
Stealer Log Blog

  • Aidan Irving
  • 20 minutes ago
  • 8 min read

Few data sources offer as much insight into a subject's digital footprint as stealer logs. But what are they, where do they come from, and what should we consider?


Information Stealer malware, commonly known as info stealers, is a category of malware used by threat actors to harvest credentials and user information. Unlike attacks targeting a single website or service, info stealers infect a device and extract saved passwords, browser data and other sensitive information. The output is packaged as stealer logs: a snapshot of a victim’s digital footprint that can be traded, sold or leaked. Attackers commonly use stealer logs for:


  • Account takeover: gaining control of banking or cryptocurrency accounts to commit fraud for financial gain.

  • Identity takeover: compromising social media, email and other communications accounts to conduct further phishing attacks.

  • System compromise: gaining access to corporate or government systems, then exfiltrating or encrypting data for extortion.


This blog examines what stealer logs contain, how they differ from traditional breached data, where they appear, and how OSINT practitioners or security teams can use this information.


A note on sourcing: OSINT Combine does not engage in the trade or direct handling of stolen credentials. This blog references stealer logs for educational purposes only.


Practitioner tip: If you find yourself dealing with or researching malware or stolen data, consider the risks to your systems and information. Use virtualised environments to protect host systems, consider your attribution risk and use trusted third-party services when searching for specific records.


What Are Stealer Logs?


A stealer log is a structured data package extracted from an infected device by infostealer malware. Stealer logs capture the credentials and data stored in a victim's browsers and on the device itself. The typical contents include:


  • Names, usernames and passwords

  • Browser information – e.g. type, configuration, extensions, history, stored passwords

  • File transfer protocol (FTP) details

  • Device information such as operating system, anti-virus configuration and versions

  • IP addresses and associated geolocation

  • Screenshots

  • Saved user autofill information

  • Cryptocurrency wallet and recovery phrase/seed phrase information

  • Cookies

  • Chats, and communications


Stealer logs are device-centric rather than account-centric, in that they typically contain credentials for multiple services the victim accessed through the browser, or browsers present on the device.


This results in potentially dozens of accounts, across banking, email, social media, and corporate systems, being captured. Processed logs are often organised by domain or URL, with associated credentials, cookies, and/or metadata grouped together.


This structure makes stealer logs particularly valuable to attackers: one successful infection yields access to a victim's entire digital life, not just one compromised account.


Why does this matter? Because understanding the contents and structure of stealer logs is essential as it determines what information is available, what exposure looks like for a subject, and what investigative leads the data might provide.
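To make the per-domain structure concrete, here is an added example written for this article (it is not code from OSINT Combine or from the NexusXplore platform). It parses a constructed log in the JSON shape the screenshots suggest, regroups it by domain, and turns the entries for a domain you defend into containment actions: which saved passwords to reset, and which captured session cookies are still inside their expiry and so must be revoked server-side. The field names (logins, cookies, expirationDate, hostOnly), the domains, the usernames and the reference time are all assumptions or constructed sample values.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample, not a real log: the shape follows the page's screenshots
# (saved logins keyed by URL; Chrome-style cookie exports with expirationDate
# in Unix seconds and hostOnly). All values are fictitious or redacted.
SAMPLE_LOG = """
{
  "logins": [
    {"url": "https://mail.example-corp.com/login", "username": "j.doe@example-corp.com", "password": "<redacted>"},
    {"url": "https://www.twitch.tv/login", "username": "jdoe_streams", "password": "<redacted>"},
    {"url": "https://accounts.google.com/signin", "username": "jdoe.personal@gmail.com", "password": "<redacted>"},
    {"url": "https://vpn.example-corp.com/", "username": "jdoe", "password": "<redacted>"}
  ],
  "cookies": [
    {"domain": ".example-corp.com", "name": "SESSIONID", "value": "<redacted>", "expirationDate": 1800000000, "hostOnly": false},
    {"domain": "www.twitch.tv", "name": "auth-token", "value": "<redacted>", "expirationDate": 1700000000, "hostOnly": true},
    {"domain": ".google.com", "name": "SID", "value": "<redacted>", "expirationDate": 1800000000, "hostOnly": false}
  ],
  "system": {"ip": "203.0.113.7", "os": "Windows 10", "antivirus": "Windows Defender"}
}
"""

# Reference time used by the demo so results are reproducible (constructed).
REFERENCE_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def host_of(url_or_domain: str) -> str:
    """Normalise a login URL or cookie domain to a bare lower-case hostname."""
    if "://" in url_or_domain:
        host = urlparse(url_or_domain).hostname or ""
    else:
        host = url_or_domain
    return host.lstrip(".").lower()


def on_watchlist(host: str, watch_domains) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watch_domains)


def group_by_domain(log: dict) -> dict:
    """Rebuild the per-domain grouping that processed logs usually have."""
    grouped = defaultdict(lambda: {"logins": [], "cookies": []})
    for entry in log.get("logins", []):
        grouped[host_of(entry["url"])]["logins"].append(entry["username"])
    for cookie in log.get("cookies", []):
        grouped[host_of(cookie["domain"])]["cookies"].append(cookie)
    return dict(grouped)


def exposure_report(log_text: str, watch_domains, now: datetime) -> dict:
    """Turn a raw log into containment actions for the domains you defend.

    accounts_to_reset:  (host, username) pairs whose saved password was captured
    sessions_to_revoke: captured cookies still within their expiry at `now`
    expired_cookies:    captured cookies that can no longer be replayed
    """
    grouped = group_by_domain(json.loads(log_text))
    report = {"accounts_to_reset": [], "sessions_to_revoke": [], "expired_cookies": []}
    for host, items in grouped.items():
        if not on_watchlist(host, watch_domains):
            continue
        for user in items["logins"]:
            report["accounts_to_reset"].append((host, user))
        for cookie in items["cookies"]:
            expires = datetime.fromtimestamp(cookie["expirationDate"], tz=timezone.utc)
            # hostOnly=false (leading-dot domain) means the cookie was sent to every subdomain
            scope = "host only" if cookie.get("hostOnly") else "all subdomains"
            bucket = "sessions_to_revoke" if expires > now else "expired_cookies"
            report[bucket].append((host, cookie["name"], scope))
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    for watch in (["example-corp.com"], ["twitch.tv"]):
        print(watch, exposure_report(SAMPLE_LOG, watch, REFERENCE_TIME))
```

Run against the watchlist ["example-corp.com"] the report lists two accounts to reset and one live SESSIONID cookie to revoke; the twitch.tv cookie in the same log has already expired, which is the kind of timeline judgement the text describes. Real processed logs vary in layout between stealer families, so the parsing step is the part a practitioner would adapt.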

Image: screen displaying JSON stealer-log records with login details (URLs and usernames) redacted. Caption: Redacted stealer logs as published to BreachForums.

Image: JSON cookie records for twitch.tv and google.com from Chrome, with fields such as expirationDate and hostOnly blacked out. Caption: Cookies included in stealer logs, found on BreachForums (redacted for user privacy).

Stealer Logs vs Breached Data


It can be tempting to treat stealer logs and breached data as interchangeable. They're not. Each reflects a different compromise model, scope of exposure, and investigative value. In OSINT, making the distinction matters.


Obtained from
  • Stealer logs: malware-infected devices.
  • Breached data: servers, databases and cloud data belonging to a business or organisation.

Contains
  • Stealer logs: user credentials, cookies, IP addresses and system information from a device. Information is limited to the number of persons using the infected device.
  • Breached data: large-scale data from an organisation, including business records, business emails, internal memoranda, HR records, banking details, payroll and employee personal information; client details including credit card or payment details, addresses, contact details, emails, customer history, medical records, financial records and identity documents. Information from potentially tens of thousands of affected individuals.

Format
  • Stealer logs: text, JSON and other document/data types.
  • Breached data: varies with the nature and size of the compromise or victim; can contain various document types, images, executables or whole databases.

Published
  • Stealer logs: sold on dark web forums and/or published on hacker forums.
  • Breached data: published on dark web ransomware blogs and other leak sites.

Monetised through
  • Stealer logs: logs sold on the dark web, and software subscriptions to info stealer malware.
  • Breached data: extortion and the threat of releasing information.

Initial access or compromise
  • Stealer logs: phishing, malvertising, download of cracked or pirated software.
  • Breached data: stolen credentials from stealer logs or phishing, or exploitation of vulnerabilities or misconfigurations in servers.

Victim impact
  • Stealer logs: unlawful access to personal or work accounts, causing financial loss or loss of personal information.
  • Breached data: for businesses and organisations, significant global reputational damage, loss of customers, mandatory reporting obligations, potential fines and legal action, lengthy recovery times and significant financial loss; for customers, sensitive information is exposed, leading to further financial loss, further victimisation or personal reputational loss.

How Info Stealers Work


Info stealers are generally offered as Malware as a Service (MaaS) and commonly sold on forums on both the dark and surface web. MaaS providers generally charge a subscription fee for access to their tool.


Understanding how they operate helps assess the reliability and recency of the data, recognise indicators of compromise, and make sense of the findings alongside other known threats.


MaaS offerings are commonly discussed across criminal forums, underground marketplaces, and public code repositories, illustrating the accessibility and maturity of the infostealer ecosystem. Examples identified include dark web forums such as Dread and BreachForums, marketplaces such as Nexus Market (not related to NexusXplore!), and open-source tools on GitHub, marketed for research and educational purposes.


Image: forum post advertising a C++ Telegram-controlled RAT for Windows, listing features such as microphone capture, data grabbing, a keylogger and pricing. Caption: An info stealer for sale on the Dread (dark web) forum, posted on 9 Jan 2026. Note that this sale is also combined with a Remote Access Trojan (RAT) with Remote Code Execution (RCE) in the command list.

Image: dark-themed marketplace listing for a malware kit priced at $120, with an add-to-cart button, payment icons, user info and a description of keystroke capture. Caption: A common variant, Redline Stealer, for sale on Nexus (dark web) Market.

Image: software page titled "Venom | Free and open source info-stealer" with a caution statement and screenshots of its home, data and build pages. Caption: Open-source, free info stealer on GitHub, available for research and educational purposes.

Image: a Santa figure in a red suit carrying a sack with Bitcoin and Steam icons, on a black login page with text fields and a "Sign In" button. Caption: The login page for Santa Stealer. Users provide a token that takes them to the control panel, where they have options for a malware build, logs, or activity associated with the malware.

Image: pricing plans showing Basic, Premium and Lifetime options with features listed; prices in red: $200/month, $300/month, $1000/lifetime. Caption: Santa Stealer pricing. The currency is not stated but is likely USD. Of note, this malware is fully customisable.

Deployment Methods


Once acquired, info stealers are deployed to the target device. There are a number of ways to deploy this malware including but not limited to:


  • Phishing emails

  • Malicious links and downloads

  • Malware disguised in cracked or pirated software

  • Malvertising - injecting harmful or malicious code into advertising


Resources such as the MITRE ATT&CK knowledge base give deeper insight into these deployment techniques and the Indicators of Compromise (IoCs) associated with them.


Control


Once deployed, stolen data can be retrieved via web-based control panels or messaging applications. Telegram is often used, with operators controlling the malware through Telegram bots.


The command list below demonstrates the breadth of information an info stealer can potentially pull from an infected system all via the Telegram platform.


Image: a list of remote access commands in a messaging app interface, showing functions such as screenshot, webcam photo and shutdown. Caption: Command list for Millenium RAT and Info Stealer as shown on the Dread Forum.

Image: chat log of file transfers and commands on a green backdrop, with files screenshot.jpg, tdata.zip and Browser data.zip and their detailed contents. Caption: Control of the Millenium RAT and Info Stealer via Telegram as shown on the Dread Forum.

Explainer: How Cookies Enable Access


When a user logs into a website and completes their multi-factor authentication (MFA), the site creates a session cookie: a small piece of data saved on the computer and presented on subsequent requests to the service as proof of authentication, until the user logs out or the session times out.


A cookie collected by an infostealer may be used in a ‘pass-the-cookie’ style attack, in which the attacker presents the stolen cookie in their own browser to trick the service into believing they are the legitimate authenticated user. This works without the credentials or completing MFA.


Cookies typically have expiry periods, ranging from minutes to months, potentially giving the attacker a window of access even if the victim changes their password.
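The server-side control that closes the window described above, as an added example rather than code from the original post: a minimal Python session store that treats the cookie value purely as a lookup key, caps every session's absolute lifetime, and revokes all of a user's existing sessions as part of a password change. With this in place a captured cookie stops working at the moment of the reset, not when its own expiry arrives. The SessionStore class, the user name and the timings are constructed for illustration.

```python
import secrets
from datetime import datetime, timedelta, timezone


class SessionStore:
    """Server-side session table: the cookie value is only a lookup key."""

    def __init__(self, max_lifetime: timedelta):
        self.max_lifetime = max_lifetime
        self._sessions = {}  # cookie token -> (user, issued_at)

    def create_session(self, user: str, now: datetime) -> str:
        # Called only after the password and MFA checks have passed.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now)
        return token

    def validate(self, token: str, now: datetime):
        """Return the user for a live session cookie, or None if it must be rejected."""
        entry = self._sessions.get(token)
        if entry is None:
            return None  # unknown, expired or already revoked
        user, issued_at = entry
        if now - issued_at > self.max_lifetime:
            del self._sessions[token]  # absolute lifetime caps the replay window
            return None
        return user

    def revoke_all_for(self, user: str) -> int:
        """Drop every session for a user; returns how many were revoked."""
        stale = [t for t, (u, _) in self._sessions.items() if u == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def change_password(self, user: str) -> int:
        # A password change that leaves old sessions alive does nothing against a
        # captured cookie, so revocation is part of the change itself.
        return self.revoke_all_for(user)


def demo() -> dict:
    """Constructed timeline: login, capture, password change, fresh login, expiry."""
    store = SessionStore(max_lifetime=timedelta(hours=12))
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    cookie = store.create_session("j.doe", t0)  # victim logs in and completes MFA
    # The same cookie value is what an infostealer would have captured from disk.
    results = {"one_hour_later": store.validate(cookie, t0 + timedelta(hours=1))}
    results["revoked_count"] = store.change_password("j.doe")
    results["after_password_change"] = store.validate(cookie, t0 + timedelta(hours=3))
    fresh = store.create_session("j.doe", t0 + timedelta(hours=3))
    results["fresh_session"] = store.validate(fresh, t0 + timedelta(hours=4))
    results["fresh_after_lifetime"] = store.validate(fresh, t0 + timedelta(hours=16))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the demo the captured cookie is accepted an hour after login, rejected once the password is changed, and the replacement session issued afterwards is itself rejected once it passes the 12-hour absolute lifetime. Stateless tokens such as long-lived JWTs cannot be revoked this way, which is why a server-side store or a per-user session-version check matters for the scenario the explainer describes.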


How Stealer Logs Become Publicly Available


Stealer logs surface through several channels. Knowing these pathways helps assess data timelines, identify where to look, and understand the ecosystem in which this intelligence circulates. The logs may become available through:


  • Private sale: for example, initial access brokers may sell specific log sets of value to attackers.


  • Marketplace listing: usually sold on the dark web, often as a bundle, with the promise of exclusivity and 'one off' sales.


  • Log dumps: published freely to a forum or paste site as part of doxing activities or to gain notoriety in the hacker community.


  • Telegram: via a paid subscription to a channel where sellers publish to a limited audience. Older logs are freely published to public channels as a sample to advertise their services.


  • Aggregator indexing: services that collect from the above and other sources and compile them into a searchable database accessible via legitimate threat intelligence platforms and public portals. Some of these services are paid.


Worth noting: The time from infection to public availability can be remarkably short. The expiration times of cookies may dramatically reduce the usefulness of stealer log data which increases the sense of urgency in their sales and publication.


Where Are They Published?


Navigating the dark web is often challenging given the clandestine nature of its services. Markets, vendors and forums can be identified via various dark web link aggregation sites, dark web search engines, and searches across encrypted chat applications (e.g. Telegram) for new or updated onion addresses.


Access to the dark web requires the Tor browser, ideally run in a virtualised Linux environment to protect the host and data.


Direct access to criminal marketplaces is not always necessary, or advisable – depending on the investigation end state. But several legitimate options exist:


  • Breach notification services: Have I Been Pwned provides free and safe search functionality and exposure checking without handling raw credentials.


  • Commercial threat intelligence platforms: services that aggregate stealer log data within legal frameworks, allowing organisations to monitor exposure without accessing criminal sources directly.


  • Specialist OSINT tools: some OSINT platforms, such as NexusXplore, include stealer log search functionality, enabling investigators to query aggregated data for exposure monitoring and person-of-interest research. NexusXplore also makes combing the dark web easier through built-in searching of millions of different dark markets, forums and vendors.


  • Law enforcement coordination: for investigations with appropriate authority, law enforcement partnerships may provide access to seized datasets.


These services allow practitioners to gain actionable intelligence while maintaining clear legal and ethical boundaries. Yes, this data comes from criminal activity but accessing it through reputable intermediaries shifts the legal and ethical burden appropriately.


However, policy and legality differ by jurisdiction. What is permissible for security researchers in one country may constitute an offence in another. Organisational policy may also restrict access even when legally appropriate.


Always verify your authority before accessing any stealer log intelligence. When in doubt, consult legal counsel and use established commercial services that operate within appropriate legal frameworks.


Image: forum page titled "Stealer Logs" with threads on data leaks, each showing replies and views, in a dark-themed interface with coloured text labels. Caption: Stealer logs offered on the BreachForums hacker forum (surface and dark web).

Image: dark web marketplace listing for "5000 Worldwide Logs", priced at $10, with features including autofills and passwords and a site-under-DDoS warning. Caption: Stealer logs for sale on Nexus Market (dark web).

OSINT Applications


Stealer logs have several legitimate applications for OSINT practitioners. For example, stealer logs may reveal account credentials, device information, and behavioural patterns that assist in identifying offenders or locating victims of child exploitation. The same data that enables criminal account takeover can, in the right hands and through appropriate legal process, help protect the vulnerable.


Further, stealer logs may provide exculpatory information: identifying potentially compromised credentials may assist in excluding an individual from enquiries or in substantiating a claim that their account was compromised.


Organisations can protect staff and limit data exposure through rapid identification and containment of compromised credentials.


As stealer logs continue to play a role in modern compromise, the responsible use of this data, through lawful and ethical frameworks can help protect individuals, organisations, and critical assets. NexusXplore enables this by providing exposure data through trusted aggregation services. Contact us to learn more.
