Dark Web Malware Logs Expose 3,300 Users Linked to Child Abuse Sites

An analysis of information-stealing malware logs published on the dark web has revealed thousands of consumers of child sexual abuse material (CSAM), showcasing how such data can be instrumental in combating serious crimes.

“Approximately 3,300 unique users were found with accounts on known CSAM sources,” Recorded Future reported in a proof-of-concept (PoC) document released last week. “Notably, 4.2% of these users had credentials for multiple sources, indicating a higher likelihood of criminal behavior.”

In recent years, off-the-shelf info-stealer variants have become a widespread threat, targeting various operating systems to siphon sensitive information such as credentials, cryptocurrency wallets, payment card data, and screenshots.

This trend is evident in the emergence of new stealer malware strains like Kematian Stealer, Neptune Stealer, 0bj3ctivity, Poseidon (formerly RodStealer), Satanstealer, and StrelaStealer.

These malware programs are distributed via phishing, spam campaigns, cracked software, fake update websites, SEO poisoning, and malvertising. The harvested data typically ends up on the dark web as stealer logs, which are then purchased by other cybercriminals to further their schemes.

“Employees regularly save corporate credentials on personal devices or access personal resources on organizational devices, increasing the risk of infection,” Flare noted in a report last July.

“A complex ecosystem exists where malware-as-a-service (MaaS) vendors sell info-stealer malware on illicit Telegram channels, threat actors distribute it through fake cracked software or phishing emails, and then sell infected device logs on specialized dark web marketplaces.”

Recorded Future’s Insikt Group identified 3,324 unique credentials used to access known CSAM domains between February 2021 and February 2024, unmasking three individuals who maintained accounts on at least four such websites.

Because stealer logs include cryptocurrency wallet addresses, they can be used to trace whether those addresses have been involved in procuring CSAM and other harmful materials.

Countries like Brazil, India, and the U.S. had the highest counts of users with credentials to known CSAM communities, though Recorded Future noted that this could be due to “overrepresentation due to dataset sourcing.”

“Info-stealer malware and stolen credentials are expected to remain central to the cybercriminal economy due to high demand from threat actors seeking initial access to targets,” the report stated, adding that the findings have been shared with law enforcement.

“Info-stealer logs can assist investigators and law enforcement in tracking child exploitation on the dark web, providing insights into a particularly challenging part of the dark web to trace.”

 

 
