3 July 2024

Infostealer logs can help identify visitors of child abuse websites


Cybersecurity firm Recorded Future said it has identified thousands of credentials linked to child sexual abuse material (CSAM) websites within info-stealer logs sold on the dark web.

The researchers have managed to trace these individuals through credentials harvested by info-stealer malware. Typically designed to steal login details for banking services, info-stealer malware also captures credentials for other accounts, including those on .onion websites known for trafficking CSAM. Despite the Tor network's anonymity measures, these logs provide a link between anonymous CSAM website users and their accounts on clear web platforms like Facebook, where real names and personal details are often used.

Info-stealer malware collects sensitive data such as login credentials, cryptocurrency wallets, payment card information, OS details, browser cookies, screenshots, and autofill data. Distribution methods include phishing, spam campaigns, fake update websites, SEO poisoning, and malvertising, with “cracked” software being a popular infection vector.

Recorded Future collaborated with non-profit organizations like the World Childhood Foundation and the Anti-Human Trafficking Intelligence Initiative (ATII) to expand their list of known high-fidelity CSAM domains. They queried their Identity Intelligence data for authentication records linked to these domains from February 2021 to February 2024, de-duplicating by comparing OS usernames and PC names.

The research team identified 3,324 unique credentials used to access known CSAM websites. This data provided statistics on individual sources and users, including usernames, IP addresses, and system information.
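The two processing steps described above, matching authentication records against a domain watchlist and collapsing repeats on OS username plus PC name, as an added illustration in Python (not Recorded Future's code). The log records, watchlist domains and the choice to count one credential per infected machine per watched domain are constructed assumptions.

```python
"""Added example: filter stealer-log records by a domain watchlist and de-duplicate
on (OS username, PC name, matched domain), so one infected machine that logged in
repeatedly to the same site counts once. Not the vendor's code; data is constructed."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample records in a typical stealer-log shape; every value is invented.
SAMPLE_LOGS = [
    {"url": "http://watched-a.onion/login", "login": "u1", "os_user": "Alice", "pc": "DESKTOP-1", "country": "BR"},
    {"url": "http://watched-a.onion/account", "login": "u1", "os_user": "alice", "pc": "desktop-1", "country": "BR"},
    {"url": "https://watched-b.example/signin", "login": "u2", "os_user": "alice", "pc": "DESKTOP-1", "country": "BR"},
    {"url": "https://bank.example/login", "login": "u3", "os_user": "bob", "pc": "PC-2", "country": "US"},
    {"url": "https://mirror.watched-b.example/login", "login": "u4", "os_user": "carol", "pc": "PC-3", "country": "IN"},
]

# Placeholder watchlist standing in for the researchers' list of high-fidelity domains.
WATCHLIST = {"watched-a.onion", "watched-b.example"}


def matched_domain(host, watchlist):
    """Return the watchlist entry that host equals or is a subdomain of, else None."""
    host = host.lower()
    for domain in watchlist:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def unique_credentials(records, watchlist):
    """Keep records whose URL host is on the watchlist; de-duplicate on the
    case-folded (os_user, pc, domain) triple, mirroring the OS-username/PC-name
    comparison the article describes. The per-domain granularity is an assumption."""
    seen, kept = set(), []
    for rec in records:
        host = urlsplit(rec["url"]).hostname or ""
        domain = matched_domain(host, watchlist)
        if domain is None:
            continue  # credential for an unrelated site (e.g. banking): ignored here
        key = (rec["os_user"].lower(), rec["pc"].lower(), domain)
        if key in seen:
            continue  # same machine, same site: repeat login, not a new credential
        seen.add(key)
        kept.append({**rec, "domain": domain})
    return kept


def count_by(records, field):
    """Aggregate de-duplicated records by a field such as 'domain' or 'country'."""
    return Counter(rec[field] for rec in records)


if __name__ == "__main__":
    creds = unique_credentials(SAMPLE_LOGS, WATCHLIST)
    print(len(creds), "unique credentials;", dict(count_by(creds, "country")))
```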

In three case studies, Recorded Future's Insikt Group combined data from info-stealer logs with open-source intelligence (OSINT) to identify two individuals and found additional digital artifacts, including cryptocurrency addresses, linked to a third individual.

The research found that Brazil, India, and the United States had the highest counts of users with credentials to known CSAM communities.

“Analyzing infostealer logs will likely continue to provide a useful keyhole view into CSAM sources and the use patterns of their members. These insights can be used to track source lifecycles, identify new mirrors and sources, and de-anonymize users,” the researchers wrote. “In the event of source takedowns, such a dataset may provide insights into user migration patterns and platform successors. Ultimately, we believe that utilization of this dataset will facilitate prosecution and takedown efforts and debunk the veneer of anonymity assumed by individuals seeking to harm children.”
