According to Check Point Software, 2024 saw a significant increase in infostealer infection attempts, up 58% from the previous year. Infostealers pose a growing threat to organizations across all industries, since leaked employee credentials give threat actors the opportunity to cause serious harm by illegally accessing both internal resources and SaaS services. Since we’ve recently added leaked credentials from infostealer logs to IntelFinder’s intelligence coverage, we thought we’d share some insights on how this criminal ecosystem works.
But before we dive in, let’s address a more basic question first:
What exactly are infostealers?
When fraudsters began utilizing trojan horses for stealing credentials, circa 2007, their original focus was financial institutions. Known as “Banking Malware”, their purpose was to steal banking credentials to enable account takeover and financial fraud. Banking malware contained features that supported the fraudsters’ specific goals, such as HTML Injection (which inserts additional fields into a login page, such as a Social Security Number or Mother’s Maiden Name, depending on the fraudster’s needs), as well as Man-In-The-Browser capabilities (the malware detects when the infected user logs into their banking account, then automatically initiates a fraudulent transfer while hiding it from the user).
As banks significantly improved their anti-fraud controls and made fraud through their services harder, threat actors began to look for other channels and vectors where they could profit more easily. The criminals realized that access credentials held value not only for banks but also for various other organizations and use cases, such as:
- Crypto – Since cryptocurrency accounts typically lack the same level of anti-fraud controls as traditional financial institutions, compromised credentials often lead to swift and effortless account takeovers. Threat actors can quickly drain funds, transfer assets to untraceable wallets, or exploit compromised accounts for money laundering and other illicit activities.
- Webmail – Access credentials to employee webmail accounts allow threat actors to infiltrate corporate email systems. Once inside, they can intercept sensitive communications, impersonate employees to launch phishing attacks, or exfiltrate confidential data. In some cases, attackers use compromised webmail accounts to facilitate business email compromise (BEC) scams, tricking colleagues or external partners into transferring funds or divulging further sensitive information.
- Gaming Accounts (e.g., Steam, Epic Games, Roblox) – Compromised gaming account credentials grant attackers access to in-game purchases, virtual currencies, and rare digital assets, which can be sold or transferred for profit. Fraudsters may also exploit stolen accounts for scams, trading schemes, or to launder money through in-game economies.
Hence, a new threat was born – the Infostealer. Like banking malware, these are trojan horses designed to steal credentials. However, while banking malware was built around the theft of banking credentials, with specific features designed to enable account takeover and fraud, infostealers are much more generic. They are designed to capture credentials en masse, from any form filled in by infected victims. In many respects they are a lesser version of banking malware, but that isn’t necessarily a downside. Because their developers do not have to find inventive ways to overcome sophisticated anti-fraud measures, they are easier to develop. Their massive threat doesn’t come from their sophistication, but from their availability. Infostealers are so widespread that they steal more credentials than threat actors can handle. So what do threat actors do with them? They sell them, of course. And the primary platform for selling them is Telegram.
The Telegram Scene
Most threat actors selling infostealer logs on Telegram operate in the same way – they open two channels, a public one and a private one. On the public one they regularly post free samples of their stolen credentials, often on a daily basis. Since these samples are shared with anyone who follows the channel, there is competition to use the stolen credentials in those files. A threat actor who is late to the party may find that none of the credentials work anymore because they have already been used. To avoid this, a threat actor can reach out to the channel operator, or to a bot acting on their behalf, and purchase access to the private channel (usually called a “private cloud”). The credentials in the private channels are supposed to be much “fresher”, valid, and subject to less competition – making it an enticing offer.
Prices for each “private cloud” vary depending on the channel, the amount of credentials it offers, and its reputation. Most offer several subscriptions – one week, two weeks, a month, or lifetime access. Prices vary but start at around a few dozen dollars for one-week access and several hundred dollars for lifetime access. For some channels, prices can go as high as several thousand dollars for lifetime access.
Credentials in these channels are shared in two formats – “ULP” and “logs”. “ULP” stands for “URL Login Password” and accurately describes this credential format. Files of this format are provided as text files, with each line containing a stolen credential. Each credential consists of three elements: the URL where the victim entered their credentials, their username or email, and their password. For example:
https://intelfinder.io:not_real@intelfinder.io:MyPassword12@
“Logs”, on the other hand, are archives that contain a lot more information on each victim. Each archive includes hundreds or thousands of directories, each representing an infected machine. Each directory includes text files that contain the victim’s passwords, cookies, running processes, etc. This gives the threat actor much more information to exploit. Not only can they attempt an account takeover using the usernames and passwords provided in these files, but they can also attempt cookie hijacking and more.
The business model of sharing free samples to entice users into purchasing access to a larger, private database isn’t new. It is something that credit card vendors have been doing in dark web forums since the establishment of the dark web in 2004. However, as was the case with credit card vendors, while the “free samples” model sounds good on paper, the reality is much messier. The files posted in public channels in many (if not most) cases are of a very poor quality – often containing outdated information (some of it many years old) and a large portion of credentials that are simply reposts from previous samples shared by more serious channels.
This issue is well known even among the threat actors who follow these channels. The number of infostealer channels on Telegram (there are dozens) makes it even harder for fraudsters to keep up with everything that is available. As a result, several other types of Telegram infostealer channels have emerged – channels that aggregate free samples from a variety of other channels. These channels may also have their own version of a “private cloud”, which aggregates data from other private channels that the operator has paid to access. Some channels are even dedicated to leaking credential files from private clouds, while private chats post links to file-sharing services where members upload files from multiple private channels.
Threat actors have also developed tools that go over infostealer logs and automatically check their validity. This allows them not only to quickly assess the quality of a published file, but to also identify the few nuggets of relevant credentials that still work and exploit them. Unfortunately, security researchers do not have the luxury of using such illegal tools. This means that intelligence from infostealer logs can be quite “noisy”, with most findings being old and invalid. However, finding valid credentials still makes going over the invalid ones worth the effort.
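As an added example (written for this article, not IntelFinder’s own tooling), the following Python script shows how a defender might triage the ULP files and noisy samples described above without touching any third-party service: it parses each URL:login:password line, copes with the colon being reused inside the scheme, in a port, and inside the password itself, keeps only credentials that concern an assumed watchlist of the organisation’s own domains (either as the site logged into or as the e-mail domain of the username), and drops reposts by fingerprint so a credential already seen in an earlier sample is not counted again. The sample lines and the watchlist are constructed; only the first line is the article’s own example.

```python
"""Triage infostealer "ULP" (URL:login:password) lines against a watchlist.

Added example for this article, not IntelFinder's tooling. Sample lines and
the MONITORED watchlist are constructed (the first line mirrors the article).
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UlpEntry:
    url: str
    login: str
    password: str

    @property
    def host(self) -> str:
        # Host part of the URL, lower-cased, without a leading "www."
        target = self.url if "://" in self.url else "//" + self.url
        try:
            host = (urlsplit(target).hostname or "").lower()
        except ValueError:  # malformed netloc (e.g. broken IPv6 literal)
            return ""
        return host[4:] if host.startswith("www.") else host

    @property
    def login_domain(self) -> str:
        # Domain of the username when it is an e-mail address, else ""
        return self.login.rpartition("@")[2].lower() if "@" in self.login else ""

    def fingerprint(self) -> str:
        # Stable id so the same credential reposted in a later sample is recognised
        raw = f"{self.host}\x00{self.login}\x00{self.password}".encode()
        return hashlib.sha256(raw).hexdigest()


def parse_ulp_line(line: str) -> Optional[UlpEntry]:
    """Split one ULP line into url, login and password.

    ':' appears in the scheme ("https://"), in a port ("host:8443/path") and
    possibly inside the password, so a naive 3-way split fails. Strategy: strip
    the scheme, treat an all-digit field after the host as a port only when
    enough fields remain for login + password, take one field as the login and
    rejoin everything after it as the password.
    """
    line = line.strip()
    scheme, sep, rest = line.partition("://")
    if not sep:  # no scheme at all: the first field is the bare URL
        scheme, rest = "", line
    fields = rest.split(":")
    url_parts, i = [fields[0]], 1
    if (i < len(fields) and fields[i].split("/", 1)[0].isdigit()
            and len(fields) - (i + 1) >= 2):
        url_parts.append(fields[i])  # numeric field is a port, not a login
        i += 1
    if len(fields) - i < 2:
        return None  # not enough fields for login + password
    url = (scheme + "://" if scheme else "") + ":".join(url_parts)
    login, password = fields[i], ":".join(fields[i + 1:])
    if not login or not password:
        return None
    return UlpEntry(url, login, password)


def _in_watchlist(domain: str, monitored: Set[str]) -> bool:
    return bool(domain) and any(domain == d or domain.endswith("." + d) for d in monitored)


def filter_monitored(lines: Iterable[str], monitored: Iterable[str],
                     seen: Optional[Set[str]] = None) -> List[UlpEntry]:
    """Return unseen entries whose site or login e-mail domain is monitored.

    `seen` persists fingerprints across runs so reposts in later samples are dropped.
    """
    seen = set() if seen is None else seen
    watch = {d.lower() for d in monitored}
    kept: List[UlpEntry] = []
    for line in lines:
        entry = parse_ulp_line(line)
        if entry is None:
            continue
        if not (_in_watchlist(entry.host, watch) or _in_watchlist(entry.login_domain, watch)):
            continue
        fp = entry.fingerprint()
        if fp in seen:
            continue  # repost of a credential already triaged
        seen.add(fp)
        kept.append(entry)
    return kept


# Constructed sample: one article line, a port + colons in the password, a
# corporate e-mail used on a third-party site, unrelated noise, and a repost.
SAMPLE_LINES = [
    "https://intelfinder.io:not_real@intelfinder.io:MyPassword12@",
    "https://sso.example-corp.com:8443/login:jdoe:pa:ss:word",
    "https://mail.google.com:alice@example-corp.com:Summer2024!",
    "shop.unrelated.example:bob:hunter2",
    "garbage line without separators",
    "https://intelfinder.io:not_real@intelfinder.io:MyPassword12@",
]
MONITORED = {"intelfinder.io", "example-corp.com"}  # assumed watchlist


def triage(lines: Iterable[str] = SAMPLE_LINES, monitored: Iterable[str] = MONITORED) -> List[UlpEntry]:
    return filter_monitored(lines, monitored)


if __name__ == "__main__":
    for e in triage():
        print(f"{e.host:24} {e.login:28} {'*' * len(e.password)}")
```

On the sample, three entries survive: the article’s own intelfinder.io line, the port-bearing SSO line (whose password `pa:ss:word` is kept intact), and the corporate e-mail used on a third-party site; the unrelated domain, the malformed line and the verbatim repost are dropped. Passing the same `seen` set to successive runs is what turns this into a filter for the reposts the article describes.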