
Stolen credentials could unmask thousands of darknet child abuse website users

Thousands of people with accounts on darknet websites for sharing child sexual abuse material (CSAM) could be unmasked using information stolen by cybercriminals, according to research published Tuesday.

In a proof-of-concept report, researchers at Recorded Future said they have been able to identify these individuals from credentials harvested by infostealer malware — a type of malware that typically steals log-in credentials for banking services, which are then exploited by financial fraudsters.

But alongside the log-in details for banking apps are other credentials, including those for accounts on .onion websites known for trafficking CSAM. These sites run on the Tor network, which anonymizes users by relaying each connection through several encrypted hops. However, the individual infostealer logs also contain credentials for other services used by the infected person.

The logs link those anonymous CSAM website users to accounts on clear web platforms, such as Facebook, where they have used their real names — and sometimes even include autofill data stored in a web browser, such as a home address — giving law enforcement agencies the opportunity to investigate offenders and safeguard at-risk children.

“Infostealers are a type of malware that steal data from infected devices. It could be anything from login credentials to operating system information to cryptocurrency addresses, a whole range of data, that these actors then post or share or sell on dark web sources,” explained Hande Guven, a cybercrime researcher at Recorded Future.

The Record is an editorially independent unit within Recorded Future.

The data contained within each individual infostealer log is “immense,” Guven said. “You get visibility into a lot of the login credentials, including their passwords to multiple websites, essentially all paths, all websites that they would have logged on to during that time, or that's saved on their keychain.”

The retailers involved in the ecosystem for trading these stolen credentials include Russia Market and 2Easy Shop, as well as the now-defunct Genesis Market, which was seized by law enforcement last year, leading to more than 120 arrests.

The retailers collect the stolen data from wholesalers. Dmitry Smilyanets, a product manager at Recorded Future, explained that the company legally acquires this wholesale data, often shared in bulk on Telegram, for security purposes.

Recorded Future analyzes these records for domains used by its corporate customers, either to protect compromised employee accounts or to identify when customers are impacted so that consumer fraud can be tackled. The company ingests around 150 million credentials every month.

“But then we identified that the criminals self-infect,” Smilyanets said, adding that those who play with matches often get burned.

According to the report, by querying this data alongside partners — including World Childhood Foundation and the Anti-Human Trafficking Intelligence Initiative — the researchers were able to identify approximately 3,300 unique users with accounts on at least one darknet site for the sharing of CSAM.

Recorded Future said it had shared all of its findings with law enforcement in the U.S., including raw data which is not included in the public report.

In three case studies based on the analysis of infostealer logs included in the proof-of-concept announcement, the researchers were able to identify two real-world individuals “who are likely to have committed or to potentially commit crimes against children.”

In one case, the individual had “previously been convicted of child exploitation” and was “arrested in a sting operation where they attempted to meet a minor for ‘lewd purposes’.”

In another case, the “user’s browser autofill data allowed us to pinpoint their full name, physical address, and several phone numbers” which led the researchers to identify a recent obituary for the individual which stated they had been an active volunteer at children’s hospitals in their community.

“This is a person we didn't find any kind of criminal record for, but they had accounts on nine websites that were confirmed to host CSAM,” said Guven. “Even within the scope of our research, that's a high number of accounts. So that's someone that, practically speaking, flew under the radar their whole lives, and was in daily contact with children.”

The aim for the researchers “is to share the methodology as a proof-of-concept of what can be done using the type of data that we have.” 

“So we're doing the best we can and then passing it on to the people who can take more action,” said Guven.

According to Smilyanets, the report is “the jewel in the crown, but it's also the tip of the iceberg.” 

“Because there's so much data, there are different kinds of criminals,” he said. 

“Someone sells drugs, someone sells guns, someone does identity theft, human trafficking, everything, they all are compromised. We have a unique dataset to enable our law enforcement partners to be successful with their mission.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.