The 2easy dark web marketplace has gained notoriety for its role in selling and exchanging stolen data. Site operators harvest the stolen data via 600,000 devices tainted with information-stealing malware.

What is 2easy?

The 2easy platform first appeared in 2018 and has since shown rapid growth. Last year, the platform sold data from 28,000 infected devices. 2easy was considered a minor player in this particular dark web and info-stealing space.

Since then, analyses indicate that ‘high-quality’ offerings on the site amped up interested among cyber criminals. Hackers want to see whose network they can access next.

How it works

The data logs are archives of stolen data from malware-compromised web browsers or systems. Logs commonly contain account credentials, cookies, and saved credit card information.

The 2easy platform is fully automated, allowing individuals to create accounts, add money to wallets and engage in purchases without directly interacting with sellers. Hackers can purchase logs for as low a price as $5.00 per item. This is roughly 5X less than what a common competitor offers and three times less the average cost of bot logs in another underground marketplace.

The 2easy logs consistently provide valid credentials that offer network access to many organizations. In addition to the cost benefits for hackers, they can also explore a variety of functional details around purchases that other services cannot provide. The only downside for hackers is the inability to preview certain items.

Why 2easy matters

Logs packed with credentials represent keys to doors and those doors can lead straight into your online accounts, giving hackers access to financial information or corporate networks. While logs are sold for as little as $5.00 per item, the harm inflicted on your organization could cost millions of dollars.

In June of 2021, the Electronic Arts attack occurred due to hackers who purchased stolen cookies online and then weaponized them to gain access to an EA Slack channel. Upon accessing the Slack channel, attackers tricked an EA employee into providing a multi-factor authentication token. The rest is history.

Further details

Items purchased on the 2easy platform are packaged as archive files that contain stolen logs from selected bots. Exact content type depends on the info-stealing malware previously deployed and corollary capabilities. Each strain of malware focuses on something slightly different.

In 50% of cases, sellers rely on RedLine as the malware of choice. RedLine can pinch passwords, cookies, credit cards, FTP credentials and additional details. Of the 18 sellers active on the site, five use RedLine exclusively. Four others use RedLine in tandem with other malware strains.


2easy supports an ecosystem that exploits logs in order to help hackers get into privately-owned and otherwise inaccessible locations. These types of intrusions can lead to ransomware attacks and other types of malware disturbances. Measures for preventing access-based attacks include use of multi-factor authentication, frequent password rotation, and use of zero trust principles.

For the latest information about ransomware prevention, read our e-book.

Lastly, to learn more about managing cyber risk in a changing world, please join us at the premiere cyber security event of the year – CPX 360 2022. Register here.