Using Infostealer Logs to Identify CSAM Consumers

This technical report presents a proof-of-concept analysis utilizing Recorded Future's Identity Intelligence to identify consumers of child sexual abuse material (CSAM) through infostealer malware data. The study successfully identified approximately 3,300 unique users with accounts on CSAM sources, revealing geographic and behavioral trends. The report includes three case studies that detail the identification of two individuals and the discovery of digital artifacts linked to a third individual. The findings suggest that infostealer logs can be instrumental for investigators and law enforcement in tracking child exploitation activities on the dark web. The methodology involved querying a proprietary dataset and collaborating with non-profit organizations focused on anti-human trafficking efforts. The report underscores the potential of infostealer logs to provide evolving insights into CSAM consumer behavior and trends, indicating a growing demand for such data in cyber investigations.