DEEP DIVE

Inside the stealer log economy

From RedLine to Lumma: how harvested credentials are packaged, traded, and weaponized within hours.

What is a stealer log?

A stealer log is the structured output of an info-stealer infection on a single device. It typically contains saved browser credentials, autofill data, session cookies, crypto wallet files, a machine fingerprint, and screenshots. A single log can represent dozens of corporate identities (VPN, email, code hosting, cloud consoles, internal SSO) in one bundle.

The economically important property is that one log usually grants access to many systems: most users sign in to personal and work services from the same browser profile, so the saved passwords and live cookies for both end up in the same set of files.

Families & ecosystem

We track six dominant stealer families this quarter; the top three (RedLine, Lumma, and Vidar) account for the majority of new logs we observe. Operators sell the malware as a service: a flat monthly fee unlocks the builder, exfiltration servers, and a control panel for triaging logs, so an affiliate needs no infrastructure of their own.

  • RedLine: long-running family with mature panels.
  • Lumma: fast feature iteration; popular with affiliates in 2025–2026.
  • Vidar: broad telemetry collection, common in malspam.
  • StealC, Meta, Aurora: smaller share but active.

Lifecycle of a log

  1. Infection: typically via cracked software, fake installers, or malvertising.
  2. Exfil: the log is uploaded to the operator's panel within seconds to minutes of infection.
  3. Triage: the operator (or buyer) skims the log for high-value targets.
  4. Resale: fresh logs are auctioned in private channels; bulk goes to combo-list resellers.
  5. Use: the buyer attempts session takeover, account compromise, or token replay.

The whole pipeline routinely closes within hours: we've measured infection-to-resale times under 2 hours for premium "fresh" logs and under 24 hours for bulk channels.

Packaging & pricing

Logs are sold in three rough tiers. Fresh single logs from "high-value geos" sell for $10–$50. Curated bundles (e.g., "100 fresh US logs, banking included") trade for a few hundred dollars. Bulk dumps (10k–1M logs) sell for cents per log and are typically the source of mass credential stuffing.

Pricing is set by recency, geography, presence of cookies/sessions, and whether a target is on the buyer's "want list" (e.g., banking, FAANG corporate domains, cloud consoles).

Weaponization paths

  • Session hijack: stolen session cookies are imported into an attacker-controlled browser; the service sees an already-authenticated session, so MFA is never prompted.
  • Account takeover: the same password is tried on other services where the user reused it.
  • Initial access: VPN/SSO logins are resold to ransomware affiliates.
  • Crypto theft: wallet files and browser-extension wallet data are exported and drained.
  • BEC pivot: corporate mailbox access is used for payment fraud.
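The session-hijack path above works because possession of the cookie is the only thing the server checks. The following is an added example, not code from this article or any vendor, modelling that weakness beside the fix that the token-bound sessions control relies on. It is deliberately simplified: real device-bound session credentials use an asymmetric key kept in hardware and the server stores only the public half; here an HMAC key that never leaves the Device object stands in for it (the server keeps a copy at enrolment), and each proof covers a one-shot server nonce so a captured proof cannot be replayed either. All class and function names are assumptions.

```python
"""Why a stolen session cookie replays, and why a device-bound one does not.

Added example, not code from the article or any vendor. HMAC with a shared
key stands in for the asymmetric device key of real token binding.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


class Device:
    """The user's browser/OS. Its key never leaves the object."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # stand-in for a TPM-backed private key

    def enrol(self) -> bytes:
        return self._key  # stand-in for exporting the public key at login

    def prove(self, cookie: str, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce + cookie.encode(), hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self.sessions: dict[str, bytes | None] = {}  # cookie -> bound key (None = classic)
        self.nonces: set[bytes] = set()

    def login(self, bind_key: bytes | None = None) -> str:
        # Assume MFA already succeeded: everything below is post-authentication.
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = bind_key
        return cookie

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.nonces.add(nonce)
        return nonce

    def request(self, cookie: str, proof: bytes | None = None, nonce: bytes | None = None) -> bool:
        if cookie not in self.sessions:
            return False
        key = self.sessions[cookie]
        if key is None:
            return True  # classic cookie: possession alone is enough, so replay works
        if nonce not in self.nonces:
            return False  # unknown or already consumed nonce
        self.nonces.discard(nonce)  # one-shot
        expected = hmac.new(key, nonce + cookie.encode(), hashlib.sha256).digest()
        return proof is not None and hmac.compare_digest(expected, proof)


def classic_cookie_replays() -> bool:
    """Stealer copies the cookie jar; the attacker's machine is accepted as the user."""
    srv = Server()
    cookie = srv.login()        # no binding, as on most sites today
    stolen = cookie             # exfiltrated inside the log
    return srv.request(stolen)  # attacker's browser: accepted


def bound_cookie_outcomes() -> tuple[bool, bool, bool]:
    """Returns (victim device accepted, attacker with stolen cookie accepted, replayed proof accepted)."""
    srv = Server()
    victim = Device()
    cookie = srv.login(bind_key=victim.enrol())

    nonce = srv.challenge()
    victim_ok = srv.request(cookie, victim.prove(cookie, nonce), nonce)

    attacker = Device()         # holds the stolen cookie but a different key
    nonce = srv.challenge()
    attacker_ok = srv.request(cookie, attacker.prove(cookie, nonce), nonce)

    nonce = srv.challenge()
    proof = victim.prove(cookie, nonce)
    srv.request(cookie, proof, nonce)              # victim's legitimate request
    replay_ok = srv.request(cookie, proof, nonce)  # same proof captured and resent
    return victim_ok, attacker_ok, replay_ok


if __name__ == "__main__":
    print("classic cookie replay accepted:", classic_cookie_replays())
    print("bound cookie (victim, attacker, replay):", bound_cookie_outcomes())
```

The design point is that the server never accepts the cookie on its own once a session is bound: every request must carry a fresh proof of possession of the device key, so the cookie in the stealer log is worthless without the machine it came from.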

Defensive controls that work

  1. Token-bound sessions: bind the cookie to a key held on the issuing device (device-bound session credentials, token binding) so a cookie copied to another machine is rejected.
  2. Phishing-resistant MFA: passkeys and FIDO2 instead of OTP. This stops credential reuse but not replay of an already-authenticated session, so pair it with item 1 and short session lifetimes.
  3. Continuous identity exposure monitoring: detect logs containing your domains within hours, not weeks, to keep pace with the resale timeline above.
  4. Browser hygiene policy: disable saved passwords on managed devices; enforce credential vaulting.
  5. Auto-rotation on detection: wire your exposure feed into an SSO that can force resets at scale, and revoke active sessions and refresh tokens in the same step; a password reset alone leaves stolen cookies valid until they expire.
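Controls 3 and 5 only work if the feed of exposed logs can be turned into per-identity decisions quickly. The following is an added example (not the article's or the vendor's code) that does that for one log in the structure described at the top of the piece: it parses a constructed credential dump and cookie file in the layout such families typically drop, keeps only entries on a watched domain, and decides per identity whether a password reset is enough or whether live sessions must also be revoked. The file layouts are an approximation (real field names and separators vary by family and version), and the domain names, watch list and high-value hostname prefixes are all assumptions.

```python
"""Triage one stealer log against a watch list and plan the response.

Added example; not code from the article's vendor. File layouts, domains,
watch list and high-value prefixes are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed "Passwords.txt" from one infected host: work and personal
# logins side by side, which is what makes a single log worth buying.
SAMPLE_PASSWORDS = """\
URL: https://vpn.example-corp.com/remote/login
Username: jdoe
Password: Winter2026!
===============
URL: https://git.example-corp.com/users/sign_in
Username: jdoe
Password: Winter2026!
===============
URL: https://shop.example-store.net/account
Username: jane.doe@example-mail.net
Password: pass1234
===============
"""

# Constructed "Cookies.txt" in Netscape format (tab-separated):
# domain, include_subdomains, path, secure, expiry (unix seconds), name, value
SAMPLE_COOKIES = (
    "# Netscape HTTP Cookie File\n"
    ".example-corp.com\tTRUE\t/\tTRUE\t1900000000\tsso_session\tdeadbeef\n"
    ".example-store.net\tTRUE\t/\tTRUE\t1900000000\tcart\tcafebabe\n"
)

WATCHED_DOMAINS = {"example-corp.com"}                        # assumed: the defender's domains
HIGH_VALUE_PREFIXES = ("vpn.", "sso.", "console.", "mail.")  # assumed "want list" hosts


@dataclass(frozen=True)
class Credential:
    url: str
    username: str
    password: str

    @property
    def host(self) -> str:
        return (urlsplit(self.url).hostname or "").lower()


def parse_passwords(text: str) -> list[Credential]:
    """Split the dump on separator lines and pull the labelled fields out of each block."""
    creds = []
    for block in re.split(r"^=+[ \t]*$", text, flags=re.M):
        fields = dict(re.findall(r"^(URL|Username|Password):[ \t]*(.*)$", block, flags=re.M))
        if "URL" in fields:
            creds.append(Credential(fields["URL"], fields.get("Username", ""), fields.get("Password", "")))
    return creds


def parse_cookies(text: str, now: int) -> dict[str, list[str]]:
    """Map cookie domain (leading dot stripped) to names of cookies still valid at `now`."""
    live: dict[str, list[str]] = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if line.startswith("#") or len(parts) != 7:
            continue
        domain, _, _, _, expiry, name, _ = parts
        if int(expiry) > now:
            live.setdefault(domain.lstrip(".").lower(), []).append(name)
    return live


def watched_domain(host: str, watched: set[str]) -> str | None:
    """Exact or subdomain match; 'example-corp.com.evil.net' must not match."""
    return next((d for d in watched if host == d or host.endswith("." + d)), None)


@dataclass(frozen=True)
class Hit:
    host: str
    username: str
    live_cookies: tuple[str, ...]
    priority: str
    actions: tuple[str, ...]


def triage(passwords: str, cookies: str, watched: set[str], now: int) -> list[Hit]:
    """Keep only credentials on watched domains and decide the response for each."""
    cookie_map = parse_cookies(cookies, now)
    hits = []
    for cred in parse_passwords(passwords):
        dom = watched_domain(cred.host, watched)
        if dom is None:
            continue  # personal logins in the same log are not ours to act on
        live = list(cookie_map.get(dom, []))
        if cred.host != dom:
            live += cookie_map.get(cred.host, [])
        # A reset alone leaves stolen cookies valid; live sessions must be revoked too.
        actions = ["force_password_reset"]
        if live:
            actions.append("revoke_sessions_and_refresh_tokens")
        high_value = cred.host.startswith(HIGH_VALUE_PREFIXES)
        if high_value:
            actions.append("notify_incident_response")
        priority = "high" if live or high_value else "normal"
        hits.append(Hit(cred.host, cred.username, tuple(live), priority, tuple(actions)))
    # Most actions first: a live VPN/SSO session is what a buyer replays first.
    return sorted(hits, key=lambda h: (-len(h.actions), h.host))


if __name__ == "__main__":
    for hit in triage(SAMPLE_PASSWORDS, SAMPLE_COOKIES, WATCHED_DOMAINS, now=1_750_000_000):
        print(hit)
```

Run against the constructed sample, the personal shop login is dropped, both corporate entries come back with a live SSO cookie and therefore a session-revocation action, and the VPN host is escalated. Passing a `now` past the cookie expiry shows the other branch: the same credentials then need only a reset. In production the `actions` tuple would drive calls into the identity provider rather than a print.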

See exposure for your domain

Run a free scoped exposure check against the domains and brands you care about. We'll show you live signal in a 30-minute call.

Book a check