Radware report highlights evolving strategies in credential stuffing attacks.
94% contain four or more business logic attack elements; 83% use API-targeting techniques.
Radware® (NASDAQ: RDWR), a provider of application security and delivery solutions for multi-cloud environments, released a report titled The Invisible Breach: Business Logic Manipulation and Application Programming Interface (API) Exploitation in Credential Stuffing Attacks. The report details a shift from volume-based credential stuffing attacks to more complex, multi-stage infiltration techniques.
According to Arik Atar, senior Cyber Threat Intelligence (CTI) researcher at Radware, “To bypass traditional defenses, modern credential stuffing attacks are shifting away from traditional password-spraying techniques in favor of business logic manipulation, cross-platform device spoofing, and strategic API exploitation.” He emphasized that organizations must enhance security measures beyond credential-focused controls to validate entire user journeys and identify suspicious patterns in business logic flows.
The research examined 100 advanced credential stuffing configurations employing the SilverBullet account takeover tool.
Advanced attack methodologies
- Business logic attacks: 94% of configurations implement four or more business logic attack elements, with 54% demonstrating orchestration using 13 or more distinct techniques.
- API exploitation: 83% of configurations involve explicit API-targeting techniques.
- Multi-device spoofing: 24% of attack scripts alternate between two device types during execution, with 71% employing transitions between platforms, primarily iOS and Windows.
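The two patterns the report singles out, a session whose client platform changes mid-flow and a session that reaches the API login step without passing through the preceding steps of the user journey, can both be surfaced from ordinary authentication logs. The following is an added example written for this page, not code from Radware or the report; the log format, the endpoint names (/login, /api/v2/auth/login, /account), the platform labels and the three-step journey are assumptions, and the log lines are constructed.

```python
"""Flag two credential-stuffing indicators in per-session auth logs:
(1) the reported client platform switches between consecutive requests
    (e.g. iOS -> Windows inside one session), and
(2) a journey step is reached without its predecessor (e.g. the API login
    endpoint is called without the login page ever being loaded).
Log format, endpoints, platform labels and journey are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (assumed format: ts session account platform method:path).
SAMPLE_LOG = """\
1001 s1 alice@example.com windows GET:/login
1002 s1 alice@example.com windows POST:/api/v2/auth/login
1003 s1 alice@example.com windows GET:/account
1010 s2 bob@example.com ios GET:/login
1011 s2 bob@example.com windows POST:/api/v2/auth/login
1012 s2 bob@example.com ios GET:/account
1020 s3 carol@example.com android POST:/api/v2/auth/login
1021 s3 carol@example.com android GET:/account
"""

# Assumed legitimate journey: each step should follow the one before it.
EXPECTED_STEPS = ["GET:/login", "POST:/api/v2/auth/login", "GET:/account"]


@dataclass
class Event:
    ts: int
    session: str
    account: str
    platform: str
    request: str


def parse_log(text):
    """Parse the assumed whitespace-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, account, platform, request = line.split()
        events.append(Event(int(ts), session, account, platform, request))
    return events


def group_by_session(events):
    """Group events by session id, ordered by timestamp within each session."""
    sessions = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        sessions[e.session].append(e)
    return sessions


def platform_switches(session_events):
    """List (from, to) pairs where consecutive requests report different platforms."""
    switches = []
    for prev, cur in zip(session_events, session_events[1:]):
        if prev.platform != cur.platform:
            switches.append((prev.platform, cur.platform))
    return switches


def skipped_steps(session_events):
    """List expected journey steps that were never seen before their successor was hit."""
    seen = set()
    skipped = []
    for e in session_events:
        if e.request in EXPECTED_STEPS:
            idx = EXPECTED_STEPS.index(e.request)
            if idx > 0 and EXPECTED_STEPS[idx - 1] not in seen:
                skipped.append(EXPECTED_STEPS[idx - 1])
            seen.add(e.request)
    return skipped


def analyse(text):
    """Return a dict of session id -> findings for every session showing an indicator."""
    findings = {}
    for sid, evs in group_by_session(parse_log(text)).items():
        switches = platform_switches(evs)
        skipped = skipped_steps(evs)
        if switches or skipped:
            findings[sid] = {
                "account": evs[0].account,
                "platform_switches": switches,
                "skipped_steps": skipped,
            }
    return findings


if __name__ == "__main__":
    for sid, finding in analyse(SAMPLE_LOG).items():
        print(sid, finding)
```

On the constructed log, session s2 is flagged for two platform switches (ios to windows and back) and s3 for calling the API login endpoint without ever loading the login page. Both checks are per-session and work on the fields a web or API gateway already logs, which is the kind of journey-level validation the quoted researcher recommends over credential-only controls.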
Primary targets
- Industries: Technology/SaaS was the primary target sector (27%), followed by financial services/government (16%) and travel/airline (13%) sectors.
- Online tools: There is a noted shift toward high-value Artificial Intelligence (AI) tools (44% of technology targets), which may be exploited by spammers for phishing content. Corporate tools (30%), including Microsoft 365, OneDrive, and Outlook, are also likely targets for ransomware groups.
Centralized threat landscape
- Concentration: 51% of analyzed configurations originated from three advanced threat actors.
- Specialization: Each actor had over two years of operational experience in areas such as AI platform authentication bypass and mobile API exploitation.
The report methodology involved analyzing 100 credential stuffing attack scripts sourced from threat actor channels over six months. This report provides insights into emerging trends in account takeover campaigns.