
Caught in the Net: Using Infostealer Logs to Unmask CSAM Consumers


Summary

In this proof-of-concept report, Recorded Future’s Identity Intelligence analyzed information-stealing malware data to identify consumers of child sexual abuse material (CSAM). Approximately 3,300 unique users were identified with accounts on known CSAM sources. A notable 4.2% of these had credentials for multiple sources, suggesting a higher likelihood of criminal behavior. The study reveals how information-stealing logs can help investigators track CSAM activity on the dark web. The data has been forwarded to law enforcement for further action.


Background

Infostealer malware steals sensitive user information, such as login credentials, cryptocurrency wallets, payment card data, operating system information, browser cookies, screenshots, and autofill data. Common distribution methods include phishing, spam campaigns, fake update websites, SEO poisoning, and malvertising. A popular infection vector is “cracked” software marketed to users looking to illegally obtain licensed software. The stolen data, called “infostealer logs,” often ends up on dark web sources where cybercriminals can purchase it, potentially giving them access to networks or systems.

The anonymity offered by Tor-based websites with .onion domains facilitates the production and consumption of child sexual abuse content. Studies show that while only a small percentage of .onion websites host child sexual abuse content, the majority of browsing activity on the dark web targets these sites.

Methodology

In this proof-of-concept report, Recorded Future’s Identity Intelligence leveraged information-stealing malware data to identify consumers of child sexual abuse material (CSAM), surface additional sources, and uncover geographic and behavioral trends. Our high-confidence assessments stem from the nature of the infostealer log data and subsequent research.

Case studies of three individuals with accounts on multiple sources of child sexual abuse material suggest that holding multiple CSAM accounts may indicate a higher likelihood of committing crimes against children. This study demonstrates that infostealer logs can help law enforcement track child exploitation on the dark web, an area that is otherwise difficult to monitor. All relevant findings were reported to law enforcement.

Our research involved creating a list of known, high-fidelity CSAM domains and querying data from Recorded Future Identity Intelligence to identify users with credentials for those domains. Insikt Group, working with nonprofits like the World Childhood Foundation and the Anti-Human Trafficking Intelligence Initiative (ATII), expanded this list by querying the Recorded Future Intelligence Cloud. This iterative process identified additional sources of CSAM.

Insikt Group then queried Recorded Future’s Identity Intelligence, which provides real-time access to infostealer logs, for authentication records linked to known CSAM sources from February 2021 to February 2024. Deduplication was performed by comparing operating system usernames and PC names.
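The pipeline described in the methodology (a watchlist of domains, a credential-record query against it, deduplication on operating system username plus PC name, and a count of identities holding accounts on more than one source) reduced to a small offline script. This is an added illustration, not Insikt Group's or Recorded Future's tooling; the record fields, the watchlist hostnames and the sample records are all constructed placeholders I chose for the example, and the domain-matching rule (exact host or subdomain) is my assumption.

```python
"""Added example, not the report's code: the methodology above as a tiny
offline pipeline over constructed infostealer-log records.

Assumptions (mine, not the report's): each parsed record is a dict with the
fields a stealer log typically exposes (url, login, os_user, pc_name,
country); the watchlist is a set of hostnames. All hostnames and records
below are constructed placeholders.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed watchlist standing in for the "known, high-fidelity CSAM
# domains" list; a real investigation would populate this from vetted
# partner data, never from guesswork.
WATCHLIST = {
    "placeholder-source-a.onion",
    "placeholder-source-b.onion",
    "placeholder-source-c.onion",
}

# Constructed sample records in the shape of parsed credential entries.
# The third record is a deliberate duplicate of the first (same machine,
# same site) to show the dedup step collapsing it.
SAMPLE_LOGS = [
    {"url": "http://placeholder-source-a.onion/login", "login": "user1",
     "os_user": "alice", "pc_name": "DESKTOP-1", "country": "US"},
    {"url": "http://placeholder-source-b.onion/", "login": "user1x",
     "os_user": "alice", "pc_name": "DESKTOP-1", "country": "US"},
    {"url": "http://placeholder-source-a.onion/login", "login": "user1",
     "os_user": "Alice", "pc_name": "desktop-1", "country": "US"},
    {"url": "https://shop.example.com/account", "login": "bob",
     "os_user": "bob", "pc_name": "PC-2", "country": "BR"},
    {"url": "http://placeholder-source-c.onion/members", "login": "carol",
     "os_user": "carol", "pc_name": "LAPTOP-3", "country": "DE"},
    {"url": "http://sub.placeholder-source-c.onion/x", "login": "dave",
     "os_user": "dave", "pc_name": "PC-4", "country": "US"},
]


def matched_domain(url, watchlist):
    """Return the watchlist domain the URL belongs to (exact host or a
    subdomain of it), or None when the credential is for an unrelated site."""
    host = (urlparse(url).hostname or "").lower()
    for domain in watchlist:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def build_identities(logs, watchlist=WATCHLIST):
    """Map each deduplicated machine identity to the set of watchlist domains
    it holds credentials for. The dedup key follows the report: OS username
    plus PC name, normalised for case so casing differences do not split one
    machine into two identities."""
    identities = defaultdict(set)
    for rec in logs:
        domain = matched_domain(rec["url"], watchlist)
        if domain is None:
            continue  # credential for a site outside the watchlist
        key = (rec["os_user"].lower(), rec["pc_name"].upper())
        identities[key].add(domain)
    return dict(identities)


def summarize(logs, watchlist=WATCHLIST):
    """Produce the headline statistics the report describes: unique
    identities, how many hold accounts on more than one source, that share,
    and a per-source identity count."""
    identities = build_identities(logs, watchlist)
    multi = {k: v for k, v in identities.items() if len(v) > 1}
    per_source = defaultdict(int)
    for domains in identities.values():
        for domain in domains:
            per_source[domain] += 1
    share = round(len(multi) / len(identities), 4) if identities else 0.0
    return {
        "unique_identities": len(identities),
        "multi_source_identities": len(multi),
        "multi_source_share": share,
        "per_source": dict(per_source),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOGS).items():
        print(f"{k}: {v}")
```

On the constructed sample this yields three unique identities, one of which (alice/DESKTOP-1) holds credentials for two sources, mirroring the report's "multiple sources" metric; the subdomain match shows why hostname normalisation matters before matching against a watchlist, since the same site can appear under several hosts in stealer logs.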

Results

Insikt Group identified 3,324 unique identifiers used to access known child sexual abuse content websites. This data allowed us to gather statistics about individual sources and users, including their usernames, IP addresses, and system information. This detailed data helps law enforcement understand the infrastructure of child sexual abuse content websites, uncover techniques used by consumers of child sexual abuse content to mask their identities, and identify potential consumers and producers of child sexual abuse content.

In three case studies, Insikt Group used data from infostealer logs and open-source intelligence (OSINT) to identify two individuals and found additional digital artifacts, including cryptocurrency addresses, belonging to a third individual.

The PoC study shows that infostealer logs can be used to identify CSAM consumers, as well as new sources and trends in CSAM communities.

As cybercriminal demand for infostealer logs and malware-as-a-service (MaaS) ecosystems continues to grow, Insikt Group anticipates that infostealer log datasets will continue to provide current and evolving insights into CSAM consumers.

To read the full analysis, click here to download the report in PDF format.