robust endpoint security (antivirus, disk encryption, patch management) and network-level policies, such as Network Access Control (NAC). This ensures all corporate or personal devices pass compliance checks (eg, updated malware definitions, recent security patches) before connecting to privileged resources.
- Mandate secure devices for admin tasks
Prefer corporate-owned, security-hardened laptops and mobile devices for administrative operations. If personal endpoints must be used, enforce strict requirements: full-disk encryption, active malware protection and routine scans.
- Enable real-time XDR monitoring
Deploy an extended detection and response (XDR) solution that correlates endpoint activity, network traffic and user behaviour. By analysing data from multiple sources in real time, XDR can detect subtle signs of infostealer infiltration, blocking attackers from moving laterally across your environment.
- Deploy dark web monitoring
Leverage professional services, such as Flare, Cyble or SOCRadar, to scan for leaked credentials tied to your domain. Proactive dark web checks provide near-real-time alerts when corporate logins surface on underground marketplaces.
- Adopt SOAR for 24/7 incident response
Integrate a security orchestration, automation and response (SOAR) system with your SIEM feeds to automatically isolate infected endpoints, reset compromised accounts and alert relevant staff.
- Promote safe software and device practices
Train employees to avoid downloading untrusted apps, browser extensions and software from unofficial sources. Emphasise the dangers of blending personal and corporate usage on a single device, given how swiftly infostealers can spread.
- Conduct infostealer-focused training
Schedule regular sessions highlighting how stealthy these campaigns can be – demonstrating real attack logs. Encourage staff to report unusual system behaviours (slow performance, unexpected pop-ups) that might indicate hidden malware.
- Engage in industry-wide collaboration
At SOFTSWISS, we actively share anonymised metrics, threat analyses and defensive measures with our igaming peers. By uniting against infostealers, we strengthen the entire sector’s resilience.
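The dark web monitoring and SOAR recommendations above meet in one place: an alert that a corporate login has surfaced in a stealer log must be turned into concrete, deduplicated response actions. The following is an added example written for this article, not SOFTSWISS code or the output of any of the named services; the corporate domain, back-office host names, alert records and action names are all constructed assumptions.

```python
"""Added example (not SOFTSWISS code): triage leaked-credential alerts from a
dark web monitoring feed and derive SOAR-style response actions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LeakAlert:
    source: str                 # feed or marketplace the record came from
    login: str                  # e-mail or username as found in the stealer log
    target_url: str             # URL the credential was captured for
    infected_host: Optional[str] = None   # host name if the log identifies it


@dataclass
class Action:
    kind: str
    subject: str
    note: str


# Constructed values for the example; a real playbook reads these from the IdP/CMDB.
CORPORATE_DOMAINS = {"example-casino.test"}
BACKOFFICE_HOSTS = {"admin.example-casino.test", "payouts.example-casino.test"}


def _host_of(url: str) -> str:
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def triage(alerts, active_accounts, seen_fingerprints):
    """Return response actions for the alerts. seen_fingerprints is mutated so a
    log that is re-sold and re-surfaces later does not trigger a second reset."""
    actions = []
    for a in alerts:
        login = a.login.lower()
        host = _host_of(a.target_url)
        fingerprint = (login, host)
        if fingerprint in seen_fingerprints:
            continue
        seen_fingerprints.add(fingerprint)

        domain = login.rsplit("@", 1)[-1] if "@" in login else ""
        corporate_login = domain in CORPORATE_DOMAINS
        backoffice_target = host in BACKOFFICE_HOSTS
        if not corporate_login and not backoffice_target:
            continue  # player or third-party credential: handled by a different playbook

        if login in active_accounts:
            actions.append(Action("force_password_reset", login, f"leaked via {a.source}"))
            # Stealer logs carry session cookies too, so a password reset alone is not enough.
            actions.append(Action("revoke_sessions", login, "invalidate tokens captured with the password"))
        else:
            actions.append(Action("ticket", login, "leaked but not an active account; confirm deactivation"))

        if backoffice_target and a.infected_host:
            actions.append(Action("isolate_endpoint", a.infected_host, "source of back-office credential leak"))
        if backoffice_target:
            actions.append(Action("page_oncall", login, f"back-office credential seen on {a.source}"))
    return actions


# Constructed alerts: an active admin leaked twice (second copy is a duplicate),
# a player credential out of scope, and a former employee's mailbox login.
SAMPLE_ALERTS = [
    LeakAlert("marketplace-A", "Alice@example-casino.test",
              "https://admin.example-casino.test/login", "ALICE-LAPTOP"),
    LeakAlert("marketplace-C", "alice@example-casino.test",
              "https://admin.example-casino.test/login", "ALICE-LAPTOP"),
    LeakAlert("marketplace-B", "bob@gmail.test", "https://www.example-casino.test/account"),
    LeakAlert("marketplace-B", "former@example-casino.test", "https://mail.example-casino.test/"),
]
ACTIVE_ACCOUNTS = {"alice@example-casino.test"}


def run_sample():
    return triage(SAMPLE_ALERTS, ACTIVE_ACCOUNTS, set())


if __name__ == "__main__":
    for act in run_sample():
        print(f"{act.kind:22} {act.subject:30} {act.note}")
```

The dedup key is deliberately (login, target host) rather than the whole record: the same stolen credential is typically repackaged and resold under several feed names, and resetting the account once is what matters. Leaked logins that no longer exist in the directory still get a ticket, because stale accounts are exactly the ones that slip through a manual review.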
By adopting these strategies, igaming operators can substantially minimise the risk of infostealer-driven breaches. At SOFTSWISS, we focus on safeguarding our clients’ operations by continuously refining our approach, adding new layers of defence and unique solutions against stealthy credential-harvesting attempts.

Evgeny Zaretskov is group chief information security officer at SOFTSWISS. He is a seasoned cybersecurity executive with over 15 years of experience leading and developing security strategies for organisations spanning diverse industries, including high-risk sectors like igaming/gambling and betting, fintech and crypto. His track record spans working with companies of various scales, from dynamic startups to Fortune Global 500 enterprises.