Inside the Credential Stuffing Ecosystem: Key Players and Their Roles
Over the last two years, we’ve built a team that has successfully infiltrated the credential stuffing ecosystem — a multi-headed serpent made up of intertwined roles, each contributing to a larger attack infrastructure. This operation has given us rare insights into this complex web, allowing us to profile the key players and understand their motivations.
Credential stuffing isn’t the work of a single actor, but a coordinated effort involving multiple participants, all working within a sophisticated supply chain.
These are the four distinct groups involved in every credential stuffing attack:
- Tool Developers
- Config Builders
- Crackers
- Fraudsters
Let's break down the roles of each group.
1. Tool Developers
Who they are: Tool developers are software engineers who are responsible for creating tools that automate a credential stuffing attack. These tools are crucial for attackers, functioning as a Swiss Army knife for credential stuffing operations.
Toolkit: The community has evolved around common open source projects, including OpenBullet, SilverBullet, and several other variants.
More recently, developers have forked these projects, launching professional subscription services with enhanced features.
Risk profile: Low. It's easy to remain anonymous, and their open source software is always created for "educational purposes."
Income: Tool developers typically make very low income from the software itself.

