What Are Stealer Logs? A Field Guide to the Credential-Theft Economy

By Ransomnews Research Team, April 27, 2026
[Image: glowing key dissolving into password fragments, representing stealer logs]

If you read enough breach disclosures from 2023 onward, a phrase keeps appearing: "initial access via stolen credentials sold on a stealer-log marketplace." It is the cybercrime entry-point that has quietly displaced phishing as the dominant cause of corporate breaches, and yet most security teams still describe it imprecisely. This piece is the foundational explainer.

A "stealer log" is the structured output of an infostealer-malware infection: a single ZIP or directory dropped by the malware after it has finished extracting everything of value from a compromised machine. One log = one infected device. The credential economy now revolves around buying, selling, and exploiting these logs in volume.

What is inside a single log

Open one and you will typically find:

  • Browser-saved passwords. Every credential the user ever told Chrome, Edge, Firefox, Brave, or Opera to remember. Malware decrypts the local browser keystore (Windows DPAPI, macOS Keychain) and dumps them as a flat list, typically 30 to 300 entries per device, in a Passwords.txt or per-browser file.
  • Browser cookies. Including authenticated session cookies for SaaS, banks, social platforms, corporate VPNs. These are the most valuable part of the log because a stolen session cookie can be replayed without ever needing the password, bypassing multi-factor authentication entirely.
  • Autofill data. Names, addresses, phone numbers, partial card data, anything the user told the browser to remember.
  • Crypto wallets. MetaMask seed phrases, Phantom keys, Exodus wallets, hardware-wallet companion files.
  • System info. Hostname, username, OS version, installed software, screenshot of the desktop at infection time, IP address, geolocation.
  • FTP / SSH client configurations. Saved credentials in FileZilla, WinSCP, OpenSSH known_hosts.
  • Telegram, Discord, Steam tokens. Session tokens that allow direct account takeover of those platforms without the password.

A typical log is 1-5 MB compressed and contains everything an attacker needs to thoroughly compromise the victim’s digital life, and, far more dangerously, every service the victim accessed from that infected machine, including their employer.

Who runs the malware

Infostealer development is now a mature commodity industry. The dominant families through 2024-2025:

  • Lumma Stealer (also "LummaC2"). Currently the most active. Russian-language origin; sold on a subscription model ($250-1000/month). Heavy Telegram presence.
  • RedLine Stealer. The previous market leader, partially disrupted by Operation Magnus in October 2024 but still operating in fragmented form.
  • Vidar. Long-running family with continuous updates.
  • Raccoon Stealer v2. Still active despite multiple takedown actions.
  • Stealc. Newer entrant, gaining share since 2023.
  • MetaStealer, Atomic (macOS), Cthulhu (macOS). Specialised regional or platform-specific variants.

Each has documented detection, IOCs, and YARA rules in the major threat-intel feeds. Microsoft, ESET, Mandiant, Group-IB, Sekoia, and others publish family-level tracking continuously.

How victims get infected

Infection is overwhelmingly commodity. The dominant vectors:

  • Cracked-software downloads. Fake KMS activators, "free" Adobe / AutoCAD / IDM downloads pushed via SEO-poisoned blog posts and YouTube tutorial videos. Probably the single largest source.
  • Fake game cheats and mods. Unsurprisingly effective against gaming-focused machines that often share networks or accounts with corporate use.
  • Malicious PyPI / npm packages. Typosquats and supply-chain attacks targeting developers, a smaller absolute share but extraordinarily high-leverage when the victim has source-code repository or deployment access.
  • Phishing with malicious attachments. OneNote, ISO, LNK, MSI loaders dropping the stealer payload.
  • Drive-by downloads from compromised ad networks. Less common in 2024-2025 but not extinct.

Crucially: most infections happen on personal devices, not corporate-managed endpoints. The victim is at home using their personal laptop, and the credentials being stolen include their corporate VPN, their Microsoft 365 session, their GitHub PAT.

The market: how logs become money

After exfiltration, the malware operator (or an affiliate paying them) ends up with a directory of fresh logs. The next step is monetisation. The dominant channels:

  • Telegram channels. Operators run "auto-shop" channels that drip new logs as soon as they arrive, often with a "free preview" tier and a paid tier that gates the actual credentials. Russianmarket, GenesisMarket-successors, and a long tail of smaller channels.
  • Underground forums. XSS, Exploit, and Verified host bulk-log marketplaces. Pricing is typically $5-15 per log for indiscriminate ones, $50-500+ for "VIP" logs containing high-value corporate credentials.
  • Specialised resellers. Brokers who buy logs in bulk and re-sell filtered subsets, for example "logs from US/EU machines with corporate VPN cookies", to ransomware affiliates and access brokers.

Volume is enormous. Industry estimates put fresh log inflow at several million per week globally. Most are low-value consumer credentials; the small fraction containing corporate access is the engine of modern breaches.

Why this matters for defence

Three structural facts every security team needs to internalise:

Stealer logs bypass MFA. A session cookie stolen from a logged-in browser is already authenticated. Replay it, and you are inside the account without ever touching the login flow. Phishing-resistant MFA still helps for new logins, but not for active sessions a stealer has captured. The defensive answer is short session lifetimes, conditional access on device posture, and continuous re-authentication for sensitive actions.

Personal-device compromise is corporate-device compromise. When an employee uses their home laptop to log into company SaaS, the stealer log includes that company SaaS session. The corporate endpoint security stack never sees it. BYOD policies and unmanaged-device access need to be revisited with this in mind.

Detection lags exploitation by days, not months. From the moment a log enters the marketplace, ransomware affiliates and BEC actors are buying and replaying. The window between theft and active exploitation is now hours to a few days. Defensive monitoring services (Hudson Rock, SpyCloud, IntelX, NordStellar, and our own forthcoming Stealercheck) exist to close that window by alerting organisations when their domains appear in newly published logs.
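To make the log structure described above and the domain-alerting workflow concrete, here is an added triage example (not code from Ransomnews or any monitoring vendor). It parses a constructed Passwords.txt-style dump in an assumed "URL / USER / PASS" record layout (real families vary), discards the secret values so the triage tool never retains them, and reports which accounts touch the organisation's domains, the list a security team would use to force resets and revoke sessions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in an assumed Passwords.txt layout: key/value records
# separated by blank lines. Passwords are already placeholders here.
SAMPLE_PASSWORDS_TXT = """\
URL: https://vpn.example-corp.com/remote/login
USER: jdoe@example-corp.com
PASS: [redacted]

URL: https://login.microsoftonline.com/
USER: jdoe@example-corp.com
PASS: [redacted]

URL: https://www.shop-site.test/account
USER: jane_doe
PASS: [redacted]

URL: https://github.com/login
USER: jdoe-dev
PASS: [redacted]
"""

RECORD_RE = re.compile(r"^(URL|USER|PASS):\s*(.*)$", re.IGNORECASE)

def parse_passwords_txt(text):
    """Split a Passwords.txt-style dump into records of url/user only.
    The PASS value is dropped on purpose: triage never needs the secret."""
    records, current = [], {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            key = m.group(1).lower()
            if key != "pass":
                current[key] = m.group(2).strip()
        elif not line.strip() and current:   # blank line ends a record
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records

def corporate_exposure(records, corp_domains):
    """Return {account: [hosts]} for entries tied to the organisation,
    matching the credential's host or the username's e-mail domain."""
    corp = {d.lower() for d in corp_domains}
    hits = defaultdict(set)
    for r in records:
        host = (urlparse(r.get("url", "")).hostname or "").lower()
        user = r.get("user", "").lower()
        user_domain = user.rsplit("@", 1)[-1] if "@" in user else ""
        if user_domain in corp or any(host == d or host.endswith("." + d) for d in corp):
            hits[user].add(host)
    return {u: sorted(h) for u, h in hits.items()}
```

The second record shows why matching on the e-mail domain matters: a Microsoft 365 login is hosted on a third-party domain, so a host-only filter would miss the employer's exposure.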

The credential economy is now the largest single source of corporate breach precursors. Treating it as a peripheral concern, the way phishing was treated for most of the 2010s, is no longer defensible. The next decade of intrusion defence will be built around it.
