29 Apr 2025

Banking passwords stolen from Australians are being traded online by cybercriminals

10:42 am on 29 April 2025

By Ange Lavoipierre, ABC

Photo: Composite of keyboard and code (Unsplash / RNZ)

More than 31,000 passwords belonging to Australian customers of the Big Four banks are being shared amongst cyber criminals online, often for free, the ABC can reveal.

Despite the anti-fraud protections in place at those banks, cybersecurity experts warn victims could "definitely" lose money as a result.

An investigation by cyber intelligence researchers has shown credentials belonging to at least 14,000 CommBank customers, 7,000 ANZ customers, 5,000 NAB customers and 4,000 Westpac customers are available on the messaging platform Telegram and the dark web.

It comes in the wake of recent attacks on Australian superannuation funds, where hackers stole from pensioners and used leaked passwords to try to gain access to members' accounts.

The Australian firm Dvuln, which made the discovery, said the passwords were stolen directly from users' personal devices, which had been infected with a type of malware known as an "infostealer".

"This is not a vulnerability in the banks," Dvuln's founder Jamie O'Reilly said.

"These are customer devices that have been infected."

Infostealer malware, as the name suggests, is a type of malicious software tailor-made to infect a device, harvest as much valuable data as possible and deliver it directly to criminals.

It overwhelmingly targets computers running Windows and, as well as passwords, can capture credit card details, cryptocurrency wallets, local files, and browser data including cookies, browsing history and autofill details.

Dvuln started researching the scale of Australia's infostealer problem after superannuation funds were targeted in early April.

"We've seen a tight correlation between the use of infostealer malware and using those passwords to conduct these types of attacks," O'Reilly said.

Experts said exposed passwords created a genuine risk of theft for the account holder.

"Threat actors can use the bank account to link to some kind of payment system, to transfer funds, or for money laundering," said Leonid Rozenberg, a specialist in infostealer malware from cybersecurity company Hudson Rock.

He also warned that the threat posed by infostealers was much broader than just breached banking credentials.

"We see that the average [infostealer] victim has between 200 [and] 300 account [details] stored inside the browser," Rozenberg said.

"It can be a PayPal account … it can be [an] account that is used [to] transfer money between different countries … it can be, for example, [an] e-commerce account that already has credit card linked."

Some of the 31,000 devices captured in Dvuln's audit were infected as far back as 2021, but would still provide valuable data to attackers, according to O'Reilly.

"As a day job, I work to hack some of the biggest companies in the world," he said.

"We have been able to compromise even some ASX-listed companies, in a controlled scenario, with four- or five-year-old passwords."

Given the scale of Australia's infostealer problem, notably little theft or fraud has been publicly linked to it.

However O'Reilly said many instances could be happening under the radar.

"There may be a large number of fraud attacks happening against individuals and businesses… but there's been no public attribution because it's very difficult to trace back to a specific malware infection," he said.

"A lot of this crime, on an individual level, goes unreported."

Infostealers: The 'silent heist' on 3.9 billion passwords

The use of infostealers has exploded in recent years.

Hudson Rock said there were now more than 58,000 infected devices in Australia and more than 31 million infections globally.

The company arrived at the figure by counting all infected devices, rather than just those belonging to banking customers.

Recent analysis from cybersecurity firm KELA found that globally, at least 3.9 billion passwords had been stolen using the technique.

It's been dubbed "the silent heist" by the Australian Signals Directorate.

"Back in 2018 it was only 135,000 infections and today, we're speaking about 31 million," Rozenberg said.

That more than 200-fold increase has contributed to a breathtakingly low price tag on stolen passwords.

O'Reilly monitors about 100 Telegram groups dedicated to trading data siphoned using infostealers, many of which offer a subscription model.

"You can pay $US400 and every month, as this gang continues to steal more passwords and infect more computers… you may get 100,000 to 200,000 new logs from 100,000 to 200,000 infected computers from all around the world, not just Australia," he said.

That's $626 in Australian currency at the exchange rate at the time of publication, which works out to less than a cent per infected device.

For those willing to pay between US$3,000 and US$10,000, some Telegram groups promise "lifetime access".

In some cases, data is given away for free.

"The criminals have so many passwords and so much data, that they actually give away thousands and thousands of credentials just to entice new criminal customers to come and buy the private information," he said.

For now, more than 90 per cent of infostealer infections are on computers with Windows operating systems, O'Reilly said.

"There is a growing number of mobile devices being infected with malware, but it's nowhere near as much," he said.

That skew has less to do with any Windows security weakness and more to do with the fact that attackers have chosen to target that system, Rozenberg said.

"Still, today, in 2025, most of the people, they're using Windows devices," said Rozenberg.

"So [attackers] mostly develop infostealers for Windows," he said.

How to protect yourself from infostealer malware

There are steps people can take to protect themselves from infostealers, but a lot of the usual advice isn't enough on its own.

For example, changing your password won't do much if you're still using an infected device.

"It's the equivalent of changing your locks while the burglars are still in your house," O'Reilly said.

The best option, he said, is to change your password from a separate, secure device.

Even multi-factor authentication (MFA) isn't a total shield, with malware gangs sometimes selling cookies or access tokens alongside the stolen passwords.

"If you do have someone's active access token, a lot of the time you can actually bypass their MFA," he said.
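The mechanism behind both points above (a password change alone not helping, and a stolen session cookie or token skipping MFA) is easiest to see from the server side. The following is an added example written for this page, not code from Dvuln, Hudson Rock or any bank: a minimal session store in Python in which a login checks password and MFA, but a request that merely carries a valid session cookie checks neither, so a cookie copied by an infostealer is accepted until the service revokes it. The class and function names, the PBKDF2 parameters, the one-hour session lifetime and the sample user data are all assumptions made for the example.

```python
"""Added example (not from the article or any bank): why a stolen session
cookie bypasses MFA, and why a password change must also revoke sessions."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed tuning values for the example; a real service sets these per risk profile.
SESSION_MAX_AGE_SECONDS = 3600
PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    salt: bytes
    password_hash: bytes
    mfa_code: str               # stand-in for a TOTP verifier (assumption for the example)
    session_generation: int = 0  # bumped on password change / "sign out everywhere"


@dataclass
class Session:
    username: str
    generation: int   # generation at issue time; a stale generation means revoked
    issued_at: float


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthService:
    """Tokens are opaque random strings; everything about them lives server-side."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str, mfa_code: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(salt, _hash_password(password, salt), mfa_code)

    def login(self, username: str, password: str, mfa_code: str, now: float) -> Optional[str]:
        """Interactive login: password AND MFA are checked before a token is issued."""
        user = self.users.get(username)
        if user is None:
            return None
        if not secrets.compare_digest(_hash_password(password, user.salt), user.password_hash):
            return None
        if not secrets.compare_digest(mfa_code, user.mfa_code):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.session_generation, now)
        return token

    def authenticate_cookie(self, token: str, now: float) -> Optional[str]:
        """A request carrying a session cookie: no password and no MFA are involved."""
        session = self.sessions.get(token)
        if session is None:
            return None
        user = self.users[session.username]
        if session.generation != user.session_generation:
            self.sessions.pop(token, None)  # issued before a password change: revoked
            return None
        if now - session.issued_at > SESSION_MAX_AGE_SECONDS:
            self.sessions.pop(token, None)  # age limit caps how long any stolen cookie lives
            return None
        return session.username

    def change_password(self, username: str, new_password: str) -> None:
        """Rotating the hash alone leaves every existing cookie valid; bumping the
        generation is what invalidates tokens an infostealer has already exfiltrated."""
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new_password, user.salt)
        user.session_generation += 1


def demo() -> Dict[str, bool]:
    """The article's scenario with constructed sample data; each value is whether the
    server accepted the request."""
    svc = AuthService()
    svc.register("alice", "correct horse battery staple", mfa_code="123456")
    t0 = 1_700_000_000.0
    # Alice logs in on her infected PC; the infostealer copies the resulting cookie.
    stolen = svc.login("alice", "correct horse battery staple", "123456", now=t0)
    results = {}
    # The attacker replays the cookie: accepted, with no password and no MFA prompt.
    results["replay_accepted"] = svc.authenticate_cookie(stolen, now=t0 + 60) == "alice"
    # Alice changes her password (from a clean device); the generation is bumped...
    svc.change_password("alice", "new password")
    # ...so the stolen cookie stops working.
    results["replay_accepted_after_password_change"] = svc.authenticate_cookie(stolen, now=t0 + 120) == "alice"
    # A fresh login works again, and the age limit eventually rejects even that cookie.
    token2 = svc.login("alice", "new password", "123456", now=t0 + 180)
    results["fresh_login_accepted"] = svc.authenticate_cookie(token2, now=t0 + 200) == "alice"
    results["expired_cookie_accepted"] = svc.authenticate_cookie(token2, now=t0 + 200 + SESSION_MAX_AGE_SECONDS + 1) == "alice"
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The practical reading for an account holder is the one O'Reilly gives: change the password from a clean device, and where the service offers it, use "sign out of all devices" so the generation bump (or its equivalent) actually happens. For a service operator, the design point is that password rotation, session revocation and a short session lifetime are three separate controls, and only the last two do anything about a cookie that has already been stolen.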

It's still important to rotate passwords and use MFA, O'Reilly said, but he has two more key pieces of advice: firstly, stay on top of software and antivirus updates.

"Research does show that up to 50 percent of devices infected with infostealer malware have antivirus," he said.

"But what a lot of people don't talk about is the fact that either the operating system or the antivirus itself isn't kept up to date."

Therefore, the first line of defence is to update both.

The second piece of advice: beware the family computer.

Infostealer infections are spread in lots of ways, such as phishing, dodgy links, dodgy ads and dodgy downloads, including torrents, pirated software and gaming mods (downloadable modifications to an existing game, often user-made and unofficial).

"One of the most common ways… [is] Minecraft mods or cracked software, which is software that you would typically have to pay license fees for," he said.

It's often a baited hook, set by malware gangs, according to O'Reilly.

"If you've got banking credentials or highly sensitive information on your computer, keep that separate from the computer your children are using," he said.

Ideally, he said, this research would be a wake-up call.

"Nothing is 100 percent unhackable, but there are definitely strategies that people can use at home to make it much harder for criminals to get their information in the first place," he said.

- ABC