What Infostealer Victims Have in Common: 2 Behavioral Patterns That Should Reshape Cybersecurity Training

By Andréanne Bergeron, Security Researcher

Cyberattacks are not purely technological events. They are social interactions in which attackers exploit predictable cognitive biases, emotional triggers, and behavioral tendencies.

Traditional cybersecurity training often misses this reality. Standardized modules, annual compliance courses, and generic policy acknowledgments are widely implemented, but their effectiveness in changing real-world behavior remains limited. The problem is not the quality of the content. It is a fundamental misalignment between how training is delivered and how users actually behave in digital environments.

To reduce risk, awareness programs need to meet users where they are: in the digital environments they actually use. By understanding behavioral patterns, we can craft prevention strategies that are practical, targeted, and relevant.

We studied victims of infostealer malware to compare them with the rest of the general internet population to better understand behavioral and environmental factors that distinguish infostealer victims from typical users. These findings inform us on creating more targeted, effective prevention strategies. 

Key Takeaways About Infostealer Malware Victims

• Victims spend significantly more time in entertainment, gaming, and social media environments and significantly less time on professional/technical sites, compared to the general internet population. This is the core empirical finding from analyzing 10,198 stealer logs against the Tranco web traffic baseline.
• Gaming platforms, entertainment sites, and social media host the exact distribution channels malware operators rely on (ad networks, modding communities, unofficial download portals, bundled software). More time in these environments = more contact with malicious infrastructure.
• Victims exhibit browsing patterns consistent with impulsive digital behavior: the overrepresentation of leisure-oriented and less mainstream sites suggests a tendency toward quick, low-consideration actions (clicking unfamiliar links, downloading unofficial software), which threat actors actively exploit through emotional triggers like urgency, curiosity, and excitement.
• Structural exposure and behavioral predisposition creates a compounding effect: neither factor alone fully explains victimization. It’s the combination of spending time in high-risk environments and exhibiting impulsive browsing patterns that dramatically increases compromise probability, and that generic training programs fail to address.
• Prevention must target the actual ecosystems victims use: Training scenarios should incorporate game mods, unofficial downloads, ad-based malware, and social platform scams rather than focusing exclusively on corporate phishing. Generic, one-size-fits-all awareness programs don’t reach the users most at risk.

Why Generic Cybersecurity Training Falls Short

As highlighted by the National Institute of Standards and Technology, the human component of cybersecurity must be actively engaged, continuously evaluated, and integrated into broader defensive strategies. In practice, this means moving beyond passive awareness toward adaptive and behaviorally informed training models that emphasize contextual learning, real-time feedback, and situational engagement.

This perspective is closely aligned with the concept of victim profiling from the field of victimology. Early theoretical foundations were developed by scholars such as Hans von Hentig and Benjamin Mendelsohn, who emphasized that victimization cannot be understood solely through the actions of offenders. Instead, it emerges from the interaction between offender behavior, environmental context, and the characteristics or routines of potential victims. 

Victim profiling does not assign blame to victims; rather, it aims to identify patterns and conditions that increase vulnerability, so prevention strategies can be designed to reduce exposure to risk and strengthen protective behaviors. 

From a preventive standpoint, cybersecurity victim profiling offers organizations a powerful tool to move beyond treating incidents as isolated events. By analyzing broader behavioral and structural trends among victims, organizations can identify recurring risk patterns, anticipate threat vectors, and design targeted interventions. 

A recent overview in the Journal of Risk Research situates human behavior as a central, under‑explored factor in cybersecurity risk research, reinforcing the need for integrative and behaviorally informed approaches to prevention. 

Awareness programs and defensive tools are most effective when tailored to the actual characteristics and behaviors of at-risk populations, rather than relying on generic warnings.

To contribute to this growing body of knowledge, our research focuses on better understanding the characteristics of individuals compromised by infostealer malware. The objective is to identify behavioral and environmental factors that distinguish these victims from typical internet users. By clarifying these differences, the study aims to support the development of cybersecurity tools and prevention campaigns that are more precisely aligned with the realities of the users most exposed to this form of cybercrime.

Are Infostealer Victims Representative of the General Population?

Studying Infostealer Victims: Methodology

To better understand the behavioral characteristics associated with infostealer malware victimization, we conducted an empirical analysis of victims. The study relied on a random sample of approximately thirty stealer logs per day collected throughout the year 2025, resulting in a dataset of 10,198 compromised users. These logs contain information extracted by infostealer malware, including browsing artifacts and credentials associated with compromised devices.

As shown in the graph below, stealer logs contain valuable information about a victim’s behavioral profile. Based on one victim browser history, they provide insight into the digital environments visited prior to compromise. To analyze these patterns, we classified the visited websites into behavioral categories to capture victims’ overall browsing behavior.

Browser history analysis of one victim as an example of information on behavior

To evaluate whether victims exhibit distinct browsing behaviors, we compared the categories of websites visited by compromised users with the distribution of popular websites on the broader internet. 

For the baseline comparison, we relied on the Tranco List, a research-oriented ranking of the most popular domains on the web. Unlike traditional popularity rankings, the Tranco list aggregates multiple sources and applies filtering methods designed to mitigate manipulation and measurement bias. It’s a widely used reference dataset in academic research for approximating the distribution of general web traffic.

Each website in both datasets was classified into activity categories such as professional, social media, gaming, entertainment, finance, and others. Comparing the two distributions revealed several statistically significant differences between infostealer victims and the general web population. The results are below:

Comparison in internet behavior between infostealer victims and general population

Key Findings: How Victim Browsing Behavior Differs

We have two key findings about what sites are underrepresented and overrepresented for infostealer victims:

1. Professional and technical sites are dramatically underrepresented among infostealer victims.

The most striking result concerns professional or business-related websites. These platforms appear far less frequently in victim browsing histories than their prevalence in the broader internet ecosystem would predict. This suggests that compromised users spend considerably less time interacting with professional or productivity-oriented platforms than would be expected from general browsing patterns.

Other categories associated with more technical or security-conscious user communities (such as anonymity services, finance platforms, cryptocurrency resources, hacking forums, and discussion forums) are also visited less frequently by victims than their overall web popularity would suggest.

2. Entertainment, gaming, and social media credentials are significantly overrepresented in stealer logs.

In contrast, categories associated with leisure and interactive online environments are significantly overrepresented. Social media platforms, entertainment websites, and gaming ecosystems appear far more frequently in the browsing histories of victims than in the general web baseline. Also, websites categorized as suspicious for their connection to criminal behavior are slightly overrepresented among the victims as well.

Why These Browsing Patterns Increase Risk

These findings suggest that the browsing habits of infostealer victims differ significantly from those of the general internet population. Victims appear to spend more time in highly interactive digital ecosystems oriented around entertainment, gaming, and social interaction, while spending comparatively less time in professional or technical environments. These have direct cybersecurity implications.

Structural Exposure: Spending More Time in Higher-Risk Environments

The digital ecosystems where victims spend the most time (gaming platforms, entertainment sites, and social media) frequently host the distribution channels that malware operators rely on. These environments contain advertising networks, download portals, modding communities, and unofficial software repositories. These surfaces can expose users to malicious advertisements, compromised downloads, phishing attempts, or bundled malware packages. Spending time in these environments increases structural exposure to cyber threats simply by placing users in environments where malicious infrastructure is more prevalent.

Behavioral Predisposition: Patterns Consistent with Impulsive Digital Behavior

Exposure alone does not fully explain victimization. The slight overrepresentation of visits to less mainstream websites, combined with the prevalence of gaming and entertainment ecosystems, suggests a pattern consistent with impulsive or risk-oriented digital behavior. Psychological research has long linked impulsiveness with a greater tendency to engage in activities without fully considering potential consequences. In online environments, this can translate into behaviors such as quickly downloading files, clicking on unfamiliar links, installing unofficial software, or interacting with persuasive content.

Threat actors actively exploit these tendencies. Many cyberattack techniques rely on emotional manipulation, leveraging curiosity, urgency, excitement, fear, or greed to trigger rapid decision-making. Phishing campaigns, fake software downloads, and malicious advertisements often rely on these psychological triggers to bypass rational evaluation. When users interact within environments where such stimuli are common, the probability of compromise increases.

Compounding Effect of Structural Exposures and Behavioral Predispositions

When these two mechanisms operate simultaneously, the probability of compromise increases substantially. Users who spend time in high-risk digital environments and exhibit impulsive browsing patterns face compounding risk that generic training programs are not fully equipped to address.

What This Means for Prevention

These findings reinforce a central conclusion from the broader cybersecurity literature: awareness strategies must be adapted to the behavioral realities of the users they aim to protect. Generic security training that assumes uniform browsing habits and motivations fails to address the specific risk environments in which many users operate. If victims are disproportionately active in gaming, entertainment, and social ecosystems, then awareness messaging should directly address the risks associated with those environments. This approach aligns with decades of criminological research demonstrating that prevention is most effective when it addresses the concrete context in which risks occur. Training scenarios or awareness campaigns should incorporate examples involving: 

• game modifications
• unofficial downloads
• advertising-based malware
• social platform scams

Rather than focusing exclusively on traditional corporate phishing scenarios, these examples can expand and strengthen training programs. Learn more about victim profiling in this blog. 

These examples should supplement (not replace) traditional corporate phishing scenarios, and be present in the training to reach the users who need it most. 

Cybersecurity awareness should not simply inform users about threats. It should reflect the behavioral ecosystems in which those users actually operate. When prevention strategies are grounded in empirical observations of victim behavior, they move beyond generic warnings and become tools capable of meaningfully reducing risk.

Personalized Prevention with Foretrace

Helping users recognize and understand their own digital behaviors is a central focus of prevention efforts at Flare. In line with this objective, we launched Foretrace, a tool designed to analyze user activity and identify behavioral patterns associated with increased cyber risk. By examining elements of the user’s digital profile, Foretrace highlights potential weaknesses and provides tailored recommendations aimed at reducing exposure to threats. Rather than relying on generic awareness messages, the approach emphasizes personalized feedback, allowing users to better understand how their everyday online habits may influence their cybersecurity posture.