Colombia. The country ranks 13th out of 253 countries in volume of filtered cookies, with nearly 2 billion cookies exposed, of which 158 million remain active and linked to actual user activity, according to NordVPN's most recent research.
Cookies, small text files that store information about users' online activity, have been targeted by cybercriminals who use them to access personal data and protected systems.
"Cookies may seem harmless, but in the wrong hands, they are digital keys to our most private information," explained Adrianus Warmenhoven, cybersecurity expert at NordVPN. "Something that was designed for convenience has become a vulnerability that is increasingly exploited by cybercriminals around the world."
NordVPN's report highlights that cybercriminals employed 38 different types of malware — more than triple the 12 types identified last year — to steal a total of 94 billion cookies.
Among the most active threats are Redline, with 41,600 million cookies stolen; Vidar, with 10 billion; and LummaC2, with 9 billion. These malware families are characterized by extracting saved passwords, cookies, and autofill data. In addition, Vidar downloads additional malware, and LummaC2 uses evasion techniques to spread undetected.
The researchers also identified 26 new malware variants, including RisePro, Stealc, Nexus, and Rhadamanthys. These new threats have the ability to steal browser credentials, session data, and in some cases, banking information.
According to the study, 20.55% of stolen cookies are still active, posing an ongoing risk to online privacy. Although Colombia ranks 13th in the global ranking, 7.55% of cookies linked to Colombian users are still active, which is equivalent to approximately 221 million cookies.
"Even a small percentage of such a large dataset is huge," Warmenhoven said. "That means hundreds of millions of people could be exposed to cybercrime."
The study warns that the stolen cookies contained full names, emails, cities, passwords, and physical addresses. This data can be used for identity theft, fraud, and unauthorized account access.
Warmenhoven explained that "most people don't realize that a stolen cookie can be just as dangerous as an exposed password" and added that "once intercepted, a cookie can give hackers direct access to sensitive accounts and data, without the need to log in."
To mitigate these risks, NordVPN recommends using strong and different passwords for each account, turning on multi-factor authentication, updating devices, and frequently erasing data stored in the browser. Warmenhoven reminded that "if you never delete that data, the session will remain active for as long as the owner of the website considers it safe."
"Taking basic precautions, such as using strong passwords, enabling multi-factor authentication, and staying vigilant online, can significantly reduce the risk of falling victim to cyberattacks. It's a minimal effort that can protect you from greater threats," he added.
The investigation was carried out between April 23 and 30, 2025, using data from Telegram channels where cybercriminals offer stolen information. NordVPN analyzed a dataset that included information on more than 94 billion cookies, their activity status, the malware involved, and where they are geographed. According to the company, they did not purchase stolen cookies or access their content; they only analyzed the types of data they contained.
