Yotam Gutman
06-05-2026
Attackers no longer need to exploit VPN vulnerabilities. They buy credentials, log in, and blend in. This post breaks down how VPN credentials are stolen, sold, and used, and why standard defences are not enough.
Attackers no longer need to find a vulnerability in your VPN. They can simply log in.
That shift has been underway for several years, but the data from 2024 and 2025 makes it undeniable. Credential theft has become the dominant initial access method for ransomware and data theft operations targeting enterprise networks. The VPN, originally designed to extend secure access to remote workers, has become the most reliable front door into corporate infrastructure for attackers who know where to shop.
This post explains how VPN credentials are stolen, how they are packaged and sold, how attackers use them once purchased, and why the standard remediation advice falls short of solving the underlying problem.
VPN credentials are the authentication factors that grant a user access to a private network from outside it. Depending on the platform, they include:
When an attacker obtains any of these, the VPN becomes a direct entry point into the internal network, often with fewer controls than the organisation's core identity provider. The critical point: the VPN cannot distinguish a legitimate user from an attacker who has the right credentials. It authenticates, then it connects.
Credential theft is not a single technique. It is an ecosystem with several distinct supply chains operating in parallel.
Infostealers on endpoints
Infostealer malware harvests saved browser passwords, autofill data, session cookies, and application credentials from infected devices. Mandiant's 2024 M-Trends investigations found that stolen credentials accounted for 16% of initial infection vectors, up from prior years. In December 2025, analysis of a newly marketed stealer family called Arkanix (promoted on Discord) showed premium tiers explicitly targeting VPN account data as a configurable collection category.
Phishing and login-flow interception
Modern phishing kits do not just capture passwords. They intercept the full authentication session, including MFA prompts and weaker fallback factors. An attacker who captures a one-time code in real time can replay it before it expires, bypassing MFA entirely. Rogue and fake VPN clients operate on the same principle, substituting a lookalike portal that harvests credentials before passing the session through.
Infrastructure-level leaks
Sometimes credentials are not stolen from the user at all. In January 2025, researchers disclosed a leak of Fortinet FortiGate configuration data that included plaintext VPN user credentials for more than 15,000 devices. The credentials were already valid and required no further exploitation to use.
After theft, credentials rarely go directly into use by the same actor who stole them. The underground market has developed a specialised supply chain.
Stolen credential sets are validated, packaged by target type (VPN access, RDP, SSO), and listed on closed forums and invite-only channels. Buyers range from ransomware affiliates looking for quick entry to more sophisticated actors who want access to a specific industry or organisation.
A middle layer of Initial Access Brokers (IABs) sits between theft and deployment. IABs acquire or steal credentials, quietly confirm that the access is live, map the environment, and build a package with documented network access before selling it at a premium. The resulting listing is not just a username and password. It is a confirmed, mapped entry point into a named organisation.
Even unverified bulk credential sets retain value. Credential stuffing at scale (trying large lists of known username and password pairs across VPN portals) consistently finds organisations where password reuse or delayed rotation has left old credentials active.
Once inside, attacker activity follows a consistent pattern: reconnaissance of internal systems, lateral movement to higher-value targets, data staging and exfiltration, and in many cases ransomware deployment. The session looks like a legitimate remote access session because it is one, authenticated by real credentials.
One detail that compounds the risk: credential sets are often reused and resold across multiple buyers. An organisation that does not rotate credentials after a suspected breach, or does not know a breach occurred, may face multiple separate intrusions from the same stolen set over months. The VPN breach post-mortem examines how this pattern played out in the major enterprise VPN incidents of recent years.
The data from 2024 and early 2025 is consistent across sources.
At-Bay reported that in 2024, 80% of ransomware attacks in its insured population had a remote access tool as the entry vector, with 83% of those cases involving a VPN device specifically.
Beazley's Q1 2025 threat report found that compromised VPN credentials led to 56% of observed ransomware deployments in its client base.
In mid-December 2025, a coordinated credential-based campaign targeted enterprise VPN authentication portals at Palo Alto Networks GlobalProtect and Cisco SSL VPN. The activity was described as scripted login attempts, not vulnerability exploitation. Attackers were not looking for a flaw in the software. They were trying credentials. Nation-state actors have run the same playbook: Zeroport's Iranian cyber threat landscape analysis documents how IRGC-affiliated groups used credential-based access as a primary intrusion method across multiple campaigns.
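The credential stuffing described above and the scripted login campaign against the GlobalProtect and Cisco portals share one log-level signature: a single source failing against many distinct accounts in a short window, sometimes followed by a success. The detector below is an added example, not code from the original post or from Zeroport; the log line format and the thresholds are assumptions, and the log itself is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN portal auth log; the format is assumed, not any vendor's.
LOG = """\
2025-12-15T02:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-12-15T02:00:02Z src=203.0.113.7 user=bob result=FAIL
2025-12-15T02:00:02Z src=203.0.113.7 user=carol result=FAIL
2025-12-15T02:00:03Z src=203.0.113.7 user=dave result=FAIL
2025-12-15T02:00:04Z src=203.0.113.7 user=erin result=FAIL
2025-12-15T02:00:05Z src=203.0.113.7 user=frank result=FAIL
2025-12-15T02:00:09Z src=203.0.113.7 user=frank result=SUCCESS
2025-12-15T08:15:00Z src=198.51.100.20 user=grace result=FAIL
2025-12-15T08:15:30Z src=198.51.100.20 user=grace result=SUCCESS
"""

LINE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

def parse(log):
    """Return (timestamp, source_ip, username, result) tuples, skipping unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_stuffing(events, min_users=5, window_s=300):
    """Flag sources that fail against >= min_users distinct accounts within window_s
    seconds. A later SUCCESS from a flagged source is the stuffing hit: that account's
    credential is confirmed live on the market and should be rotated, not just watched."""
    fails = defaultdict(list)   # src -> [(timestamp, username)] for FAIL events
    alerts = {}                 # src -> {"distinct_users": int, "success_as": [users]}
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
            recent = {u for t, u in fails[src] if (ts - t).total_seconds() <= window_s}
            if len(recent) >= min_users:
                entry = alerts.setdefault(src, {"distinct_users": 0, "success_as": []})
                entry["distinct_users"] = max(entry["distinct_users"], len(recent))
        elif src in alerts:
            alerts[src]["success_as"].append(user)
    return alerts
```

A single-IP threshold misses stuffing spread across a proxy pool; in practice pair this with a per-account failure count and a rotation step for any account that appears in `success_as`.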
The standard response to VPN credential theft follows a familiar script: enforce MFA, rotate credentials regularly, deploy UEBA to detect anomalous sessions, monitor for impossible travel.
All of it is worth doing. None of it addresses the structural problem.
MFA can be intercepted in real time by phishing kits designed for that purpose. Credential rotation helps, but only if the organisation knows a theft occurred and rotates quickly enough. UEBA detects anomalies statistically, but a sophisticated attacker who moves slowly and mimics normal behaviour can stay under the threshold. Detection is not prevention.
The reason these measures are insufficient is not that they are poorly implemented. It is that they all operate at the policy layer while the underlying architecture remains the same: a software service that accepts credentials from any machine on the internet and, if satisfied, opens a network connection.
The architectural question is whether stolen credentials should be able to open a network connection at all.
Zeroport's answer is that they should not. Rather than authenticating a user to a software portal, Zeroport's Fantom appliance creates a hardware boundary at the network edge. Authentication is tied to a specific physical device installed at the organisation's perimeter, not a cloud service or software application. A stolen username, password, and MFA token cannot be replayed from an attacker's machine, because the hardware device is part of the authentication chain and cannot be accessed remotely.
Beyond authentication, the session itself carries no IP traffic. Only pixels leave the network. Only keyboard and mouse commands enter. Even if access were somehow obtained, there is no packet path available for malware delivery or data exfiltration. For a deeper look at what this architecture removes from the attacker's toolkit, see how air-gapped remote access works.
The credential theft economy exists because stolen credentials unlock network connections. Zeroport closes that pathway at the architecture layer, not the policy layer.
Schedule a demo to see how Zeroport eliminates the VPN credential attack surface.