
5 days ago
How Hackers Bypass MFA: The Rise of Infostealers with Tom Leijte, Founder of Passguard
In this episode of Cyber Security District, we speak with Tom Leijte, founder of Passguard, one of the most exciting emerging cybersecurity companies in the Netherlands. Passguard helps organizations detect when infected devices, stolen credentials, and active sessions show up on criminal marketplaces, giving security teams early visibility before exposure turns into a breach.
Tom shares how his journey started outside of “traditional” cybersecurity, working in private investigations where dark web intelligence was already part of high-stakes screening work. Together with his technical co-founder, he built the capabilities to infiltrate closed criminal forums and surface the kind of forensic-level logs most companies never see until it’s too late.
In this episode, we cover:
- Using dark web intelligence for sensitive employee screening
- Why “classic” dark web monitoring often gets deprioritized by security teams
- The infostealer shift: stolen session tokens, not just leaked passwords
- How session theft can bypass MFA and why that changes the game
- How criminal marketplaces work (and how trust is built among criminals)
- How Passguard infiltrates closed forums using reputation, escrow, and long-term access
- Building a European-first solution and partnering with MSSPs / security platforms
- Scaling after investment: team growth, ICP clarity, and market expansion
Timestamps:
00:00 – Intro
00:15 – Meet Tom Leijte and Passguard’s mission
00:37 – Early visibility: exposure before it becomes a breach
01:22 – Tom’s background in private investigations
02:13 – Screening sensitive roles using open-source + dark web sources
03:47 – Why dark web intelligence matters for organizations
04:39 – How Passguard started (and the co-founder story)
05:53 – What surprised Tom most about the dark web
06:20 – Data breaches vs data brokers: what ends up for sale
07:20 – Discovering infostealers and why they’re different
08:17 – Session tokens, MFA bypass, and the “unmanaged endpoint” problem
10:01 – What infostealers capture (sessions, access, and more)
11:10 – Why SaaS + remote work + BYOD changed attacker economics
12:27 – Supplier and branch-office risk: the blind spot organizations miss
14:31 – Why classic “dark web monitoring” wasn’t landing in the market
15:38 – The Mom Test and learning to run real customer conversations
18:08 – Reframing the problem: focusing on infostealer exposure
20:38 – How the dark web works (no “bookmark”, reputation, escrow)
23:11 – Passguard’s approach: bots, reputation, and long-term infiltration
25:55 – Real-world example: infostealers and large-scale government breaches
27:37 – What stolen access is worth and how it gets packaged for sale
29:19 – Screenshots, persistence, and “always up-to-date” stolen sessions
30:05 – Educating customers and turning awareness into action
31:03 – What Passguard delivers: evidence, context, and early alerts
33:08 – The Snowflake case: old credentials, massive impact
36:06 – Scaling after investment: pressure, growth, and coping
37:18 – Why Tom chose experienced cyber investors and operators
39:43 – Passguard as intelligence inside MSP/MSSP security workflows
41:45 – Team expansion and what roles matter most next
43:27 – ICP clarity and European market expansion
45:27 – Signal message to CISOs: give startups a chance early
46:50 – Outro
Connect with the guests:
- Tom Leijte: https://www.linkedin.com/in/tom-leijte-01596536/
- Website: https://www.passguard.com/
Follow Cybersecurity District:
- Laurens Jagt on LinkedIn: https://www.linkedin.com/in/laurensjagt/
- Website: https://www.cybersecuritydistrict.com/
All channels & newsletter: https://beacons.ai/cybersecuritydistrict