Data Breach Threats

Stealer Logs on the Dark Web: What You Need to Know

Stealer Logs on the Dark Web: What You Need to Know
Dan Tsabari
Dan Tsabari

Threat Intelligence Analyst

In recent years, a surge in “stealer logs” has emerged, making it easier than ever for anyone, even those with minimal technical expertise, to become a cybercriminal. These logs, often readily available on dark web marketplaces, Telegram channels, and even underground forums, contain stolen credentials for virtually any online service imaginable.

The consequences of this readily available arsenal are severe. In September 2022, Uber experienced a data breach, likely facilitated by stolen credentials purchased on the dark web. This incident, like countless others, highlights the significant vulnerability corporations face due to the proliferation of stealer logs.

With the barrier to entry for cybercrime effectively lowered, organizations and individuals alike must remain vigilant. This is why we’ve decided to take a closer look at stealer logs on the deep and dark web.

What are stealer logs?

Stealer logs are a serious threat to individuals and organizations alike. These logs, compiled by malicious software like Redline and Raccoon, contain sensitive data stolen from compromised devices. This data can include browser history, cookies, visited websites, installed software, and even user information.

Stealer Logs present a significant risk because they can be exploited or sold by Initial Access Brokers (IABs) to orchestrate various attacks, including ransomware, social engineering, and Remote Access Trojans (RATs).

We featured stealer logs among the top 3 dark web trends to keep an eye on in 2024 – watch the video now [3 min].

MaaS infostealers and automated stealer logs on on the deep and dark web

Threat actors are increasingly leveraging Malware-as-a-Service (MaaS) models to distribute infostealers. This, coupled with automated operations that collect and distribute stolen data logs from infected devices across Telegram channels and dark web marketplaces, has fueled the growth of a readily accessible market for stealer logs.

These logs, frequently aggregated by bots, are readily available on Telegram, either for free or through subscription services, significantly simplifying the access for cybercriminals.

We used Lunar, Webz.io’s dark web monitoring tool, to track the distribution of stealer logs on Telegram.  The following chart, taken from Lunar, shows a surge in the number of posts which mention stealer logs onTelegram, since the start of 2024: 

We tracked a significant rise in the number of discussions related to stealer logs on Telegram in 2024, the image is taken from Lunar
We tracked a significant rise in the number of discussions related to stealer logs on Telegram in 2024, the image is taken from Lunar

Where can you find stealer logs on the deep and dark web?

Stealer logs appear on different sources across the deep and dark web. Some of the primary sources include:

Telegram

Telegram is notable for being a widely-used platform that facilitates the dissemination of stealer logs via channels that host data from various bots. These channels often present users with the option to access logs either for free or through subscription-based models, granting private log access. Channels purporting to offer premium-quality logs typically impose a monthly fee ranging from several hundred dollars to $1000.

Marketplaces

The surging demand for stealer logs has spurred a rise in their accessibility across dark web marketplaces like Russian Market and 2easy. These platforms are dedicated to vending stealer logs, offered at diverse prices ranging from $5 to $100, based on factors such as the volume of authentication data, associated accounts, and more.

Underground forums

Initial Access Brokers (IAB) are likely targeting corporate logs containing valuable data, facilitating easier access and subsequent sale on dark web forums such as XSS and Exploit

The next image shows a post that was published on the XSS forum where an IAB is selling access to various government domains in different locations. We believe that this is facilitated by corporate stealer logs that they have acquired and used.

A post showing an Initial Access Broker selling RDP access to various GOV domains on XSS forum, the image was taken from Lunar
A post showing an Initial Access Broker selling RDP access to various GOV domains on XSS forum, the image was taken from Lunar

How to search for stealer log accounts?

Finding stealer logs in the deep and dark web is a complex task. We at Webz.io continuously scan dark web marketplaces, datastores, and chat applications, to expand our scope of stealer logs. 

The simplest way to search for them is by using search tool, such as Lunar, which you can see in the image below.

To illustrate it, we used the Microsoft and searched for stealer logs associated with its domain (Microsoft.com) . We used Lunar’s enriched.category:stealer_logs tag to retrieve results that were classified as stealer logs.  We further narrowed our search to logs associated with the Microsoft.com domain, enriched.domain.value:microsoft.com.

The query we used to search for stealer logs associated with Microsoft on Lunar
The query we used to search for stealer logs associated with Microsoft on Lunar

The next image shows the results retrieved on Lunar relating to stealer log associated with the domain: 

An example of a stealer log published on Russian Market which includes a compromised Microsoft account, the image was taken from Lunar
An example of a stealer log published on Russian Market which includes a compromised Microsoft account, the image was taken from Lunar

The log in this example was published on Russian Market and contains a compromised Microsoft account. We classify it as a high risk log due to the nature of the site and the fact that it contains various details associated with the Microsoft domain, including cookies, passwords, etc.

Monitoring stealer logs in 2024

As the landscape of online security continuously evolves, the ever-growing presence of stealer logs serves as a stark reminder of the need for constant vigilance. While the ease with which cybercriminals can acquire and use this information poses a significant threat, proactive monitoring by cybersecurity professionals can help mitigate such risks. 

By actively tracking stealer logs on the dark web, with dark web monitoring tools like Lunar, Managed Security Service Providers (MSSPs) and Cyber Threat Intelligence (CTI) teams can stay ahead of emerging threats, safeguard client data, and mitigate future cyberattacks.

Spread the News

Not subscribed to our Dark Web Pulse updates?

By submitting you agree to Webz.io's Privacy Policy and further marketing communications.

Feed Your Machines the Data They Need

Feed Your Machines the Data They Need

GET STARTED

Don't be the last one to know!

Chances are your compromised data is already traded on the dark web.
Ready to discover them and protect your business?

Subscribe to our newsletter for more news and updates!

Ready to Explore Web Data at Scale?

Speak with a data expert to learn more about Webz.io’s solutions
Create your API account and get instant access to millions of web sources