Stealer Logs on the Dark Web: What You Need to Know
In recent years, a surge in “stealer logs” has emerged, making it easier than ever for anyone, even those with minimal technical expertise, to become a cybercriminal. These logs, often readily available on dark web marketplaces, Telegram channels, and even underground forums, contain stolen credentials for virtually any online service imaginable.
The consequences of this readily available arsenal are severe. In September 2022, Uber suffered a breach that began with an external contractor's credentials, reportedly purchased on the dark web, which the attacker combined with repeated MFA push prompts until one was approved. This incident, like countless others, shows how directly the proliferation of stealer logs translates into corporate exposure.
With the barrier to entry for cybercrime effectively lowered, organizations and individuals alike must remain vigilant. This is why we’ve decided to take a closer look at stealer logs on the deep and dark web.
What are stealer logs?
Stealer logs are a serious threat to individuals and organizations alike. These logs are compiled by infostealer malware such as RedLine and Raccoon and contain sensitive data harvested from compromised devices: saved browser credentials (URL, username and password triples), session cookies, autofill data, browser history, cryptocurrency wallet files, a system fingerprint (hostname, IP, installed software) and often a screenshot of the desktop at infection time.
Stealer logs present a significant risk because the credentials and session cookies they contain can be used directly or sold by Initial Access Brokers (IABs). A valid session cookie lets a buyer replay an authenticated session and sidestep MFA, and the resulting access is a common starting point for ransomware deployment, social engineering and Remote Access Trojan (RAT) installation.
MaaS infostealers and automated stealer logs on the deep and dark web
Threat actors are increasingly leveraging Malware-as-a-Service (MaaS) models to distribute infostealers. This, coupled with automated operations that collect and distribute stolen data logs from infected devices across Telegram channels and dark web marketplaces, has fueled the growth of a readily accessible market for stealer logs.
These logs, frequently aggregated by bots, are readily available on Telegram, either for free or through subscription services, significantly simplifying the access for cybercriminals.
We used Lunar, Webz.io’s dark web monitoring tool, to track the distribution of stealer logs on Telegram. The following chart, taken from Lunar, shows a surge in the number of Telegram posts mentioning stealer logs since the start of 2024:
Where can you find stealer logs on the deep and dark web?
Stealer logs appear on different sources across the deep and dark web. Some of the primary sources include:
Telegram
Telegram is notable for being a widely used platform for disseminating stealer logs through channels that host data collected by various bots. These channels typically offer logs either for free or through a subscription that grants access to a private log feed. Channels purporting to offer premium-quality logs usually charge a monthly fee ranging from several hundred dollars to $1000.
Marketplaces
The surging demand for stealer logs has spurred a rise in their accessibility across dark web marketplaces like Russian Market and 2easy. These platforms are dedicated to vending stealer logs, offered at diverse prices ranging from $5 to $100, based on factors such as the volume of authentication data, associated accounts, and more.
Underground forums
Initial Access Brokers (IAB) are likely targeting corporate logs containing valuable data, facilitating easier access and subsequent sale on dark web forums such as XSS and Exploit.
The next image shows a post that was published on the XSS forum where an IAB is selling access to various government domains in different locations. We believe that this is facilitated by corporate stealer logs that they have acquired and used.
How to search for stealer log accounts?
Finding stealer logs in the deep and dark web is a complex task. We at Webz.io continuously scan dark web marketplaces, datastores, and chat applications, to expand our scope of stealer logs.
The simplest way to search for them is to use a search tool such as Lunar, which you can see in the image below.
To illustrate, we took Microsoft as an example and searched for stealer logs associated with its domain (microsoft.com). We used Lunar’s enriched.category:stealer_logs tag to retrieve only results classified as stealer logs, and then narrowed the search to logs associated with the microsoft.com domain with enriched.domain.value:microsoft.com.
The next image shows the results retrieved on Lunar relating to stealer log associated with the domain:
The log in this example was published on Russian Market and contains a compromised Microsoft account. We classify it as a high risk log due to the nature of the site and the fact that it contains various details associated with the Microsoft domain, including cookies, passwords, etc.
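The triage performed above, filtering a log for a monitored domain and rating it on whether both passwords and cookies are present, can be reproduced locally on a raw dump. The following is an added example, not Lunar or Webz.io code. The input format is an assumption modelled on the plain-text "Passwords.txt" (key: value blocks) and Netscape-style tab-separated "Cookies.txt" files that common infostealer families emit; real dumps vary by family and version. The sample dump is constructed for the example and contains no real victim data. Passwords are never stored or displayed, only a short hash prefix so reused passwords can be correlated across logs.

```python
"""Triage a stealer log dump for monitored domains (added example, not vendor code)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the assumed "Passwords.txt" layout (not real data).
SAMPLE_PASSWORDS = """\
URL: https://account.microsoft.com/
Username: j.doe@contoso.example
Password: Winter2024!
Application: Google Chrome

URL: https://github.com/login
Username: jdoe-88
Password: hunter2
Application: Google Chrome

URL: https://notmicrosoft.com/login
Username: jdoe
Password: lookalike
Application: Microsoft Edge
"""

# Constructed sample in Netscape cookie-file layout:
# domain, include-subdomains flag, path, secure, expiry, name, value (tab separated).
SAMPLE_COOKIES = """\
.microsoft.com\tTRUE\t/\tTRUE\t1735689600\tMSCC\tabc123
.reddit.com\tTRUE\t/\tTRUE\t1735689600\treddit_session\tzzz
login.live.com\tFALSE\t/\tTRUE\t1735689600\tMSPAuth\tdef456
"""


@dataclass(frozen=True)
class Credential:
    url: str
    host: str
    username: str
    password_fingerprint: str  # SHA-256 prefix, never the plaintext
    application: str


@dataclass(frozen=True)
class Cookie:
    domain: str  # leading '.' stripped
    name: str
    secure: bool
    expires: int


def fingerprint(secret: str) -> str:
    """Short hash so analysts can correlate a reused password without exposing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def parse_passwords(text: str) -> list[Credential]:
    creds: list[Credential] = []
    # Records are 'Key: value' lines separated by blank lines; split on the first colon
    # only, because the URL value itself contains one.
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        url = fields.get("url", "")
        if not url or "password" not in fields:
            continue  # incomplete record: skip rather than guess
        host = (urlsplit(url).hostname or "").lower()
        creds.append(Credential(url, host, fields.get("username", ""),
                                fingerprint(fields["password"]),
                                fields.get("application", "unknown")))
    return creds


def parse_cookies(text: str) -> list[Cookie]:
    cookies: list[Cookie] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 7:
            continue  # malformed line
        domain, _flag, _path, secure, expires, name, _value = parts[:7]
        cookies.append(Cookie(domain.lstrip(".").lower(), name,
                              secure.upper() == "TRUE", int(expires)))
    return cookies


def domain_matches(host: str, monitored: str) -> bool:
    """True for the domain itself and its subdomains, never for look-alikes."""
    host, monitored = host.lower(), monitored.lower()
    return host == monitored or host.endswith("." + monitored)


def triage(passwords_text: str, cookies_text: str, monitored_domains) -> dict:
    """Return, per monitored domain with hits, the matching records and a risk rating."""
    creds = parse_passwords(passwords_text)
    cookies = parse_cookies(cookies_text)
    report = {}
    for dom in monitored_domains:
        hit_creds = [c for c in creds if domain_matches(c.host, dom)]
        hit_cookies = [c for c in cookies if domain_matches(c.domain, dom)]
        if not hit_creds and not hit_cookies:
            continue
        # A password plus a session cookie lets a buyer log in outright or replay
        # the session and sidestep MFA, so that combination is rated high.
        risk = "high" if hit_creds and hit_cookies else "medium"
        report[dom] = {"credentials": hit_creds, "cookies": hit_cookies, "risk": risk}
    return report


if __name__ == "__main__":
    for dom, hit in triage(SAMPLE_PASSWORDS, SAMPLE_COOKIES,
                           {"microsoft.com", "github.com", "reddit.com"}).items():
        print(dom, hit["risk"], len(hit["credentials"]), "creds", len(hit["cookies"]), "cookies")
```

The matching is deliberately suffix based on the host, so a look-alike such as notmicrosoft.com is excluded while account.microsoft.com is included; when monitoring a brand rather than a single zone, add each registrable domain (for example both microsoft.com and microsoftonline.com) to the monitored set.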
Monitoring stealer logs in 2024
As the landscape of online security continuously evolves, the ever-growing presence of stealer logs serves as a stark reminder of the need for constant vigilance. While the ease with which cybercriminals can acquire and use this information poses a significant threat, proactive monitoring by cybersecurity professionals can help mitigate such risks.
By actively tracking stealer logs on the dark web, with dark web monitoring tools like Lunar, Managed Security Service Providers (MSSPs) and Cyber Threat Intelligence (CTI) teams can stay ahead of emerging threats, safeguard client data, and mitigate future cyberattacks.