10,000 Victims a Day: Infostealer Garden of Low-Hanging Fruit

Imagine being able to break into any of the top 100 companies for $10 or less, or possibly even for free. A chilling thought, isn't it? Or an exciting one, depending on which side of the cybersecurity fence you stand on. Essentially, that is the current situation. Welcome to the infostealer garden of low-hanging fruit.

Over recent years the problem has grown substantially, and only now are we slowly grasping its full destructive potential. In this piece we explain how the whole cybercriminal ecosystem works, what different actors do with the data stolen through it, and, most importantly, what you can do about it.

Let's start by explaining what infostealer malware actually is. As the name implies, it is malware that… steals data.

The exact data it siphons off varies slightly between variants, but most go after the following:

  • Cryptocurrency wallets
  • Bank account details and saved credit card information
  • Saved credentials from various applications
  • Web browsing history
  • Browser cookies
  • Download history
  • Details about the operating system in use
  • A screenshot of your screen
  • Documents grabbed from the file system
  • Credentials for Telegram and VPN applications

Example log package of an infostealer (screenshot)

And plenty more, as the malware developers add new functionality over time. As you can appreciate, you would not want such data exposed on the web for everyone to see, nor would you want your company's internal system credentials compromised this way. Nevertheless, that is exactly what happens to many users every day.

You do not need deep technical skills to spread infostealer malware, nor do you need large resources to obtain valuable data looted by other malicious actors. Let's look at how the whole ecosystem works.

You, too, can be a cybercriminal!

A prevalent trend in the murky parts of the internet is specialization. Whereas previously it was more common for one individual or group to handle the entire process, today the path to your company's assets is paved by many distinct, competing threat actors. Each specializes in a single facet of the "industry" and is happy to offer its services to any willing buyer, in line with genuine free-market principles.

An example of the "traditional approach" is the well-known Zeus banking malware. It was developed and distributed by the same group of people. The stolen data was also exploited by them, and all proceeds from the criminal venture flowed back to them. There was no way for you, an ordinary cybercriminal, to profit from their results or even to acquire the malware itself and distribute it on your own.

However, the market has evolved. While standalone actors still operate independently, the bar for entering the business of stealing other people's data is now substantially lower. You, even as an individual, can join the cybercrime startup scene. The following positions are now open:

Screenshot of the desktop included in the above package

Dropper Developer / Installs Seller

Your job is to create a small but crucial piece of software on which the rest of the "industry" often relies: the malware dropper, or loader if you prefer.

While the infostealer executable itself tends to be fairly large because of its many capabilities, the dropper has a single purpose: evade antivirus detection and establish a channel through which other malicious actors can download their own malicious code onto the device.

One example of such a dropper is Smoke Loader, operating since 2011 and still gaining new functionality today. Dropper/loader authors either monetize the access gained with their software themselves, sell it to others on various darknet forums, or do both. In darknet parlance an infected computer is called an "install," and there are numerous "install services" claiming to offer you a way to spread your own malware (infostealers, cryptominers or other malicious code) through them. They typically promise that they sell each "install" exclusively to you, but from our experience this is often not the case, since install service operators aim to maximize monetization.

The InstallsKey dropper install service (screenshot)

A service such as InstallsKey lets you buy machines already compromised with its own dropper for anywhere from under a dollar to $10 each, depending on the country. That is not exactly cheap, but for those skilled in the trade the initial outlay is recouped quickly.

Infostealer Malware Developer

The core of the industry. It requires several years of programming experience and a solid understanding of the inner workings of the Windows operating system. Infostealer malware, typically delivered through some form of dropper like the one described above, collects various potentially valuable data and sends it to the attacker over a command-and-control channel.

Some of the commercially available infostealer malware include:

  • RedLine (now outdated but still used by some)
  • META Stealer (an updated version of RedLine)
  • LummaC2
  • Rhadamanthys
  • Vidar
  • Raccoon Stealer (original author arrested, but still operating)
  • RisePro
  • StealC
  • Monster Stealer

There are numerous others as well. The subscription fees can range from a few tens to a couple of hundred dollars per month.

LummaC2 infostealer advertising its service on a Russian-speaking darknet forum (screenshot)

Typically you receive a "builder" tool that lets you generate a customized .exe file, often one that evades most common antivirus products (partly duplicating what droppers offer). Depending on the stealer, the victims' data is accessible through a web panel (either self-hosted or provided by the developer) or via Telegram.

Cracked version of META Stealer available for free (screenshot)

Crypter Developer

Need to evade antivirus detection for the price of a few drinks? No problem. Crypter developers can get you there, letting you concentrate on… whatever your intentions may be.

An example of an automated crypter service (screenshot)

A crypter is a tool that packs a malicious .exe so that most common antivirus solutions struggle to flag it. Droppers and infostealers may already include some level of AV evasion, but a crypter adds one more layer of obfuscation on top, which is why it shows up so often alongside them.

Traffer Teams

Spreading infostealers at scale is hard for a lone hacker, so it pays to team up with other like-minded individuals! That is where traffer teams (трафферы) come in. Coordinating through forums and (partially automated) Telegram channels and bots, they equip you with a ready-made kit for infecting unsuspecting internet users looking for an Adobe crack or free Fortnite skins. In exchange for a cut of the cryptocurrency you manage to steal, they provide everything from an undetectable stealer to a guide on producing fake YouTube tutorials, which are a frequent distribution vector.

Traffer Team Manager

If you are good with people, you might consider a career as a traffer team manager. All you need to do is put together a crypter/infostealer combination of your choosing and build a friendly Telegram bot to recruit new members. Given the competition, it is advisable to work on your public relations and perhaps offer your collaborators a larger share of the profits than they would get elsewhere. If you persuade enough people to join your cause, it can be a lucrative venture.

Traffer team operator explaining their terms on a Russian-speaking darknet forum (screenshot)

Traffer / Spreader

If you are willing to learn and have no ethical constraints, this is the ideal entry-level position.

Pick the team with the best conditions, sign up through its Telegram bot, and you are ready to start. Your main tasks will be producing fake YouTube tutorials or deceptive web pages that persuade targets to download the infostealer kit supplied by your team.

Telegram bot of a traffer team, supplying its "staff" with ready-to-use malicious files for spreading the infostealer (screenshot)

Depending on the team, you could earn up to 90% of the cryptocurrency you manage to steal. Occasionally you may even receive the logs themselves (after your supervisors have processed them with the common monetization techniques). You can then explore other, less conventional ways to monetize them, sell them on, or give them away for free to gain respect within the community.

Log Cloud Operator

Collect logs from public sources and present them as exclusive, private and your own. Profit. That is the typical modus operandi. A log cloud is a service that supplies you with a continual stream of relatively recent logs every day (for a fee, naturally), usually in the form of a Telegram channel or a continuously updated MEGA.nz storage.

Telegram log cloud channel offering millions of collected stealer logs from various semi-public sources (screenshot)

These logs have usually changed hands several times and have already been picked over for the popular targets, but there may still be a hidden gem for you to discover (often referred to as a "unique request").

HackedList.io automatically scans numerous Telegram channels, and the share of duplicates it observes is substantial (see the chart of duplicate rates).

In this scenario, quantity takes precedence over quality. However, there is strength in numbers. Certain log clouds have amassed terabytes of data over time.

URL:Log:Password Reseller

Terabytes of compressed logs mean even more terabytes of raw data. If all you need is a set of usernames and passwords for one specific site, you do not need the complete log bundle. Hence a distinct segment of the "market" has emerged: sellers of .txt files in URL:login:password format, extracted from standard log packages. Instead of terabytes it is now just gigabytes, which makes searching through it trivial with common tools like grep.

An advertisement for a url:log:pass service (screenshot)

URL:Log:Password resellers operate much like log cloud operators, only with less data to manage. Various services, in the form of websites and Telegram bots, exist to make searching easy, so you never need to learn grep or care where the logs came from.
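The two sections above describe the URL:login:password format and the heavy duplication in recirculated logs. The following Python script, added here as an illustration and not HackedList.io's own code, shows the defender-side use of such a dump: parse the lines (splitting from the right, since URLs contain colons), deduplicate, and report how many unique credentials are exposed for an organisation's domains. The sample lines, the domain list and the function names are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the url:login:password format sold by resellers.
# The URL field itself contains ':' (scheme, port), so naive split(':') breaks.
SAMPLE_LINES = """\
https://mail.example-corp.com/owa/:j.doe@example-corp.com:Winter2023!
https://vpn.example-corp.com:443/login:jdoe:Winter2023!
https://mail.example-corp.com/owa/:j.doe@example-corp.com:Winter2023!
android://com.fortnite.app/:gamer123:skins4free
https://accounts.google.com/signin:someone@gmail.com:hunter2
http://intranet.example-corp.com/:admin:admin
"""


def parse_line(line):
    """Split one 'url:login:password' line into (host, login, password).

    Splits from the right so the colons inside the URL survive. Caveat: the
    format is ambiguous when the password itself contains ':'. Returns None
    for lines without three fields or without a parseable host.
    """
    parts = line.rstrip("\n").rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, login, password = parts
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.lower(), login, password


def exposed_credentials(text, org_domains):
    """Return ({host: unique (login, password) count}, duplicate_line_count)
    for hosts under the given organisation domains. Exact duplicate records,
    which recirculated log clouds are full of, are counted once."""
    seen, duplicates = set(), 0
    per_host = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec in seen:
            duplicates += 1
            continue
        seen.add(rec)
        host, login, password = rec
        if any(host == d or host.endswith("." + d) for d in org_domains):
            per_host[host].add((login, password))
    return {h: len(c) for h, c in per_host.items()}, duplicates


if __name__ == "__main__":
    print(exposed_credentials(SAMPLE_LINES, ["example-corp.com"]))
```

The per-host counts are what you would feed into a forced password reset and session revocation for the affected accounts; the script deliberately never tests the credentials against the services.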

Automated Telegram bot for URL:Log:Pass reselling (screenshot)

Automated Marketplace Operator

Looking for genuinely unique and private logs? Head to an automated log marketplace! It may be more expensive (yes, those log cloud offers are too good to be true), but you get the chance to be among the first (even if not the very first) to acquire a specific log.

The largest automated darknet marketplace today is the Russian Market, where infostealer logs can be purchased (screenshot)

For less than $10, threat actors can acquire various kinds of access on such platforms, with the added advantage that the log will be exclusively theirs, at least for a while. Historically three prominent marketplaces operated concurrently. After the takedown of Genesis.Market in a multinational law enforcement operation and the end of development of the 2Easy marketplace, only one major player remains: the notorious Russian Market. As of today (13-07-2024) it lists 7,266,780 records for sale, with an undisclosed but certainly substantial number of logs already sold on the platform.

Initial Access Broker

Combing through the terabytes of data available via log clouds or automated marketplaces for valid and valuable information is like searching for a needle in a haystack. If you succeed, however, it can earn you a significant sum of money. This is where initial access brokers come in. They hunt for (still) valid credentials obtained through infostealer infections and use them to establish footholds in the compromised networks. They then sell that access to anyone willing to pay, frequently threat actors such as ransomware gangs.

Here is an example from a well-known darknet forum (screenshot of an access listing). A quick check on HackedList.io indicates that the OWA access on offer most likely originates from an infostealer infection (screenshot).

Opportunistic Script Kiddie

Alongside ransomware gangs, APTs and skilled initial access brokers there are, naturally, script kiddies: bored youngsters looking for quick money or for ways to cause chaos on the internet.

Readily available data from infostealer infections gives them a potent tool for wreaking havoc with minimal expertise. No programming knowledge is needed, because someone else has already written the stealer. Distribution methods need not be understood, because someone else has already handled that. Even manually testing the acquired credentials is unnecessary, because, yes, someone else has built a tool to do it for you. All that is left is to pick the low-hanging fruit and cause disruption.

An example of a tool used to check the validity of credentials contained in infostealer logs (screenshot)

And no, we are not talking about taking over Minecraft or Discord servers. LAPSUS$, a group of teenage hackers aged 16 to 21, made off with 780 gigabytes of data from the video game publishing giant Electronic Arts. The group also carried out the Uber breach, using the compromised account of an external contractor. In both cases the root cause was an infostealer infection.

Summary

To sum up, here is a diagram of the whole ecosystem (image not reproduced here).

HackedList.io monitors the various log vendors and darknet marketplaces and can alert you before the actors marked as attackers in the diagram above exploit the situation.

How big is the problem really, and what can you do?

Below are some figures:

  • in total, we have detected 45,758,943 infected devices over the past 4 years, of which 15,801,893 had at least one set of credentials exposed in the breach
  • in total, we have identified 553,066,255 URL/username/password combinations
  • we have found infected devices in 183 countries
  • on average, we identify over 10,000 new victims daily

Chart of new victims per day: the spike in February was caused by the discovery of a large leak of older data.

Regrettably, given the high infection rate, it is very likely that your company has already been affected, and the larger the company, the higher the likelihood.

The good news is that you can check for free whether this has happened: just enter your domain at HackedList.io. And if you want to stay protected going forward, we offer a solution for that too.

This piece is a contributed article from one of our partners.
