Summary
In this proof-of-concept report, Recorded Future’s Identity Intelligence analyzed infostealer malware data to identify consumers of child sexual abuse material (CSAM). Approximately 3,300 unique users were found with accounts on known CSAM sources. A notable 4.2% had credentials for multiple sources, suggesting a higher likelihood of criminal behavior. The study reveals how infostealer logs can aid investigators in tracking CSAM activities on the dark web. Data was escalated to law enforcement for further action.
Caught in the Net: Using Infostealer Logs to Unmask CSAM Consumers
Background
Infostealer malware steals sensitive user information such as login credentials, cryptocurrency wallets, payment card data, OS information, browser cookies, screenshots, and autofill data. Common distribution methods include phishing, spam campaigns, fake update websites, SEO poisoning, and malvertising. A popular infection vector is cracked software marketed to users seeking to obtain licensed software illegally. Stolen data, known as infostealer logs, often ends up on dark web sources where cybercriminals can purchase it, potentially gaining access to networks or systems.
The anonymity provided by Tor-based websites with .onion domains fosters the production and consumption of CSAM. Studies show that although only a small percentage of .onion websites host CSAM, the majority of dark web browsing activity targets these sites.
Methodology
In this proof-of-concept report, Recorded Future’s Identity Intelligence leveraged infostealer malware data to identify consumers of child sexual abuse material (CSAM), surface additional sources, and uncover geographic and behavioral trends. Our high-confidence assessments stem from the nature of the infostealer log data and subsequent research.
Sample investigations of three individuals with accounts on multiple CSAM sources suggest that having multiple CSAM accounts may indicate a higher likelihood of committing crimes against children. This study demonstrates that infostealer logs can help law enforcement track child exploitation on the dark web, a challenging area to trace. All relevant findings have been reported to authorities.
Our research involved creating a list of known high-fidelity CSAM domains and querying Recorded Future Identity Intelligence data to identify users with credentials to these domains. Collaborating with non-profit organizations like World Childhood Foundation and the Anti-Human Trafficking Intelligence Initiative (ATII), Insikt Group expanded this list by querying the Recorded Future Intelligence Cloud. This iterative process helped identify additional CSAM sources.
Insikt Group then queried Recorded Futures Identity Intelligence, which offers real-time access to infostealer log information, for authentication records linked to known CSAM sources from February 2021 to February 2024. De-duplication was performed by comparing OS usernames and PC names.
Findings
Insikt Group identified 3,324 unique credentials used to access known CSAM websites. This data allowed us to gather statistics on individual sources and users, including their usernames, IP addresses, and system information. This granular data helps law enforcement understand the infrastructure of CSAM websites, uncover techniques used by CSAM consumers to mask their identities, and identify potential CSAM consumers and producers.
In three case studies, Insikt Group used the data contained in infostealer logs and open-source intelligence (OSINT) to identify two individuals and found further digital artifacts, including cryptocurrency addresses, belonging to a third individual.
The PoC study showcases that infostealer logs can be used to identify CSAM consumers and new sources and trends in CSAM communities.
As the cybercriminal demand for infostealer logs and malware-as-a-service (MaaS) ecosystems continues to grow, Insikt Group anticipates that infostealer log datasets will continue to provide current and evolving insights into CSAM consumers.
To read the entire analysis, click here to download the report as a PDF.