At least 30,000 Australian banking passwords were exposed between 2021 and 2025 after hackers infected devices with infostealer malware, according to a local cybersecurity company.

Research by Sydney-based firm Dvuln found such malware has been used to target and harvest credentials from devices belonging to customers of major Australian banks, including the so-called Big Four: ANZ, NAB, Westpac, and the Commonwealth Bank.

“The actual number of compromised customer devices is likely substantially higher, as many infections remain undetected or are traded in private channels outside our visibility,” the company said in its latest report, published on Tuesday.

Infostealer malware is malicious software, installed on a device, that is designed to steal valuable data such as passwords, credit card details, browser history, or cryptocurrency wallet information.

The malware is commonly distributed through SMS messages, emails, and even online ads which may appear legitimate, but contain malicious links.

Data collected by infostealers is commonly sold on the Dark Web, where some distributors even provide free samples of their data logs to promote premium offerings which provide access to specific logs in private chat rooms.

Hackers had overwhelmingly targeted computers running Microsoft’s Windows operating system, but a growing number of mobile devices were also being attacked, Dvuln said.

Calls for ‘coordinated action’

Typical security protections such as multi-factor authentication (MFA) were “not a complete defence against infostealer malware”, Dvuln said, as some infostealers could extract authentication data to bypass MFA systems.

“Addressing this threat requires coordinated action across financial institutions, government, cybersecurity professionals, and the public to close the gap between endpoint compromise and credential abuse,” the company said.

Consumers could help protect themselves by keeping their device software updated, using reputable antivirus or anti-malware software, and being cautious with what they downloaded or accessed online, the firm added.

Australia’s digital intelligence agency, the Australian Signals Directorate (ASD), has previously described infostealers as a “silent heist” which increasingly presented “a threat to the security and wellbeing of Australian organisations”.

“Organisations that facilitate employees, contractors, managed service providers or other entities to access their network remotely, including with Bring Your Own Device (BYOD) hardware, need to be aware of the risks of info stealers and protect themselves from this threat,” it said in September.


An ASD visualisation showing the 'info stealer ecosystem and possible impacts on an organisation'. Image: ASD

Malware on the rise in the Asia-Pacific

American telecommunications giant Verizon said it had witnessed a “significant jump” in malware-driven data breaches in the Asia-Pacific region this year, with the technique present in 83 per cent of breaches compared with 58 per cent in 2024.

Emails were “the key vector for distributing various types of malware”, the company said last week in its latest Data Breach Investigations Report, which analysed more than 1,300 data breaches in the region.

Ransomware — a type of malware which blocks access to a system or its files — accounted for 51 per cent of breaches in the Asia-Pacific, while attacks involving social engineering had fallen to only 20 per cent of breaches so far this year.

Overwhelmingly, 99 per cent of threat actors responsible for breaches in the region were found to be external to the affected entities, with 83 per cent of actors motivated by financial gain.

The report comes after several Australian superannuation funds were recently targeted with leaked passwords, which were used to compromise some customer information and steal members’ funds.

Dvuln said this activity was “consistent with known patterns of infostealer malware activity, where stolen consumer credentials are resold or reused to access financial platforms”.

“These incidents reflect a growing shift by cybercriminals toward credential-based infiltration, rather than direct exploitation of financial infrastructure,” it said.


Infostealer malware can harvest data such as passwords, credit card details, cryptocurrency wallet information, and browsing history. Image: Shutterstock

‘Significant rise’ in fake financial account compromises

Australian banking customers have also faced a “significant rise” in phishing scams which attempted to scare them into believing their financial accounts had been compromised, according to the National Anti-Scam Centre.

Such scams attempt to create a sense of urgency by falsely claiming an account has been hacked, to trick people into sharing their account credentials or transferring funds.

The National Anti-Scam Centre’s Scamwatch service saw a more than 200 per cent increase in financial losses from phishing scams between 1 January and 23 March 2025 compared with the same period in 2024, according to data released on Tuesday.

Financial losses in the 2025 period totalled $11.1 million — over 75 per cent of which related to cryptocurrency phishing scams.

Potential victims were usually contacted by scammers via text message, phone call, or email, using SMS sender IDs or email addresses which may have initially appeared legitimate.

Catriona Lowe, deputy chair of the Australian Competition and Consumer Commission (ACCC) which oversees the National Anti-Scam Centre, said many Australians were “already on high alert” after being caught up in major data breaches in recent years.

“We urge consumers to stop and check when they receive messages claiming to be from trusted authorities, especially if they relate to a crypto, superannuation or a bank account,” Lowe said.

“It is important consumers never click on links in a text or email message that asks for login or password details and only log into accounts directly through the official website or app.”