Short answer

Infostealer marketplaces are online platforms where stolen sessions and logs from infected devices are bought and sold. Criminal marketplaces operate across dark web forums (Tor), Telegram, and Discord. Sellers are typically infostealer operators or distributors. Buyers range from individual attackers to organized crime groups and initial access brokers.

How marketplaces work

Marketplaces function like e-commerce platforms for stolen data. Sellers upload logs from infected devices. The marketplace indexes the data by domain, country, operating system, and the types of credentials included. Buyers can search for access to specific organizations or services and purchase individual logs.

Pricing depends on the value of the access: a log with VPN credentials, cloud platform sessions, or banking access sells for more than one with only personal social media accounts.

The shift to Telegram

Criminal marketplaces operate across Tor-based forums, Telegram, and Discord. These platforms differ in accessibility and speed, but serve the same function: connecting sellers of stolen sessions with buyers. Some operate as automated shops where buyers send a command and receive logs instantly.

This shift has made the infostealer ecosystem more accessible, contributing to the growth in attack volume.

Why marketplace monitoring matters

By the time stolen sessions appear on a marketplace, the infection has already happened. But the window between listing and exploitation is where organizations can act. Monitoring criminal marketplaces enables security teams to detect compromised sessions and revoke them before attackers use them. Passguard monitors all major criminal marketplaces and alerts your security team the moment stolen sessions linked to your organization are listed. Start with a free scan at passguard.com to see your current exposure.