If you want to understand where the credentials behind the next wave of ransomware attacks are coming from, the answer is overwhelmingly Telegram. The platform’s combination of channel broadcasting, encrypted-by-default messaging, lax moderation on cybercrime content, and willingness to host bots has made it the central distribution layer for the stealer-log economy. Researchers describe the situation as "the Telegram problem"; pragmatically, it is the criminal market that has displaced the dark-web forums of the 2010s.
Why Telegram, specifically
Several Telegram affordances align with the stealer-log distribution problem:
- Channels broadcast to large audiences. A channel with 200,000 subscribers can drop a new log link to all of them instantly. No forum thread, no marketplace listing, no friction.
- Bots automate sales. Custom bots handle payment, delivery, and rate-limiting without human involvement. Buy access, get a token, query the bot, receive logs.
- End-to-end encryption (in Secret Chats) and at-rest encryption. Messages are not casually accessible to law enforcement without significant legal effort.
- Limited platform moderation. Telegram’s stance on illegal channels has historically been reactive at best. Channels reappear within days of takedowns.
- Russian-language ecosystem alignment. The dominant infostealer developers are Russian-speaking; Telegram has the deepest Russian-language presence of any major platform.
The combination has produced a stealer-log distribution layer that is more accessible than the dark-web forums it displaced.
Channel structure
A typical mature stealer-log channel runs in three tiers:
The free / preview tier. Public channel with hundreds of thousands of subscribers. Drops "free" logs at irregular intervals, typically older or low-value ones. Acts as advertising and proof of inventory. Browse the channel and you see a continuous stream of "Free Cloud Logs," "Daily Free Drop," "VIP Sample." Each post links to a ZIP hosted on a file-sharing service.
The standard tier. Paid subscription channel, typically $50-300/month. Access via crypto payment to a wallet, then a unique invite link. Drops fresh logs daily, with a several-hours embargo before they appear in the free channel (if they ever do). Most volume sits here.
The VIP / exclusive tier. Private group, $500-2000+/month, sometimes with vetting. Logs filtered for high-value characteristics, corporate VPN cookies, cloud admin sessions, MSP platform access. Buyers in this tier are typically Initial Access Brokers and ransomware affiliates rather than opportunistic carders.
Some channels run all three; others specialise in one tier. Aggregate channel population, including the long tail of small operators, runs into the thousands.
What gets posted
A typical free-tier post looks like:
🔥 Daily Cloud Logs Drop, 1,247 fresh logs
Countries: US, DE, UK, FR, NL, CA
Browsers: Chrome, Edge, Firefox
Crypto wallets included: Yes
Banking cookies: Yes
Download: [shortened-URL]
Password: cloud2026
The shortened URL points to a file-sharing service (MEGA, GoFile, ZippyShare in earlier years, increasingly direct Telegram cloud uploads now). The ZIP password is given inline. No payment required for the free preview.
Standard-tier posts have similar structure with larger volumes, fresher data, and gated access. VIP-tier posts are often single-log "high-value lots" listed individually with summaries of what is inside.
Pricing structure
Approximate market rates as of late 2025:
- Bulk indiscriminate logs: $0.05-0.25 per log when bought in batches of 10,000+.
- Curated / fresh logs: $1-5 per log.
- Subscription channels (standard tier): $50-300/month for unlimited downloads.
- VIP individual high-value logs: $50-1,000+ per log, depending on demonstrated content.
- "Corporate" filtered logs: $200-2,000 per log if it contains active session cookies for a Fortune 1000 company.
Payment is overwhelmingly Bitcoin or USDT (Tether) via Telegram-bot-driven invoicing. A small but growing fraction uses Monero.
The volume
Industry monitoring estimates put total stealer-log volume at 5-10 million fresh logs per week globally across all channels. Total cumulative log inventory in the underground is in the hundreds of millions. The implication: at any given moment, credentials for tens of millions of devices are sitting in the underground market, available for purchase.
Public research summaries that have measured this:
- KELA Cyber’s quarterly reports, available at kelacyber.com, give running estimates of channel populations and log volumes.
- Hudson Rock’s Cavalier Insights, periodic threat-intelligence posts on the channel ecosystem.
- Recorded Future, Sekoia, and Group-IB all publish stealer-log economy research several times per year.
The numbers are large enough that "your domain probably appears" is the safe default assumption for any organisation of meaningful size.
Channel takedowns and resilience
Periodic enforcement pressure has produced takedowns of major channels:
- 2023-2024: Telegram suspended several large stealer-log channels under pressure from Microsoft, the FBI, and Europol. Most reappeared with new names and migrated subscribers via cross-promotion within days.
- 2024 Operation Magnus: alongside the RedLine takedown, several associated Telegram channels were seized or disrupted. New ones emerged within a week.
- Pavel Durov arrest (August 2024): the arrest of Telegram’s founder in France, tied to platform-level cooperation issues with multiple national authorities, has reportedly produced a slow tightening of moderation. Anecdotally, researchers report more channel takedowns through 2025, though aggregate volume has not meaningfully decreased.
The channel ecosystem is structurally resilient. Operators maintain backup channels announced in advance, and subscribers migrate quickly when a primary channel is suspended. Defensive monitoring has to track multiple channels per family and follow migrations actively.
How defensive services use this data
Hudson Rock, NordStellar, IntelX, SpyCloud, KELA, Flashpoint, and Recorded Future all maintain Telegram-channel monitoring as a core data source. Their pipelines:
- Subscribe to or scrape every relevant channel (the publicly accessible ones directly; some require paying for VIP-tier access in order to get in).
- Download log drops as they appear.
- Parse credentials, normalise into structured records, and de-duplicate.
- Match against customer-domain lists and surface alerts.
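The four pipeline steps above, as an added example that is not part of the original article and not code from any of the vendors named: it parses a constructed sample in the blank-line-separated "URL / Username / Password / Application" block layout, normalises host and login, de-duplicates on host, user and a SHA-256 digest of the password (so the pipeline never retains plaintext), and flags records whose login page or whose e-mail domain belongs to a watchlisted customer domain. The watchlist, hosts and credentials are all invented.

```python
"""Minimal stealer-log credential-matching pipeline: parse -> normalise ->
de-duplicate -> match against a customer-domain watchlist. Added example;
all sample data below is constructed."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample of a stealer-log password file. Real logs use a similar
# block layout; every record here is fabricated.
SAMPLE_LOG = """\
URL: https://vpn.example-corp.com/remote/login
Username: JDoe@Example-Corp.com
Password: Winter2025!
Application: Google Chrome

URL: https://shop.example.net/account
Username: jdoe.personal@gmail.com
Password: Winter2025!
Application: Microsoft Edge

URL: https://VPN.example-corp.com/remote/login
Username: jdoe@example-corp.com
Password: Winter2025!
Application: Mozilla Firefox

URL: https://portal.msp-partner.io/admin
Username: ops@example-corp.com
Password: CorrectHorse
Application: Google Chrome
"""

WATCHLIST = {"example-corp.com"}  # constructed customer-domain list


@dataclass(frozen=True)
class Credential:
    host: str        # normalised URL host
    username: str    # lower-cased login
    pw_digest: str   # SHA-256 of the password; plaintext is not retained


def parse_blocks(text: str) -> list:
    """One dict per blank-line-separated block; keys are lower-cased."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip().lower()] = value.strip()
        if {"url", "username", "password"} <= rec.keys():
            records.append(rec)
    return records


def normalise(rec: dict) -> Credential:
    host = (urlsplit(rec["url"]).hostname or "").lower()
    return Credential(
        host=host,
        username=rec["username"].lower(),
        pw_digest=hashlib.sha256(rec["password"].encode()).hexdigest(),
    )


def registrable_match(host: str, watch: set) -> Optional[str]:
    """Return the watchlisted domain if host equals it or is a subdomain of it."""
    for d in watch:
        if host == d or host.endswith("." + d):
            return d
    return None


def run_pipeline(text: str, watch: set) -> list:
    """Parse, normalise, de-duplicate and match; returns one alert dict per hit."""
    seen = set()
    alerts = []
    for rec in parse_blocks(text):
        cred = normalise(rec)
        if cred in seen:
            continue  # same host/user/password seen from another browser or drop
        seen.add(cred)
        reasons = []
        if registrable_match(cred.host, watch):
            reasons.append("url_host")      # login page on a customer-owned host
        user_domain = cred.username.rsplit("@", 1)[-1] if "@" in cred.username else ""
        if registrable_match(user_domain, watch):
            reasons.append("email_domain")  # corporate identity used on a third-party site
        if reasons:
            alerts.append({"username": cred.username, "host": cred.host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOG, WATCHLIST):
        print(alert)
```

The two match reasons are deliberately separate: a hit on `url_host` means a credential for a customer-owned login page, while `email_domain` alone means a corporate identity reused on a third-party site, which is the password-reuse signal the response step below is meant to catch. De-duplication collapses the two Chrome and Firefox entries for the same VPN login into one alert rather than two.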
The defensive industry is, in operational terms, parasitic on the criminal industry: it needs the criminal market to keep functioning in order to have anything to monitor. This produces an uncomfortable but stable equilibrium in which the existence of large public criminal channels is, paradoxically, useful to the defenders.
What organisations should do
Three steps with clear ROI:
1. Subscribe to credential-monitoring services. Whether Hudson Rock, SpyCloud, the forthcoming Stealercheck, or others, the cost (typically $5-25 per monitored employee per year) is dramatically less than the cost of a single ransomware incident enabled by an unmonitored stolen credential.
2. Treat stealer-log appearance as a P1 incident. When monitoring surfaces a credential match, the response should be fast: rotate the password, kill all active sessions for that account, force MFA re-enrollment, audit recent activity. Same severity tier as a confirmed phishing-credential capture.
3. Educate users about the personal-device vector. The infections producing stealer logs almost always happen on personal devices. User training that covers cracked-software risk, malicious-download awareness, and the practical advice to maintain separation between personal and corporate accounts is more effective per dollar than most other awareness-program content.
The stealer-log market is bigger than most security teams realise, more accessible than most assume, and continues to be the dominant supply chain for credential theft globally. Watching it is now a core competence, not a niche capability.
