The underground data theft ecosystem has reached an unprecedented level of organization and automation.
Over the past few years, credential-stealing malware commonly known as stealers has fueled a booming underground economy powered by Telegram channels, data brokers, and automated distribution networks.
Security researchers who spent the last year monitoring these activities revealed that Telegram alone serves as the most significant data driver in this ecosystem, with a single actor capable of distributing up to 50 million unique credentials per day.
Inside the Stealer Ecosystem
The stealer ecosystem consists of several key players operating in interdependent layers. Primary sellers manage public and private Telegram channels where fresh stealer logs are shared or sold.
Aggregators collect and merge logs from multiple sources to create searchable databases, while traffers act as distributors, spreading infostealer malware through malicious software bundles and infected websites.
Researchers observed that aggregators often repackage and repost data, leading to inconsistencies and duplicates across the supply chain.
To maintain control, primary sellers frequently encrypt their data archives with passwords or links directing users back to their original channels. This approach complicates tracking and attribution but enhances visibility within the criminal marketplace.
Building a Scalable Monitoring System
To combat this problem, the research team engineered an advanced collection system designed to ingest, process, and deduplicate massive amounts of stolen data.
Using around 20 Telegram Premium worker accounts connected through a customized fork of the Pyrogram library, the system continuously monitored channels, joined new groups identified through message parsing, and captured shared data archives.
The architecture revolved around a decoupled downloader service that handled file acquisition, extraction, and ingestion. The downloader authenticated independently, parsed stealer logs in multiple formats, and then deleted local files after processing to free up storage.
Each file was hashed and stored using ClickHouse’s ReplacingMergeTree engine, ensuring high-speed deduplication and correlation between reused credentials across different data dumps.
To identify malicious Telegram infrastructure, the system employed a probabilistic ranking model. Channels referenced by known malicious sources received higher risk scores and were automatically prioritized for crawling, significantly improving detection coverage without manual intervention.
Over nine months, the system indexed more than 30 billion Telegram messages and parsed nearly 80 billion credentials, peaking at 600 million credentials processed in a single day.
Due to resource constraints, the team later contributed its dataset to Have I Been Pwned (HIBP), enabling victims to check whether their credentials had been compromised.
By open-sourcing the data through HIBP, researchers hope to empower individuals and organizations to secure their accounts without relying on unregulated data markets that often re-victimize breach victims.
Telegram Spokesperson said that “the company routinely bans groups and channels disclosing private information because it is explicitly forbidden by Telegram’s terms of service. Moderators empowered with custom AI tools proactively monitor public parts of the platform and accept reports in order to remove millions of pieces of harmful content each day.”
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
.jpg?resize=1068,580&ssl=1&description=Stealer malware - The underground data theft ecosystem has reached an unprecedented level of organization and automation.){kind=link}