Infostealer Logs: What Happens to Stolen Credentials After Infection
KELA’s State of Cybercrime 2026 report tracked 2.86 billion compromised credentials circulating across criminal markets in 2025, spanning infostealer malware, breach databases and underground marketplaces. That number is abstract until you understand what it represents at the device level: one infected laptop, one employee’s personal machine, one contractor’s home computer produces a structured data package called a log that contains every password the browser had saved, every active session token, every autofill entry, every crypto wallet file, and the precise URL where each credential was used. The log is packaged, sold and weaponised within 48 hours of the infection completing.
Most security teams know what infostealers are. Fewer understand what happens to the data once it leaves the device, how it moves through the criminal economy, and at what point the window for detecting and containing the exposure closes.
This article covers the full lifecycle from infection to exploitation, including the specific stages where early detection changes the outcome.
What an infostealer log actually contains
An infostealer log is a structured archive, typically a compressed folder, produced by the malware after it completes its data collection run on an infected device. The contents are standardised across the major infostealer families because criminal buyers expect a consistent format. Constella’s 2026 Identity Breach Report processed 51.7 million infostealer packages in 2025, a 72% year-over-year increase, and found that 98.6% contained active passwords and 99.54% included the specific URLs where those credentials were used, giving attackers a direct, automated map to each account.
A typical log contains:
- browser-saved passwords extracted from Chrome, Firefox, Edge and Brave using decryption keys pulled from the device’s operating system
- active session cookies, including the authenticated tokens that allow access to services without re-entering credentials
- autofill records, including addresses, payment card data and personally identifying information
- cryptocurrency wallet files and seed phrases
- system metadata, including hardware fingerprints, installed software, screen resolution and timezone
- screenshots taken at intervals during the infection to confirm what the user was doing and what platforms were active
The session cookie component is the most dangerous single element. When an employee logs into a corporate application and selects “stay signed in,” the browser stores a session token that remains valid for hours or days. An attacker who holds that token accesses the account without a password and without triggering MFA. The authentication already happened. The token is proof of it.
The 48-hour window: from infection to dark web listing
The timeline from a successful infostealer infection to a listed dark web sale is well documented in 2025 and 2026 threat intelligence research, and it is shorter than most security teams assume.
In the first hour, the malware completes its collection run, packages the log and exfiltrates it to the attacker’s infrastructure. Modern infostealers transmit via HTTP POST to a command-and-control server, via Telegram bot, or directly to a cloud storage endpoint. Many are designed to self-delete after transmission, removing forensic traces before endpoint security or EDR tools identify the infection. By hours 12 to 24, the stolen data has been tested. Credential pairs are run against live services using automated checkers to verify which are still active before listing. Verified pairs command higher prices because buyers are paying for confirmed access, not potential access.
By hours 24 to 48, the log is listed on a marketplace. Russian Market and 2easy dominate credential sales in 2026, with logs appearing within hours of theft and buyers able to search by company domain, software type or credential category. The listing is structured so a buyer can filter for corporate email domains, specific SaaS platforms, banking credentials or cryptocurrency exchanges. An attacker targeting your organisation searches for your domain. If any employee’s device was infected in the previous 48 hours and your domain appears in the log, the attacker buys access for between $5 and $200 depending on what the log contains.
How logs are priced and who buys them
The pricing model for infostealer logs on criminal marketplaces reflects the value of what each log contains. A basic log with consumer credentials and no verified corporate access sells for $5 to $15. A log containing verified corporate email access sells for $25 to $75. A log with confirmed access to a corporate VPN, cloud platform or identity provider commands $100 to $500. A log containing administrator credentials or privileged access to financial systems can exceed $1,000 on private channels.
The buyers are not exclusively sophisticated ransomware groups. The market is stratified. Entry-level threat actors buy consumer credential logs for account takeover fraud. Mid-tier operators buy corporate credential logs for business email compromise and financial fraud. Ransomware affiliates buy verified corporate access logs as initial access, bypassing the most technically demanding phase of an intrusion by purchasing a foothold that someone else created. Infostealers delivered via phishing rose 84% year-over-year between 2023 and 2024, with early 2025 data showing a 180% surge compared with 2023, driven partly by the growing market of buyers who want ready-made access rather than conducting their own initial access operations. Lumma Stealer, the fastest-growing infostealer in 2026, operates specifically to serve this buyer market, with subscriptions starting at $250 monthly and logs designed for immediate resale on Russian Market and 2easy.
Verizon’s 2025 Data Breach Investigations Report found that 54% of ransomware victims had domain credentials present in stealer log marketplaces before the ransomware attack. The credential exposure was detectable. The breach was the consequence of not detecting it.

Why enterprise environments are specifically targeted
Infostealers increasingly target personal and contractor devices precisely because those devices are outside the perimeter of corporate security controls.
| Device type | Security controls present | Infostealer risk |
|---|---|---|
| Managed corporate laptop | EDR agent, restricted browser policies, enforced disk encryption | Lower — harder to infect and exfiltrate from |
| Personal laptop accessing corporate SaaS | Saved passwords, active session tokens, no corporate monitoring | High — primary attack surface |
| Contractor device | Varies, often unmanaged, outside corporate MDM | High — frequently outside visibility entirely |
Analysis of 18.7 million infostealer logs from 2025 found that more than one in ten infections already contained enterprise Single Sign-On or Identity Provider credentials, with that rate climbing to 16% by late 2025 and projected to reach one in five by Q3 2026, according to SecurityBrief’s February 2026 reporting on enterprise identity exposure. Microsoft Entra ID appeared in 79% of enterprise identity logs in the dataset, reflecting how deeply centralised authentication has concentrated risk into a single credential type.
| What an SSO credential unlocks | Examples |
|---|---|
| Cloud infrastructure | AWS, Azure, GCP consoles |
| Code repositories | GitHub, GitLab, Bitbucket |
| HR and payroll systems | Workday, BambooHR, ADP |
| Customer data platforms | Salesforce, HubSpot |
| Financial applications | NetSuite, SAP, Coupa |
| Collaboration tools | Slack, Teams, Notion |
AI has accelerated the exploitation pipeline on the buyer side. Automated tools now parse, filter and prioritise credentials within large log files in seconds, replacing hours of manual analyst work and identifying high-value targets such as admin accounts, financial platforms and cloud services with high accuracy. The window between purchase and exploitation is narrowing as a result.
The detection window and what closes it
The detection window is the period between when credentials appear on a dark web marketplace and when an attacker uses them. That window runs between 24 hours and several weeks depending on the value of the credentials and the sophistication of the buyer. It is the only practical opportunity to contain the exposure before it becomes an intrusion.
Conventional enterprise security does not cover this window. EDR monitors managed devices for malicious behaviour. The infected device may be unmanaged. SIEM and SOC tools monitor internal network traffic. The dark web marketplace is external. MFA protects the moment of login. A stolen session cookie bypasses MFA entirely because the authentication already happened before the token was stolen, so the exposure lies in the token that authentication produced, not in the authentication event itself. The only controls that close the detection window are external: dark web monitoring that surfaces credential listings before attackers act on them, credential intelligence that covers the marketplaces where logs are sold, and session management controls that limit how long tokens remain valid and bind them to device posture.
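One way to implement the session controls named above, as an added example (not code from CybelAngel or any vendor product): a validator that refuses tokens issued before the user’s last reset-and-revoke timestamp and binds each token to the device posture recorded at login, so the cookie replay described earlier in the article is rejected. The in-memory stores, the posture string format and the `at()` helper are assumptions made for the demonstration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Session:
    user: str
    issued_at: datetime
    expires_at: datetime
    device_fp: str  # SHA-256 of the device posture presented at login

# Hypothetical in-memory stores standing in for the IdP's session table and per-user revocation mark.
SESSIONS: dict[str, Session] = {}
NOT_BEFORE: dict[str, datetime] = {}  # user -> instant before which all issued sessions are revoked
EPOCH = datetime.min.replace(tzinfo=timezone.utc)
T0 = datetime(2026, 2, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time for the scenario

def at(hours: float) -> datetime:
    return T0 + timedelta(hours=hours)

def device_fingerprint(posture: str) -> str:
    """Hash a posture string such as 'hostname|os|agent-version' reported by the device agent."""
    return hashlib.sha256(posture.encode()).hexdigest()

def issue_session(user: str, posture: str, now: datetime, ttl: timedelta = timedelta(hours=8)) -> str:
    """Called only after password + MFA succeeded; the returned token is what the cookie carries."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(user, now, now + ttl, device_fingerprint(posture))
    return token

def password_reset(user: str, now: datetime, revoke_sessions: bool) -> None:
    """Checklist step 1. Unless revoke_sessions is set, tokens issued earlier keep working."""
    if revoke_sessions:
        NOT_BEFORE[user] = now  # checklist step 2, done together with the reset

def validate(token: str, posture: str, now: datetime, bind_device: bool = True) -> str:
    """Return 'ok' or the reason a presented token is rejected."""
    s = SESSIONS.get(token)
    if s is None:
        return "unknown token"
    if now >= s.expires_at:
        return "expired"
    if s.issued_at < NOT_BEFORE.get(s.user, EPOCH):
        return "revoked"  # issued before the last reset that revoked sessions
    if bind_device and device_fingerprint(posture) != s.device_fp:
        return "device mismatch"  # the same cookie replayed from a different machine
    return "ok"
```

Calling `validate` with `bind_device=False` after a `password_reset(..., revoke_sessions=False)` reproduces the failure mode: the stolen cookie keeps working until it expires.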
CybelAngel’s credential intelligence monitors Russian Market, 2easy and the closed Telegram channels where infostealer logs circulate, alerting security teams when employee credentials appear in criminal infrastructure before they are used in an active intrusion. The alert is specific: which credential, which platform, which marketplace, and when it appeared.
When a credential alert fires on a dark web marketplace listing, the triage sequence is what determines whether this stays a credential incident or becomes a breach.
Credential alert response checklist:
- Force an immediate password reset on the affected account via your IdP — confirm propagation across all federated services before closing this step
- Revoke all active sessions and OAuth tokens in parallel with the password reset — OIDC session tokens and SAML assertions issued before the reset remain valid until explicitly invalidated or they expire naturally, which can be hours
- Pull authentication logs for the affected account across all integrated platforms for the 48 hours preceding the alert — the infection timestamp precedes the marketplace listing, so your window for anomalous access is wider than the alert suggests
- Check for credential reuse against your SSO, VPN and privileged access management stack — infostealer logs frequently surface the same password across multiple services and the log buyer will test all of them
- If the log contains IdP credentials (Entra ID, Okta, AWS IAM), escalate to a potential lateral movement investigation — review conditional access policies, MFA registration events and any new device registrations in the hours following the estimated infection timestamp
- Identify and triage the source device — if unmanaged, initiate an out-of-band containment workflow, since your EDR has no visibility into what else may have been exfiltrated and whether the device is still beaconing
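The lookback and reuse steps of the checklist, run over constructed sign-in events as an added example (not CybelAngel’s tooling): `triage` builds a baseline of IPs and devices seen before the 48-hour window, flags in-window events that depart from it or register a new factor, and lists the services touched so they can be reset together. The JSON-lines format, field names and timestamps are assumptions, not any IdP’s export format.

```python
import json
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(hours=48)  # the infection precedes the listing, so look back from the alert

# Constructed sample sign-in/security events (one JSON object per line), not real IdP logs.
SAMPLE_LOG = """\
{"ts":"2026-02-01T08:05:00Z","user":"alice","event":"signin","app":"m365","ip":"203.0.113.10","device":"laptop-01"}
{"ts":"2026-02-02T09:10:00Z","user":"alice","event":"signin","app":"m365","ip":"203.0.113.10","device":"laptop-01"}
{"ts":"2026-02-04T02:31:00Z","user":"alice","event":"signin","app":"vpn","ip":"198.51.100.7","device":"unregistered"}
{"ts":"2026-02-04T02:40:00Z","user":"alice","event":"mfa_register","app":"idp","ip":"198.51.100.7","device":"unregistered"}
{"ts":"2026-02-04T03:02:00Z","user":"alice","event":"signin","app":"github","ip":"198.51.100.7","device":"unregistered"}
{"ts":"2026-02-04T07:00:00Z","user":"bob","event":"signin","app":"m365","ip":"192.0.2.5","device":"laptop-07"}
"""

def parse_events(text: str) -> list[dict]:
    """Parse JSON lines; timestamps become tz-aware datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return events

def triage(events: list[dict], user: str, alert_ts: datetime) -> dict:
    """Flag activity for `user` in the 48 h before the alert that departs from the earlier baseline."""
    window_start = alert_ts - LOOKBACK
    mine = [e for e in events if e["user"] == user]
    baseline = [e for e in mine if e["ts"] < window_start]
    known_ips = {e["ip"] for e in baseline}
    known_devices = {e["device"] for e in baseline}
    findings = []
    for e in mine:
        if not window_start <= e["ts"] <= alert_ts:
            continue
        reasons = []
        if e["ip"] not in known_ips:
            reasons.append("ip not in baseline")
        if e["device"] not in known_devices:
            reasons.append("device not in baseline")
        if e["event"] in ("mfa_register", "device_register"):
            reasons.append("new factor or device registered")  # escalation trigger (checklist step 5)
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "app": e["app"], "event": e["event"], "reasons": reasons})
    return {
        "window_start": window_start.isoformat(),
        "findings": findings,
        "apps_touched": sorted({f["app"] for f in findings}),  # services to reset and revoke together (step 4)
        "escalate": any("registered" in r for f in findings for r in f["reasons"]),
    }

def run_sample() -> dict:
    alert = datetime(2026, 2, 5, 10, 0, tzinfo=timezone.utc)  # constructed alert time
    return triage(parse_events(SAMPLE_LOG), "alice", alert)
```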
FAQs
An infostealer log is a structured data archive produced by infostealer malware after it completes a collection run on an infected device. It typically contains browser-saved passwords, active session cookies, autofill data including payment card information, cryptocurrency wallet files, system metadata and screenshots. Constella’s 2026 report found that 98.6% of the 51.7 million packages processed contained active passwords and 99.54% included the specific URLs where credentials were used, giving buyers a direct map to each compromised account.
Stolen credentials are available for purchase within 24 to 48 hours of a successful infection in most documented cases. The malware exfiltrates the log within the first hour of infection, the attacker tests credential pairs against live services in the following hours, and the verified log is listed on marketplaces like Russian Market or 2easy within the same day. The window between a device being infected and the credentials being available for purchase is shorter than most security teams assume and shorter than most detection processes can respond to.
A stolen password triggers MFA at the point of login. A stolen session cookie bypasses MFA entirely because it represents an authentication that already completed legitimately. When a user logs into a corporate application and selects “stay signed in,” the browser stores a session token that proves the authentication happened. An attacker who holds that token accesses the account as if they were the authenticated user, without entering a password and without triggering any additional authentication challenge. Forcing a password reset after a credential alert does not invalidate existing session tokens unless sessions are explicitly terminated.
Pricing reflects the value of access contained in the log. Basic consumer logs with unverified credentials sell for $5 to $15. Logs with verified corporate email access sell for $25 to $75. Logs containing confirmed VPN, cloud platform or identity provider access command $100 to $500. Logs with administrator or privileged financial system credentials exceed $1,000 on private channels. Prices are set by automated checkers that verify credential validity before listing, so buyers pay for confirmed access rather than potential access.
SSO and identity provider credentials are the highest-value target in 2026 because a single credential gates access to every application the platform covers. Analysis of 18.7 million logs published in February 2026 found that one in ten infostealer infections in 2025 contained enterprise SSO credentials, with that rate climbing to 16% by late 2025. Corporate VPN credentials, cloud infrastructure console access, code repository credentials and financial platform access are the other primary targets because each provides either persistent access or high direct financial value.
A stealer log comes from a single device infected by infostealer malware and contains the credentials, session tokens and files that were present on that device at the time of infection. A breach database comes from a compromised server or application and contains the data that service stored, typically hashed or plaintext passwords for all registered users. Stealer logs are more immediately dangerous because they contain active session tokens and verified credentials from a specific user’s active accounts, whereas breach databases may contain old or inactive credentials that require cracking before use.
