The stolen login

There is a new scam in town.
And unlike the social engineering tricks that have kept most Filipino consumers wary for years (the SMS with the suspicious link, the fake alert, the email disguised as your bank), this one doesn’t need you to click anything at all.
It already has your password.
We told people not to click, not to share OTPs, not to trust unknown senders. And for a time, that worked. But cybercrime, like finance itself, evolves.
Welcome to the era of infostealer malware and credential theft at scale: a quieter, more patient form of financial cybercrime that is now reshaping the threat landscape from Southeast Asia all the way to the dark web marketplaces where stolen Filipino data is bought and sold like any other commodity.
According to a 2025 report by Kaspersky, more than one million online banking accounts globally were compromised last year, not primarily through traditional hacking, but through stolen login credentials. These are harvested through increasingly sophisticated social engineering schemes and then traded or reused across platforms via dark web marketplaces, sometimes months or years later, long after the victim had any reason to think they were exposed.
Bank-specific phishing has declined, suggesting that digital banking platforms are getting harder to convincingly impersonate. Instead, cybercriminals are migrating to softer targets: e-commerce sites, payment platforms and digital wallets.
Mobile financial malware grew by approximately 1.5 times year-on-year. As more of our financial lives move to smartphones, so do the threats.
The infostealer attack chain is elegant in its simplicity. A user often unknowingly downloads malicious software bundled with a pirated app, a fake browser extension or a phishing email attachment. The malware then silently harvests saved passwords, browser cookies, bank card details and cryptocurrency wallet keys from the device. This data is packaged into what the underground calls a “stealer log” and sold on dark web marketplaces, sometimes for as little as a few hundred pesos equivalent.
Global data from SpyCloud found that in 2024 alone, over 17 billion browser session cookies were circulating on the dark web. Session cookies allow an attacker to bypass passwords and multi-factor authentication entirely; they simply replay an active session token and walk straight into an account. The padlock on your banking app, in other words, may already be unlocked.
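Why a replayed cookie skips the password and the OTP, and what a server-side check against it can look like, is shown in this added Python sketch (an illustration written for this page, not code from the column or from any institution). It assumes a hypothetical `device_id` that is bound to the phone and is not stored alongside the cookie, for example a key held in the device's hardware keystore; all names and sample values are constructed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-process key, constructed for the demo

def context_tag(device_id: str, user_agent: str) -> str:
    """Keyed digest of the client context a session was issued to."""
    msg = f"{device_id}\x00{user_agent}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> {"user": ..., "tag": ...}

    def issue(self, user, device_id, user_agent):
        """Called once, after password and MFA have both succeeded."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "tag": context_tag(device_id, user_agent)}
        return token

    def validate_unbound(self, token):
        """Weak form: whoever presents the cookie is the user; MFA is never re-checked."""
        session = self._sessions.get(token)
        return session["user"] if session else None

    def validate_bound(self, token, device_id, user_agent):
        """Hardened form: a token presented from another context is revoked."""
        session = self._sessions.get(token)
        if session is None:
            return None, "unknown-session"
        if not hmac.compare_digest(session["tag"], context_tag(device_id, user_agent)):
            del self._sessions[token]  # force a fresh login, MFA included
            return None, "context-mismatch"
        return session["user"], "ok"

def demo():
    store = SessionStore()
    # Constructed sample values: the wallet user's phone and an attacker's machine.
    token = store.issue("juan", "device-A", "WalletApp/5.2 (Android)")
    weak = store.validate_unbound(token)  # replayed cookie alone is accepted
    replay = store.validate_bound(token, "device-B", "Mozilla/5.0 (Windows)")
    after = store.validate_bound(token, "device-A", "WalletApp/5.2 (Android)")
    return weak, replay, after

if __name__ == "__main__":
    print(demo())
```

Revoking the session on a mismatch also logs out the legitimate user, which is the intended outcome: the next login goes through the password and MFA again, and the stolen token is worthless.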
Globally, infostealer malware stole an estimated 1.8 billion credentials in 2025, affecting 5.8 million devices, representing an approximately 800 percent surge over recent years, according to DeepStrike analysis. The Asia-Pacific region, per Kaspersky’s findings, has seen a particularly sharp rise in infostealer activity, with credentials from accounts at major global banks actively circulating on dark web markets.
The threat is not abstract. In June 2025, Interpol’s Asia and South Pacific Joint Operations Against Cybercrime (ASPJOC) coordinated what became known as Operation Secure: a multi-country law enforcement action involving 26 nations across Asia, including the Philippines.
The operation resulted in 32 arrests, the seizure of 41 servers and the dismantling of over 20,000 malicious IP addresses and domains linked to infostealer infrastructure.
Vietnamese authorities alone arrested 18 suspects, including the ringleaders of a South Asian infostealer network operating malware-as-a-service, selling stolen browser credentials, cookies, credit card data and cryptocurrency wallet information through Telegram and dark web channels.
The stakes in the Philippines could not be higher. The Philippine digital wallet market reached an estimated $13.7 billion in value in 2025, with projections pointing toward $62.7 billion by 2034. Many users are first-time participants in the formal financial system, accessing digital banking not through a branch, but through their phones.
That is our achievement. But it is also our exposure surface.
For an ordinary Filipino relying on a digital wallet as their primary financial tool, these attacks can mean a wiped savings balance, a ruined credit record, or worse, a stolen identity used to open fraudulent loan accounts they will spend years paying off.
We have always believed that the promise of digital finance can only be sustained if it is trusted. And trust, in this environment, must be earned and defended every single day.
In March, the FinTech Alliance PH and CIBI launched the Fraud Intelligence Data Sharing or FIDS Network: a secure, centralized platform that allows banks, fintech companies, e-wallet providers and financial institutions to contribute verified fraud signals and check incoming applicants or account openings against a shared database of confirmed fraud data.
Fraud schemes are adaptive precisely because they move across platforms. A fraudster flagged by one institution can simply walk across the “digital street” and attempt the same attack on another. FIDS disrupts that logic. When participating institutions share intelligence, the system begins to see patterns that no single organization could detect alone.
We also have the fraud bureau, which will leverage real-time data sharing and advanced analytics in collaboration with the Bangko Sentral ng Pilipinas (BSP) and the Cybercrime Investigation and Coordinating Center, with the explicit goal of securing digital finance for over 110 million Filipinos.
We have also introduced a shared e-KYC registry to simplify and secure onboarding, and we are launching the AI Circle of Excellence in partnership with the Analytics and AI Association of the Philippines to foster responsible AI innovation within the financial sector. We have also deepened our information security partnerships and are collaborating with the BSP on cyber education for consumers and institutions alike.
Infostealer malware thrives on inattention and outdated habits. There are practical steps every user can take: avoid downloading software from unverified sources; use unique, strong passwords for every financial account; enable app-level biometric authentication rather than relying solely on SMS OTPs; and periodically review active sessions on your banking and e-wallet apps.
But individual vigilance alone is not enough. The industry has a responsibility, and increasingly, the infrastructure, to meet the threat at scale.
We are building systems that can see what no single institution can see alone. And as long as Filipinos continue to place their trust in the digital economy, that work will never be finished, and we will never stop doing it.
Lito Villanueva is the Philippines’ leading thought leader in inclusive digital finance. As EVP and Chief Innovation and Inclusion Officer of RCBC, he has driven large-scale digital initiatives that advanced financial inclusion. He is the founding chairman of FinTech Alliance PH, representing 95 percent of the country’s digital retail financial transactions with an aggregate user base in excess of 100 million, and the first global chairman of the Alliance of Digital Finance Associations. Recognized as a People Asia Men Who Matter 2025, Asia Trailblazer and AGORA Awardee, he continues to shape the fintech landscape in the Philippines and beyond.