The Practical OSINT Newsletter. Issue #4.

Streamline your investigations with breached data. Learn how to use stealer logs ethically for OSINT.

How to use stealer logs for OSINT investigations

Would you like to increase the success rate of your digital investigations? If yes, then you should be flexible and use various sources. One of those sources is stealer logs – information obtained by malicious software that records the activity of the infected computer.

Wait, isn't it illegal? It is a grey area for investigators, but you can legally obtain this data. Companies providing such information usually verify their customers to ensure such sensitive data goes into the right hands.

Done in the right way, the use of stealer logs can open avenues you didn't have before and help solve your investigation.

What are stealer logs?

Stealer log data refers to the information collected by “stealer malware” installed on an infected computer. These logs capture the device’s activity to exfiltrate sensitive information. The specific data recorded depends on the infostealer family. Below is a comprehensive list of what they might capture.

What do stealer logs reveal?

Because stealers record various types of data and package it into a structured folder, you can review the activity of the computer over time and connect various digital identifiers found in these logs. Therefore, stealer logs can provide direct links between email addresses, usernames, and other selectors. By leveraging these connections, you can pivot to other platforms and build a more complete picture of your investigation.

The structure of the folder and data it contains depends on the stealer log family. Here is a typical structure:

Typical Structure of Files in Stealer Logs by YoKoKho.

Handling raw data from a stealer is typically a task for advanced professionals. The folders need to be organized into a searchable database and properly indexed. That process requires technical skills. However, some services already host stealer logs in structured, searchable web interfaces.

Who uses stealer logs?

  • Investigators – use stealer logs to enrich breach data with extra details like machine names, IPs, geolocation, and autofill records, helping them connect multiple accounts or identities to the same person.
  • Law Enforcement – use stealer logs to pivot on this information and unmask aliases, trace financial activity, and link victims or suspects across different breaches and criminal cases.
  • Offensive Security teams – use stealer logs to simulate how real attackers operate. This helps reveal weaknesses that may otherwise remain hidden.
  • Defensive Security teams – analyze stealer logs to detect compromised accounts, strengthen defenses, and respond to active infections.
  • Threat Hunters – use stealer logs to trace malware distribution methods, map threat actor infrastructure, and build timelines of compromise.

Where to get stealer logs?

Directly obtaining stealer logs from underground markets or criminal forums is illegal because they contain stolen personal data (credentials, cookies, payment information). Commercial vendors, by contrast, redact stealer logs, comply with regulations, and vet their customers — making them a more lawful route to obtain such data. Below are companies that provide these services:

  • Darkside – a constantly growing repository with tens of billions of compromised records and other person of interest data collected from the Deep and Dark Web.
  • Infostealers.info – an intelligence platform by Alerts Bar Inc. and Farnsworth Intelligence. The platform has indexed millions of darknet-exposed infostealer logs and made them searchable.
  • Hudson Rock – a cutting-edge infostealer log platform that allows investigators not only to view raw stealer data but also to analyse it using AI. The platform visually represents how the victim was infected and includes a chatbot that helps research raw stealer log data.

Infostealers.info is a more affordable, pay-as-you-go option without subscriptions. This solution is likely more suitable for solo investigators and small businesses. Here is what the interface of this platform looks like:

Infostealers.info search screen (screenshot taken from the product demo on YouTube).

You can also perform a free check to see if you were compromised by infostealers using Hudson Rock tools. For a more comprehensive analysis you have to access Cavalier by Hudson Rock. Here is what its dashboard looks like:

Cavalier by Hudson Rock.

They have an AI integration that builds a visual timeline of infection and produces an automated report:

AI infection analysis in Cavalier.

On top of the AI report, they offer a chatbot that allows users to ask questions about raw stealer log data through a conversational interface:

Enki AI Investigator in Cavalier.

Darkside complies with U.S. DOJ standards and has been helpful in many high-profile cases. It excels at indexing complex data and returning results through various search parameters. This is a higher-end, premium-priced solution. Here is what their interface looks like:

Darkside by District 4 Labs. Stealers search page.

You can open each search result to view more details:

Darkside by District 4 Labs. Stealers search result details.

You can also view details about a specific stealer family. The image below shows total logins, hosts, email addresses, and other data collected by the Redline stealer.

Darkside by District 4 Labs. Stealer family details.

District 4 Labs goes the extra mile, extracting all possible personally identifiable information (PII) from every stealer log. I don't usually recommend product demos, as they are often salesy, but Matteo Tomasini did a great job explaining what stealer logs are, how to use them, and the capabilities of his tool. I recommend watching "Leveraging Compromised Credentials in OSINT and DarkINT Investigations".

How to use stealer logs?

Using commercial providers, it’s fairly easy to navigate through stealer logs. All you need to do is enter a search query and review the results in the table. The interfaces of these providers are generally similar. It’s the analysis and validation of the data that require the most time and effort.

When working with infostealer data, you might come across false positives, i.e., matches for your search queries that are unrelated to the subject. For example, common usernames can return many results, since different people may use the same username across various online services.

Also, if you find unique selectors (such as emails or phone numbers) in a stealer log, it doesn’t necessarily mean the infected machine belongs to your subject. It’s possible that your subject used their credentials on a guest machine, or that another person used those same credentials on their own infected device. Always verify and cross-reference your findings.
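To make the two points above concrete, the indexing task described earlier (turning one folder per infected machine into a searchable selector database) and the false-positive caveat just discussed, here is an added example in Python. It is not code from the newsletter or from any of the vendors named on this page. The folder layout (a System.txt and a Passwords.txt per machine), the URL/USER/PASS record format, the sample machines and the confidence labels are all assumptions constructed for this example, not any real stealer family's format. In line with the "extract only what's necessary" advice later on the page, the indexer never reads the PASS field: linking identities needs only the service and the username.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample logs (assumed layout and record format, not a real family's).
SAMPLE_LOGS = {
    "HOST-A/System.txt": "Computer: DESKTOP-A\nIP: 203.0.113.10\nCountry: NL\n",
    "HOST-A/Passwords.txt": (
        "URL: https://mail.example.com/login\nUSER: alice@example.com\nPASS: sample-not-a-secret\n\n"
        "URL: https://forum.example.net/\nUSER: john\nPASS: sample-not-a-secret\n"),
    "HOST-B/System.txt": "Computer: LAPTOP-B\nIP: 198.51.100.7\nCountry: DE\n",
    "HOST-B/Passwords.txt": (
        "URL: https://shop.example.org/account\nUSER: john\nPASS: sample-not-a-secret\n\n"
        "URL: https://bank.example.org/\nUSER: Alice@example.com\nPASS: sample-not-a-secret\n"),
    "HOST-C/System.txt": "Computer: PC-C\nIP: 192.0.2.44\nCountry: FR\n",
    "HOST-C/Passwords.txt": (
        "URL: https://chat.example.com/\nUSER: +31612345678\nPASS: sample-not-a-secret\n\n"
        "URL: https://forum.example.net/\nUSER: carol_99\nPASS: sample-not-a-secret\n"),
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")

def write_sample_logs(root: Path) -> None:
    # Materialise the constructed sample so the indexer walks a real folder tree.
    for rel, text in SAMPLE_LOGS.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")

def parse_system(text: str) -> dict:
    # "Key: value" lines -> lower-cased dict (computer, ip, country, ...).
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip().lower()] = value.strip()
    return info

def parse_credentials(text: str) -> list:
    # Blank-line separated records -> (domain, username) pairs.
    # Only URL and USER are read; the PASS field is never parsed or stored.
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if key.strip().upper() in ("URL", "USER"):
                fields[key.strip().upper()] = value.strip()
        url, user = fields.get("URL"), fields.get("USER")
        if url and user:
            records.append(((urlparse(url).hostname or url).lower(), user.lower()))
    return records

def index_logs(root: Path) -> dict:
    # One folder per machine -> machine metadata plus selector -> {machine: services}.
    machines, selectors = {}, defaultdict(lambda: defaultdict(set))
    for machine_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        sys_file, cred_file = machine_dir / "System.txt", machine_dir / "Passwords.txt"
        machines[machine_dir.name] = parse_system(sys_file.read_text()) if sys_file.exists() else {}
        if cred_file.exists():
            for domain, user in parse_credentials(cred_file.read_text()):
                selectors[user][machine_dir.name].add(domain)
    return {"machines": machines, "selectors": selectors}

def selector_kind(selector: str) -> str:
    if EMAIL_RE.match(selector):
        return "email"
    return "phone" if PHONE_RE.match(selector) else "username"

def pivot(index: dict, selector: str) -> dict:
    # A bare username is a weak link (many people share it). A unique selector is
    # stronger, but when it appears on several machines none of them can be
    # attributed to the subject without cross-referencing other sources.
    selector = selector.lower()
    hits, kind = index["selectors"].get(selector, {}), selector_kind(selector)
    if not hits:
        confidence = "none"
    elif kind == "username":
        confidence = "low"
    else:
        confidence = "medium" if len(hits) == 1 else "medium-needs-cross-reference"
    machines = {name: {"ip": index["machines"][name].get("ip"),
                       "country": index["machines"][name].get("country"),
                       "services": sorted(domains)} for name, domains in hits.items()}
    return {"selector": selector, "kind": kind, "confidence": confidence, "machines": machines}

def demo() -> dict:
    # Build the sample tree in a temp dir, index it, and pivot on four selectors.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_logs(root)
        index = index_logs(root)
        return {s: pivot(index, s) for s in ("alice@example.com", "john", "+31612345678", "nobody")}

if __name__ == "__main__":
    for sel, res in demo().items():
        print(f"{sel:20} {res['kind']:9} {res['confidence']:30} {sorted(res['machines'])}")
```

Running the script shows the three situations the text warns about: "john" hits two unrelated machines and is rated low because the username is common; "alice@example.com" also hits two machines, so even though the selector is unique, the rating says a cross-reference is still required before either machine is tied to the subject; the phone number on a single machine is the cleanest lead. The same approach extends to the other artefacts on the page (autofill records, cookies, machine names) by adding a parser per file and feeding its selectors into the same index.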

Once you have obtained selectors (emails, phone numbers, usernames, etc.) from stealer logs, you have to enrich them. This means uncovering who is behind those anonymized digital breadcrumbs. A great tool for the job is OSINT Industries. You can apply for a free enterprise trial to streamline your investigations with 100% accurate search results.

Stealer logs cases

Data breach solved

A friend of MJ Banias asked for help investigating the login attempts on his company’s admin panel. Using stealer logs, MJ managed to track down the breached credentials for the admin panel. He also uncovered where the breach happened, with a plot twist, of course. Read a Free OSINT Lesson: How Your "Friend with Benefits" Became an Insider Threat to find out more.

From email to address

A client scammed out of $5,000 in Europe asked Farnsworth Intelligence to help track down the fraudster. They ran the subject’s email through their own infostealer data and found a stealer log linked to the email. That log revealed the subject’s current residential address and full digital footprint, tying them to the fraud. What had been a cold case was suddenly cracked wide open, as Aidan describes in his LinkedIn post.

CSAM consumers exposed

Insikt Group analyzed infostealer malware data and identified 3,324 users with accounts on known CSAM sources, 4.2% of whom were tied to multiple sites. The study shows how infostealer logs can help law enforcement uncover CSAM activity. This is especially relevant on the dark web — a challenging area to investigate. Check the Recorded Future report for more insights.

Looking for CSAM consumers

Aaron Roberts demonstrated how stealer logs can be leveraged to trace CSAM consumers. By pivoting from partial URLs linked to CSAM domains, he enriched the data with email addresses and social media profiles to surface potential suspects. I recommend reading To Catch a Predator: Using Stealer Logs to Identify Abusers, where he explains the investigative methodology step by step.

Conclusion

As I mentioned before, there is a legal question surrounding this approach. Even if law enforcement cannot fully rely on stealer logs, they can still use them as leads to uncover new data that may be admissible in court.

The main advantage of stealer logs is that they provide device-level insights that go far beyond traditional hacked databases. Individuals exposed in such breaches likely never anticipated this information becoming public, which can reveal more shady activities of the subject under investigation. However, because this data is extremely sensitive, it is important to handle it with professional integrity.

Don’t use stolen passwords or 2FA tokens to log in to personal accounts. Extract only what’s necessary and analyze the data in a controlled environment. Use a hardened environment (a VM or an air-gapped device) to store and process stealer logs. Raw stealer log archives may contain malware or sensitive data, so be careful not to expose yourself or accidentally leak information.


Now that I have covered the main topic of the newsletter, let's move on to the recent developments in the OSINT community.

Insightful articles

Our Medium publication is going to reach 15,000 followers soon, as we continue to educate investigators on a global scale. Not only do our authors create insightful articles, but they also make a real-world impact. They uncover regimes avoiding sanctions and unmask most wanted cybercriminals.

I'm thankful to every author for sharing valuable skills and helping make the world a safer place. You are awesome!

Videos worth watching

Sometimes it's good to revisit the basics. This video answers the most frequently asked questions about OSINT in a way even a 5-year-old could understand.


I like videos packed with insights. One of them recently surfaced in the OSINT subreddit, and I wonder why I didn’t watch it sooner. The value Craig Pedersen delivers in just 30 minutes of his talk is incredible.


Discover essential OSINT tools for TikTok investigations. Nathaniel Fried demonstrates how to track activity, gather evidence, and analyze video content.


Creators are rising

We’re seeing a wave of content creators stepping into the OSINT space.

Gary Rudell has been recording educational content for a while and recently started a vlog. The intelligence world has traditionally felt very closed off. Now, creators are opening up and sharing not just their skills but also parts of their daily lives. This shift highlights an important point: building a strong brand isn’t only about expertise. It’s also about personality and authenticity.

Want to build a strong brand? Read my in-depth guide:

How to build a profitable brand? Secrets of personal and corporate branding.
What is a brand, and how do you build one? Learn in-depth corporate and personal branding strategies that go beyond social media. Use this blueprint to grow your audience and increase revenue.

Many well-known companies have started podcasts and newsletters. Instead of the usual sales talk, they now focus on sharing insights.

Jake Creps has relaunched his podcast, bringing his expert voice to the growing mix of OSINT conversations.

Jake's podcast covers a variety of topics related to OSINT

Online platforms are getting unstable

Facebook temporarily removed the post search, which triggered a strong negative reaction, as many investigators relied on it. Fortunately, some time ago Henk van Ess developed Who Posted What. It can serve as an alternative to Facebook’s native search. The Facebook post search was unavailable for a couple of days but has been restored.

That reminds me of the Google filetype operator not working in February 2024. Users who heavily relied on the operator for work, research, or personal use were unable to perform precise file searches. Similar to the Facebook case, it was a short-term bug that was eventually fixed.

Established platforms are starting to malfunction more frequently. We’ve always seen platforms restrict API calls, block scraping, and use similar tightening tactics. If you’re a tool developer, you know how frustrating that can be. What looks relatively new, though, are the random issues that last for two or three days and then disappear. Therefore, my advice:

Don’t rely too much on tools. Understand the methodology behind the process to reproduce results.

OSINT meme

Interested in learning "Elvish"? Watch a YouTube tutorial. It can be useful when working with raw stealer logs or other cases involving unstructured data.

OSINT Team updates

Currently, I'm working on a platform that will allow users to search for and compare OSINT tools easily. Are you tired of unstructured OSINT lists, broken links, and outdated resources? I'm on a mission to create a platform where you can find the right tool in just a few clicks.

As an early prototype, I’ve created the OSINT Tools comparison matrix. Investigators already use it to store and compare OSINT tools, while tool developers add theirs to increase visibility and expand their user base.

Email at hi@m.osintteam.com with your tool suggestions.

Get more insights on our socials

I publish this newsletter once every three months. If you’d like to receive OSINT insights more frequently, follow us on our socials. We’re more active there and share bite-sized OSINT tips.

LinkedIn: linkedin.com/company/osintteam/

X: x.com/OsintTeamBlog

Best regards,

Petro.