A stealer log is the complete bundle of data an infostealer malware pulls from one infected device: saved passwords, live session cookies, authentication tokens, autofill records and a full system fingerprint, packaged for sale on criminal markets. Flashpoint tied 1.8 billion stolen credentials to infostealers in the first half of 2025 alone.
- Russian Market offered more than 180,000 infostealer logs for sale in H1 2025, at roughly $10 per infected device (Rapid7 Labs).
- Flashpoint counted 1.8 billion credentials stolen by infostealers in H1 2025, an 800% jump over the prior six months.
- One stealer log bundles passwords, session cookies, tokens, autofill and a device fingerprint from a single machine in one sweep (Flashpoint).
- At least 79.7% of the Snowflake accounts abused in the UNC5537 campaign had prior infostealer credential exposure (Mandiant).
- SpyCloud recaptured 17.3 billion stolen session cookies in 2024, the cookies that let a log's buyer skip the MFA prompt.
What are stealer logs?
Flashpoint tracked 11.1 million infostealer-infected devices in 2025, each spilling one of these files (Flashpoint). A stealer log is the output file an infostealer malware produces after it ransacks a device, a single archive holding everything of value it found. It isn't one leaked password; it's the contents of a person's browser and system, captured in seconds and shipped to an operator. Flashpoint describes a log as credentials, cookies, browser data, application information and host metadata collected together (Flashpoint).
The volume is what makes logs a category of their own. Flashpoint counted 1.8 billion credentials stolen from 5.8 million infected hosts in the first half of 2025, an 800% rise over the previous six months (Infosecurity Magazine). That is a live feed of fresh corporate access, refilled every day.
For a security team, the log matters more than the malware that made it. RedLine, Lumma, Vidar and StealC come and go, but each one produces the same deliverable: a ready-to-use set of your users' corporate logins. KELA logged 2.67 million infected machines in H1 2025, after 4.3 million across all of 2024 (KELA).
What's inside a stealer log?
SpyCloud recaptured 17.3 billion stolen session cookies in 2024, just one of the field types a log carries (SpyCloud). A stealer log contains far more than passwords. Unpack a typical one and you find saved logins, active sessions and enough system detail to impersonate the victim's machine. Flashpoint notes a log may carry credentials, cookies, browser data, application information, host metadata and other artifacts (Flashpoint). On a work device, that set includes SSO, VPN and cloud-console access.
- Saved browser passwords from Chrome, Edge and Firefox, paired with their exact login URLs
- Active session cookies and refresh tokens for email, SSO and cloud consoles
- Autofill records, including names, addresses and payment fields
- A system fingerprint: hostname, operating system, installed software and local IP
- Cryptocurrency wallets and, on developer machines, API keys and .env secrets
The session cookies are the dangerous part. SpyCloud recaptured 17.3 billion stolen cookies from infected devices in 2024 (SpyCloud). A live cookie represents an already-authenticated session, so a buyer can replay it and skip both the password and the MFA prompt.
Where are stealer logs bought and sold?
Stealer logs are traded on dedicated criminal marketplaces and Telegram channels, sold per device for a few dollars. Russian Market offered more than 180,000 infostealer logs for sale in the first half of 2025, listing around 30,000 fresh infected devices a month at roughly $10 each (Rapid7 Labs).
Some markets rise as others fall. Genesis Market accumulated about 135 million bot listings before an international operation seized it in April 2023 (The Record). Russian Market absorbed much of that trade, and ReliaQuest found Lumma-sourced logs made up nearly 92% of its credential-log alerts in Q4 2024, with some logs selling for as little as $2 (ReliaQuest).
The economics favor the buyer. For the price of a coffee, an attacker gets a validated corporate login and the live session to go with it, no exploit required. That is why credential-based intrusion keeps outpacing patched vulnerabilities.
How are stealer logs different from data breaches and combolists?
A stealer log comes from a live malware infection on one device, a data breach dump comes from a single compromised service holding many accounts, and a combolist is a recycled set of email-and-password pairs. Flashpoint counted 1.8 billion credentials from infostealers against 9.5 billion records from 3,104 conventional breaches in the same six months of 2025 (Infosecurity Magazine).
- Stealer log: everything from one infected device, including live cookies and tokens, freshly harvested and tied to a real person.
- Breach dump: records exfiltrated from one hacked service, often hashed passwords, frequently stale by the time they circulate.
- Combolist: an aggregated, deduplicated set of email and password pairs from older leaks, used mostly for credential stuffing.
The distinction is operational. A breach dump tells you a service was hacked; a stealer log tells you a specific employee's device is compromised right now, cookies included. That's why a log can bypass controls a breach dump can't touch.
What does a stealer-log breach look like? The Snowflake case
The 2024 Snowflake customer attacks are the clearest example. Mandiant attributed the campaign to UNC5537 and, with Snowflake, notified roughly 165 potentially exposed customer organizations (Mandiant). The attackers didn't breach Snowflake itself; they signed in with credentials pulled from infostealer logs.
The exposure had been building for years. At least 79.7% of the abused accounts had prior infostealer credential exposure, and some stolen credentials dated back to November 2020, left unrotated for as long as four years (Mandiant). The logins came from six stealer families, including Vidar, RedLine and Lumma.
How should security teams respond to stealer logs?
Treat a stealer log as an active identity compromise, not a password problem. Because the log carries live sessions, containment means revoking cookies and tokens, not just resetting passwords. Mandiant found the abused Snowflake accounts lacked enforced MFA, which is exactly the gap a stolen session sidesteps (Mandiant).
The workflow has three moves: find every exposed identity across the workforce, confirm which credentials and sessions are still valid, and revoke each one with an auditable trail. Password rotation without session revocation leaves the attacker signed in.
This outside-in exposure model is what Ashetrace is built around. You verify a domain you control, and the assessment surfaces the corporate identities sitting in circulating stealer logs, with no passwords, cookies or tokens ever changing hands.
So the question isn't whether your people show up in a stealer log. At 180,000 logs listed on a single market in six months, some already do. The useful question is how fast you can find them and cut the live sessions before a buyer does.
What are stealer logs?
A stealer log is the bundle of data an infostealer malware pulls from one infected device: saved passwords, session cookies, tokens, autofill and a system fingerprint, packaged for resale. Flashpoint tied 1.8 billion stolen credentials to infostealers in the first half of 2025, an 800% rise over the prior six months.
What information does a stealer log contain?
A log holds saved browser passwords with their login URLs, active session cookies and refresh tokens, autofill records, a device fingerprint, and often crypto wallets or API keys. SpyCloud recaptured 17.3 billion stolen cookies from infected devices in 2024, the live sessions that let a buyer bypass MFA.
Where are stealer logs sold?
Stealer logs trade on criminal marketplaces and Telegram channels, priced per device. Russian Market offered over 180,000 logs in H1 2025 at roughly $10 each (Rapid7 Labs). Genesis Market accumulated about 135 million bot listings before its April 2023 takedown, per The Record.
How are stealer logs different from a data breach?
A stealer log comes from live malware on one device and carries fresh cookies and tokens, while a breach dump is records exfiltrated from one hacked service, often stale. Flashpoint counted 1.8 billion infostealer credentials against 9.5 billion breach records across 3,104 breaches in the same six months of 2025.
Can a password reset fix a stealer log?
No. A reset invalidates the password, but the stolen session cookie is a separate credential that stays valid until it expires or is revoked. SpyCloud recaptured 17.3 billion cookies in 2024, and Mandiant found abused Snowflake accounts lacked MFA, so revoke sessions too.
- Mandiant (Google Cloud), UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion (2024)
- Rapid7 Labs, Inside Russian Market: Uncovering the Botnet Empire (2025)
- ReliaQuest, The Infostealer Pipeline: Stolen-Credential Attacks and the Russian Marketplace (2025)
- The Record (Recorded Future News), Genesis Market Takedown (2023)
- KELA, Over 3,600 Ransomware Victims and 2.67 Million Infostealer Infections in H1 2025 (2025)
- Infosecurity Magazine, Staggering 800% Rise in Infostealer Credential Theft (2025)
- Flashpoint, The Proactive Defender's Guide to Infostealers (2025)
- SpyCloud, 2025 Identity Exposure Report (2025)
Start here
See what is still exposed in your environment
Verify a corporate domain and get a scoped exposure assessment. No passwords, cookies or tokens handed over.
Request an exposure assessment