In the digital underground, the era of the "hacker" breaking down firewalls is largely a myth of the past. Today's cybercriminals don't break in — they log in.
The explosive rise of Account Takeover (ATO) is driven by two converging market forces: the massive availability of stolen credentials via "infostealer" malware, and the ability to use residential proxies to mimic the digital footprint of the legitimate account holder.
For security teams, distinguishing a fraudster from a loyal customer has never been harder. When an attacker has the correct username, the correct password, the correct session cookie, and logs in from an IP address located in the victim's own neighborhood, traditional defenses crumble.
The Fuel: Infostealers and "Clouds of Logs"
Before a proxy is ever deployed, the attacker needs ammunition. This comes in the form of "logs" — comprehensive data packets harvested from infected computers by malware like RedLine, Vidar, and Raccoon.
Unlike old-school data breaches that just dumped lists of username:password pairs, modern infostealers exfiltrate the victim's entire digital identity:
- System Information — OS version, screen resolution, hardware specs
- Network Data — IP address, ISP, and geolocation
- Browser Data — saved passwords, autofill data, and crucially, active session cookies
This data is aggregated into massive repositories known as "Clouds of Logs" or sold on automated Telegram marketplaces. Monitoring for breached credentials is now a critical first line of defense.
Over 2 billion unique credentials were aggregated from dark web sources in recent years. Underground "Clouds of Logs" services allow criminals to subscribe for as little as $150/month, giving them searchable access to millions of infected devices globally.
The Engine: Residential Proxy Networks
Once a criminal buys a "log" for a victim in, say, Dallas, Texas, they face a hurdle: if they try to log in from a server in Russia or Nigeria, the bank's security system will trigger an "Impossible Travel" alert and block the attempt.
This is where residential proxies become the essential engine of fraud. By routing traffic through a legitimate consumer device physically located near the victim, the attacker aligns their network signal with the victim's physical address.
Bypassing Velocity Checks
The second function of residential proxies is volume. In credential stuffing attacks, where bots test thousands of stolen passwords against a target site, sending all requests from a single IP would result in an instant ban.
Residential proxy networks offer "rotating" pools of millions of IPs. The bot switches IP addresses after every single login attempt — Comcast in Chicago, then AT&T in Chicago, then Verizon mobile in Chicago. To the target's firewall, this doesn't look like one attacker making 10,000 guesses; it looks like 10,000 distinct, legitimate users logging in once. Effective velocity controls must look beyond IP to detect these patterns.
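The following is an added example, not code from the original article, showing why a per-IP velocity check is blind to a rotating pool and how the same count keyed on a proxy-invariant signal catches it. The log format, the `device_fp` fingerprint field and the ASN labels are constructed assumptions; the IPs come from documentation ranges.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

class AuthEvent(NamedTuple):
    ts: int           # seconds since the start of the window
    ip: str
    asn: str          # constructed network label (cable, DSL, mobile)
    username: str
    device_fp: str    # hypothetical client fingerprint (TLS/JS/header hash)
    result: str       # "ok" or "fail"

def build_sample_events():
    """Constructed sample, not real traffic: one automation stack (device_fp
    'fp-bot-1') tries 12 accounts from 12 rotating residential IPs in one city,
    while a legitimate user mistypes her password once and then succeeds."""
    asns = ["asn-cable", "asn-dsl", "asn-mobile"]
    events = [AuthEvent(i, f"198.51.100.{i + 1}", asns[i % 3], f"user{i:02d}",
                        "fp-bot-1", "fail") for i in range(12)]
    events.append(AuthEvent(20, "203.0.113.7", "asn-cable", "carol", "fp-carol", "fail"))
    events.append(AuthEvent(25, "203.0.113.7", "asn-cable", "carol", "fp-carol", "ok"))
    return events

def per_ip_velocity(events, threshold=5):
    """Classic control: flag an IP once it fails `threshold` times in the window.
    A rotating pool never trips it, since each IP fails at most once."""
    fails = Counter(e.ip for e in events if e.result == "fail")
    return {ip for ip, n in fails.items() if n >= threshold}

def beyond_ip_velocity(events, threshold=5):
    """Key the same count on a signal the proxy does not rotate (the client
    fingerprint) and require that it has spanned many IPs and many target
    accounts, which is the shape of credential stuffing rather than one user."""
    fails, ips, targets = Counter(), defaultdict(set), defaultdict(set)
    for e in events:
        if e.result != "fail":
            continue
        fails[e.device_fp] += 1
        ips[e.device_fp].add(e.ip)
        targets[e.device_fp].add(e.username)
    return {fp for fp, n in fails.items()
            if n >= threshold and len(ips[fp]) >= threshold
            and len(targets[fp]) >= threshold}

if __name__ == "__main__":
    sample = build_sample_events()
    print("per-IP flags:   ", per_ip_velocity(sample))      # set()
    print("beyond-IP flags:", beyond_ip_velocity(sample))   # {'fp-bot-1'}
```

Because the article notes that attackers also load spoofed device fingerprints, the same counters should be kept on other signals the proxy cannot change, such as the spread of distinct target accounts failing within one window.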
The ATO Attack Chain
Here is how a modern account takeover unfolds end to end:
The Infection
User downloads a cracked game containing infostealer malware. Cookies and passwords are silently exfiltrated.
The Purchase
Criminal buys the "log" for $10 on a Telegram market. They see the victim lives in London.
The Masquerade
Criminal rents a residential proxy located in London to match the victim's profile and loads a spoofed device fingerprint.
The Takeover
Using an anti-detect browser and the stolen cookies, the criminal bypasses MFA and drains the account.
The "Cyborg" Attack: Merging Man and Machine
As defenses have improved — specifically CAPTCHAs and behavioral biometrics — criminals have evolved. The "cyborg" attack is a hybrid of human and automated interaction:
- Human Phase — a human operator uses the residential proxy to navigate the target website, browsing products and scrolling naturally to build a "trust profile"
- Handover — once the session is established and trusted, the browser session is handed over to a high-speed bot
- Bot Phase — the bot executes the final fraud at superhuman speed: initiating wire transfers, changing shipping addresses, or checking out with electronics
This method defeats defenses that look for "robotic" navigation patterns during the initial connection phase. Detecting the handover moment requires device intelligence that tracks behavioral continuity across the entire session.
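As an added illustration of "behavioral continuity" (not code from the article or any vendor), the check below scans inter-event timing within a single session and reports the point where an irregular human cadence gives way to a fast, near-constant one. The timestamps and thresholds are constructed assumptions.

```python
from statistics import mean, pstdev

def build_sample_session():
    """Constructed event timestamps (ms) for one session, not recorded traffic:
    a human browses with irregular pauses, then a bot takes over and fires
    requests at a near-constant cadence."""
    human_gaps = [1840, 920, 2610, 1380, 760, 3020, 1150, 2200, 980, 1710]
    bot_gaps = [52, 49, 51, 50, 53, 48, 50, 51, 49, 52]
    ts, events = 0, []
    for gap in human_gaps + bot_gaps:
        ts += gap
        events.append(ts)
    return events

def find_handover(timestamps, window=5, max_gap_ms=200, max_cv=0.1):
    """Return the index of the first event produced at a fast, unnaturally
    regular cadence: a run of `window` consecutive gaps whose mean is at most
    `max_gap_ms` and whose coefficient of variation is at most `max_cv`.
    Returns None when no such run exists (a purely human session)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    for i in range(len(gaps) - window + 1):
        run = gaps[i:i + window]
        m = mean(run)
        if m <= max_gap_ms and pstdev(run) / m <= max_cv:
            return i + 1   # timestamps[i + 1] is the first event after a bot-speed gap
    return None

if __name__ == "__main__":
    session = build_sample_session()
    print("handover at event index:", find_handover(session))   # 10
```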
The Fraudster's Toolkit
Bypassing Multi-Factor Authentication
You might ask: doesn't 2FA stop this? Not always.
- Session Hijacking — if the infostealer grabs a valid, active session cookie, the attacker can import it into their browser. The website believes the user is already logged in and authenticated, bypassing the need for a password or 2FA code entirely
- MFA Fatigue and Phishing — if a code is required, attackers use automated "OTP Bots" that trigger the SMS code to the victim's phone and immediately call the victim, impersonating the bank's fraud department, asking them to "read back the code"
Phishing-resistant MFA like hardware keys (FIDO2) and passkeys cannot be intercepted by OTP bots or phishing pages — making them the strongest defense against session-based ATO.
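As an added example (not from the article or any particular product) of a server-side control against the cookie-import attack above: store only a hash of each session token and bind the session to the device and network seen at login, so a cookie that reappears from a different browser is revoked rather than honoured. Fingerprint values, ASN labels and the `BoundSessionStore` class are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class SessionRecord:
    user: str
    device_fp: str   # hypothetical client fingerprint captured at login
    asn: str         # network the session was issued to

class BoundSessionStore:
    """Server-side session table: tokens are kept only as SHA-256 hashes
    (a leaked table cannot be replayed) and each session remembers the
    context it was issued to."""
    def __init__(self):
        self._by_hash = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, device_fp, asn):
        token = secrets.token_urlsafe(32)
        self._by_hash[self._key(token)] = SessionRecord(user, device_fp, asn)
        return token

    def check(self, token, device_fp, asn):
        """Decide what to do with a presented cookie:
        'ok'      same device and network as at issuance
        'step_up' same device, different network: ask for fresh MFA (roaming user)
        'revoke'  different device: the cookie was moved into another browser
        'reject'  unknown or already-revoked token"""
        rec = self._by_hash.get(self._key(token))
        if rec is None:
            return "reject"
        if rec.device_fp != device_fp:
            del self._by_hash[self._key(token)]
            return "revoke"
        if rec.asn != asn:
            return "step_up"
        return "ok"

def demo():
    """Constructed scenario: a stolen cookie imported into an anti-detect
    browser behind a proxy in the victim's own city, and a real user roaming."""
    store = BoundSessionStore()
    victim = store.issue("alice", "fp-alice-laptop", "asn-london-isp")
    roamer = store.issue("bob", "fp-bob-phone", "asn-home")
    return {
        "victim_same_device": store.check(victim, "fp-alice-laptop", "asn-london-isp"),
        "stolen_cookie_other_browser": store.check(victim, "fp-antidetect-1", "asn-london-isp"),
        "victim_after_revoke": store.check(victim, "fp-alice-laptop", "asn-london-isp"),
        "roaming_user": store.check(roamer, "fp-bob-phone", "asn-mobile"),
    }
```

The infostealer log already contains the victim's device and network details, and the article notes attackers spoof fingerprints, so binding raises the cost of cookie replay but does not replace phishing-resistant MFA.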
The Financial Impact
The cost of ATO extends beyond direct theft. It destroys brand loyalty — a customer whose account is drained rarely trusts that platform again. The operational costs of investigating thousands of false-positive flags generated by proxy traffic can cripple a fraud team. A risk analytics dashboard helps teams prioritize high-confidence alerts over noise.
Key Takeaways
- Infostealers harvest entire digital identities — not just passwords — giving attackers the data to perfectly impersonate victims
- Residential proxies eliminate "Impossible Travel" alerts by routing fraud through IPs in the victim's own city
- Rotating proxy pools make credential stuffing look like thousands of legitimate individual logins
- "Cyborg" attacks combine human browsing with bot execution to defeat behavioral biometrics
- Session cookie theft can bypass MFA entirely without needing a password or OTP code
- Defense requires layered detection: network fingerprinting, behavioral analysis, and phishing-resistant MFA
The convergence of residential proxies, deep-web data logs, and automation has industrialized account takeover. To fight back, businesses must move beyond simple IP blocklisting toward identity-centric security powered by a real-time risk engine that correlates device, network, and behavioral signals.
