Revealing 3,300 Users Associated with Child Abuse Sites in Dark Web Malware Records

Jul 08, 2024NewsroomDark Web / Cyber Crime

An analysis of info-stealing malware logs published on the dark web has revealed thousands of individuals connected to child sexual exploitation websites, showing how such data could help combat serious crimes.

“Around 3,300 distinct users were identified with accounts on established CSAM platforms,” Recorded Future stated in a proof-of-concept (PoC) report released last week. “A noteworthy 4.2% possessed credentials for multiple platforms, indicating a heightened probability of unlawful actions.”

In recent years, readily available info-stealer variants have become a widespread threat targeting a range of systems, with the goal of siphoning sensitive data such as logins, crypto wallets, credit card details, and screen captures.

This trend is reflected in the emergence of new info-stealing malware variants like Kematian Stealer, Neptune Stealer, 0bj3ctivity, Poseidon (previously RodStealer), Satanstealer, and StrelaStealer.

Info-stealers are delivered through phishing, spam operations, pirated software, bogus update portals, SEO manipulation, and malicious advertising. The data they collect typically ends up on the dark web as stealer logs, which other threat actors then buy to advance their own agendas.

“Employees frequently store company logins on personal gadgets or access personal resources on work devices, increasing the risk of infiltration,” Flare pointed out in a report last July.

“A complex environment exists where malware-as-a-service (MaaS) providers peddle info-stealer malware on illicit Telegram channels, threat actors distribute it through counterfeit cracked software or phishing messages, and subsequently retail infected device logs on specialized dark web markets.”

Recorded Future's Insikt Group said it identified 3,324 distinct credentials used to access established CSAM websites between February 2021 and February 2024, and used them to reveal three individuals with accounts on at least four platforms.

The presence of cryptocurrency wallet addresses in the stealer logs also makes it possible to check whether those addresses have been used to acquire CSAM and other harmful content.

Moreover, countries such as Brazil, India, and the U.S. had the highest numbers of users with access to established CSAM communities, although the firm noted that this may be an “overrepresentation due to dataset sourcing.”

“Info-stealer malware and pilfered logins are anticipated to remain integral to the cybercriminal ecosystem due to the high demand from threat actors seeking initial entry into targets,” the company said, adding that it has shared its findings with law enforcement.

“Stealer logs can be utilized by investigators and law enforcement partners to trace child exploitation activities on the dark web, shedding light on an elusive aspect of the dark web that is particularly challenging to follow.”
