Stealer logs in 2026 aren’t sold as raw files anymore. The mature operators sell access to “clouds”: searchable subscription portals where buyers query against fresh log inventory, filter for what they want, and download the matched records. After a few weeks observing the model from a research persona, here is how it actually works.
The subscription tiers
The major Telegram-hosted log clouds run roughly the same tier structure. A public free tier: sample logs posted publicly, mostly older or redacted, used as a marketing channel. A standard subscription: $300-$500 per month for queryable access to the recent log corpus, with maybe 100 download credits per month. A premium subscription: $1,000-$3,000 per month for unlimited queries, real-time alerts when fresh logs match a query, and bulk-download tools.
Some operations also sell category-specific tiers (corporate-only logs, crypto-only logs, geography-only logs) at varying premium prices.
What buyers query for
The query patterns cluster. “Logs from corporate users (filtered by domain) that contain credentials for Citrix, VPN, or Active Directory”: that’s a ransomware affiliate buying initial access. “Logs containing crypto exchange or wallet credentials”: that’s a crypto thief. “Logs containing OnlyFans, Pornhub, or romance-platform credentials”: that’s a sextortion crew. “Logs from a specific region or industry”: that’s targeted reconnaissance for a specific operation.
The cloud’s value-add over raw logs is the search. Affiliates pay the premium because filtering 50 million raw logs for the 200 corporate Citrix credentials is a job in itself, and the cloud operator has already done it.
The operational stack
The cloud operator’s stack is unromantic but professional. Telegram bot for subscription management. A Postgres or Elasticsearch backend indexing the logs. A scraping pipeline that ingests fresh stealer output from upstream malware-as-a-service providers, deduplicates it, indexes it, and makes it searchable within hours of the original infection.
Some clouds run their own malware distribution operations to feed their indexes; others purchase logs in bulk from independent operators. The supply chain is its own market.
The implication for defenders
If your domain shows up in any major log-cloud index, your employees’ credentials are queryable and purchasable by every affiliate paying $500/month. Knowing whether your domain is indexed (which is what services like Stealercheck, IntelX, and the underground-monitoring tier of the major threat-intel vendors do) is the first step.
The second step is forced credential rotation for every account that appears in the logs. The cloud index goes back months: a credential exposed in November is still on sale in May unless it has been rotated. Most organisations don’t have a process for this; the ones who do see materially fewer downstream account-takeover incidents.
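As an added example (not code from the post or from any monitoring vendor), here is the minimal logic behind that second step: take a domain-exposure feed and a directory export of last password changes, keep only your own domain, collapse duplicate records, and flag every account whose most recent exposure is not covered by a later rotation. The CSV layout, feed names, accounts and dates are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records from an exposure-monitoring feed. Assumed CSV layout:
# exposure_date,account,service,source. Nothing here comes from a real feed.
EXPOSURE_FEED = """\
2025-11-04,alice@example.com,citrix.example.com,feed-1
2025-11-04,alice@example.com,vpn.example.com,feed-1
2025-11-04,Alice@Example.com,vpn.example.com,feed-2
2025-11-20,bob@example.com,sso.example.com,feed-1
2026-01-10,dave@example.com,vpn.example.com,feed-2
2026-01-15,carol@partner.org,mail.partner.org,feed-1
2026-02-02,bob@example.com,sso.example.com,feed-2
"""

# Constructed directory export: last password change per account (assumed).
LAST_ROTATION = {
    "alice@example.com": date(2025, 12, 1),  # rotated after her only exposure
    "bob@example.com": date(2025, 12, 1),    # rotated, then exposed again in Feb
}


def parse_feed(text):
    """Yield (date, account, service) per non-empty feed line, lowercasing the
    account so the same record seen via two sources collapses into one."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, account, service, _source = line.split(",")
        yield date.fromisoformat(day), account.strip().lower(), service.strip()


def accounts_needing_rotation(feed_text, last_rotation, our_domain):
    """Return {account: (latest_exposure_date, sorted services)} for accounts in
    our_domain with no rotation after their latest exposure. An account rotated
    and then exposed again is flagged too: its endpoint is likely still infected."""
    latest = {}
    services = defaultdict(set)
    for day, account, service in parse_feed(feed_text):
        if account.rsplit("@", 1)[-1] != our_domain.lower():
            continue  # other organisations' exposures are not ours to rotate
        latest[account] = max(day, latest.get(account, day))
        services[account].add(service)
    flagged = {}
    for account, exposed_on in latest.items():
        rotated_on = last_rotation.get(account)
        if rotated_on is None or rotated_on < exposed_on:
            flagged[account] = (exposed_on, sorted(services[account]))
    return flagged
```

Running `accounts_needing_rotation(EXPOSURE_FEED, LAST_ROTATION, "example.com")` flags bob (re-exposed after his December rotation) and dave (never rotated), leaves alice alone, and ignores carol, whose domain is not yours.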
The unfortunate market reality
The log-cloud model has commoditised what used to be specialist work. An attacker with no malware skills, no network presence, and a thousand dollars of budget can buy themselves a queryable view into millions of fresh credentials. The barrier to entry has effectively disappeared. Defending against the threat is a defender problem; the supply side isn’t going away as long as the demand pays.
