How Are Stolen Credentials Sold on the Dark Web
Short answer
Stolen sessions are sold through criminal marketplaces operating across dark web forums, Telegram, and Discord. Infostealer logs containing active session cookies, credentials, and device data are indexed by domain, country, and system type. Prices range from a few dollars for personal accounts to hundreds for active corporate sessions. The process is fast: logs typically appear for sale within hours of infection.
The lifecycle of a stolen credential
1. Infection: an infostealer infects a device and extracts active session cookies, saved passwords, and browser data.
2. Upload: the stolen data is automatically sent to the operator's infrastructure and packaged into a log.
3. Listing: the log is listed on a criminal marketplace or Telegram channel, indexed by domain and metadata.
4. Purchase: a buyer searches for access to a target organization, finds a matching log, and purchases it.
5. Exploitation: the buyer imports the stolen session cookie into their browser and gains direct access to the victim's systems, bypassing authentication entirely.
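A defender-side check for step 5, added here as an example and not taken from the original page: it flags a session ID that is later presented from a different network or user agent than the one it was issued to at login. The event field names, the function names, and the sample events are constructed assumptions.

```python
import ipaddress

# Constructed sample events; the field names are assumptions, not a real log schema.
UA_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
UA_LIN = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "session": "s-aaa", "event": "login", "ip": "198.51.100.10", "ua": UA_WIN},
    {"ts": "2024-05-01T08:05:00Z", "session": "s-aaa", "event": "request", "ip": "198.51.100.77", "ua": UA_WIN},
    {"ts": "2024-05-01T08:10:00Z", "session": "s-bbb", "event": "login", "ip": "203.0.113.5", "ua": UA_WIN},
    {"ts": "2024-05-01T14:30:00Z", "session": "s-bbb", "event": "request", "ip": "192.0.2.44", "ua": UA_LIN},
    {"ts": "2024-05-01T14:31:00Z", "session": "s-ccc", "event": "request", "ip": "192.0.2.44", "ua": UA_LIN},
]


def network_key(ip):
    """Coarse network for an address (/24 for IPv4, /48 for IPv6) to tolerate DHCP churn."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def find_replayed_sessions(events):
    """Return (session, ts, reasons) for requests that do not match the login context."""
    baseline = {}  # session id -> (network, user agent) recorded when the session was issued
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # same-format ISO 8601 UTC sorts as text
        context = (network_key(e["ip"]), e["ua"])
        if e["event"] == "login":
            baseline[e["session"]] = context
            continue
        issued = baseline.get(e["session"])
        if issued is None:
            # Cookie presented with no login on record; the login may also predate the log window.
            findings.append((e["session"], e["ts"], ("no_login_seen",)))
            continue
        reasons = []
        if context[0] != issued[0]:
            reasons.append("network_changed")
        if context[1] != issued[1]:
            reasons.append("user_agent_changed")
        if reasons:
            findings.append((e["session"], e["ts"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_EVENTS):
        print(finding)
```

A network change alone is common for roaming users, so treat it as a weaker signal than a simultaneous network and user-agent change.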
Pricing
Prices depend on the perceived value of the access. A log containing only personal social media accounts may sell for $1-5. A log with corporate VPN access, cloud platform sessions, or financial system credentials can sell for $50-500 or more. Bulk access to large organizations commands premium prices.
The role of initial access brokers
Some buyers specialize in acquiring infostealer logs and using the stolen sessions to establish persistent access to corporate networks. They then resell this access to ransomware operators or other threat actors. These resellers, known as initial access brokers, represent a significant escalation in the threat chain. A stolen session worth a few dollars on a marketplace can be turned into a ransomware incident worth millions. Passguard monitors the dark web, Telegram, and Discord for stolen sessions linked to your organization and alerts your team before that escalation can happen.
