The stealer malware ecosystem has evolved into a sophisticated criminal enterprise capable of processing hundreds of millions of credentials daily.
Over the past several years, threat actors have transformed the landscape of credential theft through specialized malware families and underground distribution platforms.
These information-stealing operations now represent one of the most significant threats to digital security, with criminal networks establishing complex hierarchies to manage the harvest and distribution of stolen authentication data.
Recent investigations into the stealer log ecosystem have revealed an alarming scale of operations. A single Telegram account monitored by security researchers was observed ingesting as many as 50 million credentials within a 24-hour period.
The infrastructure supporting these operations has grown increasingly sophisticated, with threat actors utilizing messaging platforms, particularly Telegram, as their primary distribution channel.
These platforms serve as marketplaces where stolen data is bought, sold, and freely shared among criminal communities.
The criminal ecosystem operates through a tiered structure consisting of three primary groups. Primary sellers manage key operations and maintain both public channels where stealer logs are shared and paid private channels offering premium access to clients.
Aggregators collect stealer logs from multiple sources and redistribute them through their channels, often providing search capabilities for victims across specific sites.
Traffers work in cooperation with primary sellers to spread malware, occasionally operating their own channels to demonstrate their effectiveness.
Synthient analysts identified this hierarchical structure while monitoring the platforms and building systems to ingest shared data in hopes of helping victims.
The motivations driving these operations vary across groups. While primary sellers focus on monetizing stolen credentials through subscription models, aggregators often leak data publicly to gain attention and reputation within criminal communities.
This creates a complex web where the same stolen credentials may appear across multiple channels in various formats.
Some channels advertise access to billions of credential lines, with pricing models ranging from weekly subscriptions at 60 dollars to lifetime access for 600 dollars, demonstrating the commercialization of cybercrime.
The volume of credentials flowing through these channels has reached staggering proportions. Over the course of Synthient's monitoring, researchers indexed approximately 30 billion Telegram messages and parsed 80 billion credentials from them.
During peak activity periods, the system processed 600 million credentials in a single day and indexed 1.2 billion messages within the same timeframe.
Technical Infrastructure and Data Formats
The technical implementation of stealer log distribution presents unique challenges for both criminals and researchers.
Threat actors employ multiple credential formats depending on the malware family and distribution method. The most common are simple combolist structures, one credential per line, using a colon, semicolon, or pipe to separate the email address from the password.
A second single-line format follows the URL-Login-Password (ULP) convention, adding the site the credential belongs to. Logs from actual malware infections instead use a multi-line layout in which each field is written on its own labeled line.
# ComboList
email: password
email; password
email|password
# ULP
url:login:password
url|login|password
# Stealer
URL:
Login:
Password:
The inconsistency in data formats creates operational challenges for aggregators attempting to consolidate stolen credentials.
Synthient researchers noted that aggregators often merge multiple files from different resellers, creating what they described as “pseudo-unique abominations” that combine various credential formats.
This complexity is further compounded when primary sellers password-protect their archives using the link to their own channel as the password, so that anyone redistributing the data has to pass on the original source, preventing aggregators from easily claiming credit for it.
The technical hurdles require sophisticated parsing systems capable of identifying and processing credentials regardless of their original format or packaging method.
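The following is an added example, not code from the article or from Synthient, of the kind of format-agnostic parsing the paragraph above describes: it recognises the three layouts listed earlier (ComboList with any of the three delimiters, ULP with either delimiter, and labeled stealer blocks), folds them into one record type, and then collapses the same credential seen in different layouts. The label names, regular expressions and sample input are assumptions constructed for illustration, not real stolen data.

```python
"""Added example: normalise ComboList, ULP and labelled stealer-log lines into
one record type and dedupe the result. The sample input is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    url: Optional[str]      # None for ComboList lines, which carry no site
    login: str
    password: str
    fmt: str                # "combolist", "ulp" or "stealer"


# url:login:password or url|login|password. A URL may carry a port, so ':' is
# allowed inside it only when followed by digits; the password is matched
# greedily so delimiters inside it survive.
_ULP = re.compile(
    r"^(?P<url>(?:https?|ftp|android)://[^\s:|;]+(?::\d+)?[^\s:|;]*)"
    r"(?P<d>[:|;])(?P<login>[^:|;]+)(?P=d)(?P<password>.+)$"
)
# email:password, email; password, email|password: the login must be an
# address, and whitespace around the delimiter is tolerated.
_COMBO = re.compile(r"^(?P<login>[^\s:|;]+@[^\s:|;]+)\s*[:|;]\s*(?P<password>.+)$")
# One labelled line of a stealer dump. Label names differ between families
# (assumed aliases here), so they are folded onto url/login/password.
_LABEL = re.compile(
    r"^\s*(?P<key>url|host|login|user(?:name)?|email|pass(?:word)?)\s*:\s*(?P<val>.*)$",
    re.I,
)
_FIELD = {"url": "url", "host": "url", "login": "login", "user": "login",
          "username": "login", "email": "login", "pass": "password",
          "password": "password"}


def parse_line(line: str) -> Optional[Credential]:
    """Classify one single-line record; None for comments and unparseable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if (m := _ULP.match(line)):
        return Credential(m["url"], m["login"], m["password"], "ulp")
    if (m := _COMBO.match(line)):
        return Credential(None, m["login"], m["password"], "combolist")
    return None


def _finish(block: dict) -> Optional[Credential]:
    """A labelled block is complete once it has both a login and a password."""
    if block.get("login") and block.get("password"):
        return Credential(block.get("url") or None, block["login"], block["password"], "stealer")
    return None


def parse_stream(lines: Iterable[str]) -> Iterator[Credential]:
    """Walk a mixed file. Labelled lines are assembled into a block that is
    closed by a new URL label, any non-labelled line, or end of input; every
    other line goes through parse_line."""
    block: dict = {}
    for raw in lines:
        if (m := _LABEL.match(raw)):
            field = _FIELD[m["key"].lower()]
            if field == "url" and "url" in block:      # next record starts
                if (done := _finish(block)):
                    yield done
                block = {}
            block[field] = m["val"].strip()
            continue
        if (done := _finish(block)):
            yield done
        block = {}
        if (single := parse_line(raw)):
            yield single
    if (done := _finish(block)):
        yield done


def _norm_url(url: Optional[str]) -> Optional[str]:
    """Lower-case scheme and host, drop the trailing slash and any query string."""
    if not url:
        return None
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


def dedupe(creds: Iterable[Credential]) -> List[Credential]:
    """Collapse the same (site, login, password) seen in different layouts.
    Logins are case-folded, passwords compared exactly. A site-less ComboList
    line stays separate from the same pair with a URL: nothing ties it to a site."""
    seen, out = set(), []
    for c in creds:
        key = (_norm_url(c.url), c.login.strip().lower(), c.password)
        if key not in seen:
            seen.add(key)
            out.append(c)
    return out


def summarise(creds: Iterable[Credential]) -> Dict[str, int]:
    """Count records per source layout."""
    counts: Dict[str, int] = {}
    for c in creds:
        counts[c.fmt] = counts.get(c.fmt, 0) + 1
    return counts


# Constructed sample mixing all three layouts (not real stolen data).
SAMPLE = """\
# ComboList, three delimiters
alice@example.com:Spring2024!
alice@example.com; Spring2024!
bob@example.com|hunter2:extra
# ULP, with a port and a mixed-case host
https://shop.example.com:8443/login:alice@example.com:Spring2024!
https://Shop.example.com:8443/login/|alice@example.com|Spring2024!
# Stealer block, with an unrelated label and varying field names
URL: https://mail.example.org/
Login: carol
Password: p@ss:word
SOFT: Chrome
URL: https://bank.example.net/auth
Username: dave
Pass: 12345
""".splitlines()

if __name__ == "__main__":
    raw = list(parse_stream(SAMPLE))
    uniq = dedupe(raw)
    print(len(raw), "parsed,", len(uniq), "unique", summarise(uniq))
    for c in uniq:
        print(c)
```

On the constructed sample the seven parsed records collapse to five: the two ComboList spellings of the same pair merge, as do the two ULP lines despite the differing host case and trailing slash, while the site-less ComboList entry for the same address is deliberately kept apart from the ULP one. Passwords containing the delimiter survive because the last field is always taken greedily; the one ambiguity this approach cannot resolve is a ComboList password that itself begins with whitespace, which the delimiter-trimming discards.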