In a world where data fuels global innovation and identity, its exploitation has become one of the most critical threats of our time. Cybercriminal activity has rapidly shifted from the Dark Web to platforms like Telegram, where stolen data is traded in the form of stealer logs containing emails, passwords, cookies, and financial details. Existing solutions either focus on large public breaches or lack structured, real-time monitoring of these smaller leaks. In this work, we propose a system that monitors Telegram groups, extracts stealer logs, and preprocesses the data to remove duplicates and normalize key fields. The cleaned data is stored in a searchable database and visualized through a Django-based dashboard, enabling queries by email, username, or domain. Our findings reveal recurring patterns such as password reuse and token leakage. This framework converts unorganized leaks into actionable intelligence and sets the foundation for future work in automation, machine learning–based classification, and real-time alerting.
Introduction
In today’s hyper-connected world, data breaches and identity theft pose serious risks to individuals, organizations, and national security. Cybercriminals exploit sensitive information—such as passwords, credit card numbers, and personal identifiers—through malware, phishing, insider threats, and stealer logs. While historically the Dark Web was the primary marketplace for compromised data, Telegram has emerged as a major alternative due to its accessibility, encrypted messaging, bots, channels, and groups. Telegram complements Dark Web operations by offering faster communication and broader reach for cybercriminals.
Stealer logs, generated by malware, are a key resource in this ecosystem. These logs capture sensitive data and are shared or sold via Telegram groups and Dark Web marketplaces. Despite Telegram’s rising importance, most research and breach detection services focus on traditional large-scale breaches and Dark Web marketplaces, leaving the flow of credentials on Telegram underexplored.
The proposed research addresses this gap by developing a manual, periodic monitoring system for Telegram stealer logs, including:
Data Collection – monitoring relevant Telegram channels and groups, ethically gathering unstructured logs.
Data Preprocessing – parsing, cleaning, and organizing heterogeneous credential data.
Storage – structuring the processed data in a local, queryable database.
Analysis & Visualization – enabling stakeholders to query, track, and visualize trends in leaked credentials.
The literature review shows three main insights:
Telegram as a cybercrime hub – increasingly used for distributing stealer logs and malware.
Consequences of breaches – stolen credentials are reused, monetized, and pose significant threats.
Methodological challenges – existing solutions are either macro-level studies or resource-intensive automated systems, leaving gaps for regulated, periodic, and queryable monitoring approaches.
By focusing on Telegram, implementing manual monitoring, and creating a structured database with visualization and querying capabilities, the study provides a practical, resource-conscious solution bridging research insights and actionable cybersecurity intelligence.
Conclusion
The paper successfully demonstrates how a systematic strategy can be utilized to investigate potential breaches of personal data that are circulating on Telegram channels.
By applying a systematic pipeline of collection, preprocessing, analysis, and display, the developed system transforms extremely disorganized and unpredictable stealer logs into valuable and actionable information. While ensuring that ethical standards are followed, and thus preventing any unauthorized access or unethical hacking, the manual collection approach provides a helpful tool for monitoring crucial information being discussed in secret Telegram groups (the Telegram channel used here was .boxed.pw). This study highlights the rising importance of Telegram as a platform for trading stolen credentials such as passwords, images, emails, and CVVs, and the need to take proactive measures to identify, organize, and keep an eye on such data for security and awareness reasons.
The system has a dedicated data preparation process. This process is critical for preventing noisy, missing, or redundant data from influencing the final outcomes. The study generates a clean and reliable dataset that can be rapidly searched and evaluated through the use of normalization, hashing, and systematic mapping of significant variables. The study provides useful information for understanding the scope and pattern of leaks, such as identifying repeating usernames, commonly used domains, and grouping related breaches. The complete technique, when combined with the visualization dashboard, converts complex and distributed breach data into an easily accessible platform that may benefit both corporations and individual users who want to identify whether their personal information has been compromised. This is especially crucial in today's digital environment, where breaches occur often and compromised data can spread quickly across multiple platforms.
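An illustration of the preprocessing step described above (normalization, hashing, de-duplication, and detection of password reuse), added here as an example and not the paper's own code. The "URL/Username/Password" block layout, the HMAC key `KEY`, and the `leaks` table are assumptions; the sample records are constructed.

```python
import hashlib
import hmac
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed sample; the "URL/Username/Password" block layout is an assumption.
SAMPLE_LOG = """\
URL: https://Mail.Example.com/login
Username: Alice@Example.com
Password: Summer2024!
===============
URL: https://mail.example.com/login
Username:   alice@example.com
Password: Summer2024!
===============
URL: https://shop.example.org/account
Username: alice@example.com
Password: Summer2024!
===============
URL: https://portal.example.net/
Username: bob
"""
FIELD = re.compile(r"^(URL|Username|Password):[ \t]*(.*)$", re.I | re.M)
KEY = b"constructed-demo-key"  # assumption: local secret stored outside the database

def parse_records(text):
    """Yield normalized (domain, username, password); skip incomplete blocks."""
    for block in re.split(r"^=+[ \t]*$", text, flags=re.M):
        f = {k.lower(): v.strip() for k, v in FIELD.findall(block)}
        host = urlsplit(f.get("url", "")).hostname  # hostname comes back lower-cased
        if host and f.get("username") and f.get("password"):
            yield host, f["username"].lower(), f["password"]

def build_db(text, path=":memory:"):
    """Store records with a keyed password digest; UNIQUE drops duplicates."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS leaks (domain TEXT, username TEXT,"
                 " pw_hmac TEXT, UNIQUE (domain, username, pw_hmac))")
    rows = [(d, u, hmac.new(KEY, p.encode(), hashlib.sha256).hexdigest())
            for d, u, p in parse_records(text)]
    conn.executemany("INSERT OR IGNORE INTO leaks VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn

def reused_passwords(conn):
    """(username, domain count) where one password digest spans several domains."""
    return conn.execute("SELECT username, COUNT(DISTINCT domain) FROM leaks GROUP BY"
                        " username, pw_hmac HAVING COUNT(DISTINCT domain) > 1").fetchall()
```

Storing a keyed digest instead of the plaintext password still lets the reuse query work, because equal passwords produce equal digests under the same key.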
The program is subject to certain limitations, though. Because the data gathering method is manual, the system may encounter scalability issues as the volume of Telegram dumps grows rapidly. Because of the reliance on daily or periodic updates, real-time monitoring is currently impractical and may result in new breaches going unnoticed.
Similarly, more complex visualization and integration with automated warning systems could enhance the system's usability, even though Django provides a reliable interface for data presentation. Nonetheless, the study creates a strong foundation by showing how systematic management of Telegram leaks may be used to create a shared repository of stolen credentials and serve as a tool for risk assessment and personal awareness. Another promising option is to extend the dashboard's capabilities to provide customized breach alerts and recommendations. For instance, if a customer's email address or associated credentials are discovered in a new dataset, they may receive immediate alerts along with useful advice on account security. Organizations may also use this technology to monitor their domains and staff login credentials so they can react to potential security issues faster.