Lumma now leads the infostealer ecosystem in 2026, after Operation Magnus took out RedLine and META in late 2024. RedLine’s legacy footprint still surfaces in older logs, Vidar remains stubbornly durable, StealC has gained share, Atomic dominates the macOS side, and ACR Stealer and Meduza are the rising Russian-language contenders. The top six families together produce the overwhelming majority of all stealer logs traded in 2026. Here is who is in your stealer log and why each one matters. Ransomnews Research Team. Window: post-Operation Magnus through May 2026.
Ransomnews Research Team
A stealer log is the data dump that an infostealer malware produces after it compromises a device. It typically contains every saved browser password, every active session cookie, autofill data, system details, and in some families, screenshots and clipboard history. Stealer logs feed account takeover, ransomware initial access, and corporate breach pipelines. This explainer covers what a 2026 stealer log actually holds, how devices end up in one, how the logs are sold, and how anyone can check whether their data is in the ecosystem. Ransomnews Research Team. Updated June 2026.
We analysed 16,699 ransomware leak-site posts from 200 groups over 24 months. The data shows ransomware now runs on a workweek calendar: 84% of leaks land Monday to Friday, half of all activity happens in 8 UTC hours, October is open season, and the ecosystem is growing not consolidating. Here is the full timing picture.
Lithuania’s Centre of Registers (Registrų centras) disclosed a May 2026 breach exposing roughly 600,000 records. Attackers reused credentials of authorised institutions, queried from abroad. Alerts.bar data shows 117 stealer-log accounts tied to the agency and 60+ live infected staff endpoints across the wider Lithuanian institutional ecosystem.
A 5-year census of 65,907 exposed databases found 30,515 carry a ransom or wipe marker. Of 512 attacker wallets we traced on-chain, 318 received nothing. The 9.78 BTC ($753K) that did move concentrates into the top 10 wallets, which captured 43% of receipts. Mass database extortion is industrial, automated, and mostly failing.
Inside the May 2026 pivot to encryption-less extortion. The ShinyHunters–Instructure breach, Nitrogen’s hit on Foxconn, EDR killers as standard tooling, and what a 28% payment rate means for defenders.
A practical OSINT walkthrough for investigating ransomware leak sites — workflow, sources, pitfalls, and how to verify victim claims without breaking operational security.
Multi-factor authentication was supposed to end the credential-theft era. In 2026, it hasn’t — because adversaries skip the credential entirely and steal the session cookie that the authentication produced. Here’s how the attack works, why MFA doesn’t stop it, and the four controls that do.
Alerts.bar is a continuously-updated dark-web monitoring and stealer-log intelligence platform. We’ve used it in production to power Ransomnews’s free Stealercheck tool. Here’s our independent review — features, pricing, real-world testing, and how it stacks up against HIBP, SpyCloud, Constella, and Hudson Rock.
A 2026 retrospective on Item 1.05 of Form 8-K — the SEC’s four-day cyber-incident disclosure rule. How filings have actually played out, what the enforcement signals look like, and the practical playbook the better-prepared CISOs now run.