Infostealer malware logs used to identify child abuse website members

Share:

Thousands of pedophiles who download and share child sexual abuse material (CSAM) were identified through information-stealing malware logs leaked on the dark web, highlighting a new dimension of using stolen credentials in law enforcement investigations.

The novel use of the dataset was conducted by Recorded Future’s Insikt Group, who shared a report explaining how they identified 3,324 unique accounts that accessed illegal portals known for distributing CSAM.

By leveraging other data stolen from the target, Insikt analysts could track those accounts to usernames on various platforms, derive their IP addresses, and even system information.

This information gathered by the Insikt Group has been shared with law enforcement to unmask the identities of these individuals and proceed to arrests.

Using stealer logs for good

A stealer log is a collection of data stolen from a particular individual by information-stealing malware, such as Redline, Raccoon, and Vidar, from infected systems.

When these types of malware are executed on a device, they collect credentials, browser history, browser cookies, autofill data, cryptocurrency wallet information, screenshots, and system information.

The information is then packaged into an archive called a “log,” which is then transmitted back to the threat actor’s servers.

Threat actors can then use these stolen credentials to breach further accounts, conduct corporate attacks, or sell them to other cybercriminals on the dark web, Telegram, and other platforms. Due to their size and number, these logs are rarely scrutinized and categorized but rather sold in bulk.

Previous analysis has shown that information-stealer logs can contain crucial business account data or credentials to accounts that can expose proprietary information.

As this type of malware is commonly distributed via pirated software, malvertising, and fake updates, they can siphon data from infected systems for extended periods without the victim realizing it.

This includes CSAM users who, without their knowledge, expose all of the credentials for their online banking, email, and other legitimate accounts, as well as the account credentials used for accessing CSAM sites that require registration.

Identifying CSAM consumers

Insikt analysts used infostealer logs captured between February 2021 and February 2024 to identify CSAM consumers by cross-referencing stolen credentials with twenty known CSAM domains.

They then removed duplicates to narrow the results to 3,324 unique username-password pairs.

As information-stealing malware steals all credentials saved in a browser, the researchers were able to link CSAM account holders to their legal online accounts, such as email, banking, online shopping, mobile carriers, and social media.

They then used open-source intelligence (OSINT) and digital artifacts to gather more revealing information about those users. These clues include:

  • Cryptocurrency wallet addresses and transaction histories.
  • Non-CSAM web accounts and browsing history.
  • Physical addresses, full names, phone numbers, and email addresses extracted from browser autofill data.
  • Associations with various online services, such as social media accounts, government websites, and job application portals.

Recorded Future’s report highlights three cases of identified individuals, summarized as follows:

  1. d****” – Cleveland, Ohio resident previously convicted for child exploitation and registered as a sex offender. Maintains accounts on at least four CSAM sites.
  2. docto” – Illinois resident who volunteers at children’s hospitals and has a record for retail theft. Maintains accounts on nine CSAM websites.
  3. Bertty” – Likely a Venezuelan student who maintains accounts on at least five CSAM sites. Cryptocurrency transaction history implicates the user with the potential purchase and distribution of CSAM content.

Insinkt’s analysis highlights the potential of infostealer data in aiding law enforcement to track child abuse tracking and prosecute individuals.

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
11:32 am, Jul 11, 2025
weather icon 29°C
L: 26° | H: 30°
few clouds
Humidity: 45 %
Pressure: 1021 mb
Wind: 3 mph SE
Wind Gust: 6 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 13%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 4:56 am
Sunset: 9:15 pm
DailyHourly
Daily ForecastHourly Forecast
Today 10:00 pm
weather icon
26° | 30°°C 0 mm 0% 8 mph 47 % 1021 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
18° | 30°°C 0 mm 0% 9 mph 65 % 1018 mb 0 mm/h
Sun Jul 13 10:00 pm
weather icon
17° | 27°°C 0 mm 0% 7 mph 73 % 1014 mb 0 mm/h
Mon Jul 14 10:00 pm
weather icon
20° | 29°°C 0 mm 0% 14 mph 71 % 1017 mb 0 mm/h
Tue Jul 15 10:00 pm
weather icon
15° | 27°°C 0 mm 0% 13 mph 71 % 1021 mb 0 mm/h
Today 1:00 pm
weather icon
29° | 29°°C 0 mm 0% 3 mph 42 % 1021 mb 0 mm/h
Today 4:00 pm
weather icon
30° | 31°°C 0 mm 0% 5 mph 34 % 1019 mb 0 mm/h
Today 7:00 pm
weather icon
28° | 28°°C 0 mm 0% 5 mph 28 % 1017 mb 0 mm/h
Today 10:00 pm
weather icon
22° | 22°°C 0 mm 0% 8 mph 47 % 1019 mb 0 mm/h
Tomorrow 1:00 am
weather icon
18° | 18°°C 0 mm 0% 4 mph 55 % 1018 mb 0 mm/h
Tomorrow 4:00 am
weather icon
19° | 19°°C 0 mm 0% 4 mph 65 % 1018 mb 0 mm/h
Tomorrow 7:00 am
weather icon
19° | 19°°C 0 mm 0% 6 mph 64 % 1018 mb 0 mm/h
Tomorrow 10:00 am
weather icon
24° | 24°°C 0 mm 0% 6 mph 45 % 1017 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€100,985.21
6.43%
Ethereum(ETH)
€2,570.28
8.35%
Tether(USDT)
€0.85
0.01%
XRP(XRP)
€2.24
7.83%
Solana(SOL)
€140.56
4.40%
USDC(USDC)
€0.85
0.00%
Dogecoin(DOGE)
€0.170378
10.33%
Shiba Inu(SHIB)
€0.000012
7.86%
Pepe(PEPE)
€0.000011
15.53%
Peanut the Squirrel(PNUT)
€0.246894
20.17%
Scroll to Top