Inside the “Stealer Ecosystem”: How the Cybercrime Economy Professionalized Data Theft
Cybercriminal groups are building entire infrastructures to propagate infostealers—malicious programs designed to steal passwords, payment card details, and other sensitive information from infected devices. Analysts describe what they call the “Stealer Ecosystem,” where the key actors are malware developers, administrators of so-called traffic teams, and the so-called traffers—operatives responsible for mass infections.
Traffic teams function much like organized crime syndicates: they distribute malware, sell stolen data logs on darknet marketplaces, and profit directly from these activities. Recruitment of new participants is aggressive and ongoing across underground forums such as Lolz Guru, Exploit, BHF, and especially XSS, where since 2018 more than 8,700 posts about traffers have appeared. Telegram bots are even used to automate the process: candidates undergo a “trial period,” receive a stealer build, and are provided instructions for distribution.
Traffers themselves employ a wide array of tactics. They set up phishing panels (often disguised as online casinos) and promote malicious links on YouTube, TikTok, and Instagram, camouflaged as ads or app giveaways. Their most critical tool is SEO manipulation: attackers game the search rankings of Google, Yandex, and Bing to push poisoned websites. Entire “SEO teams” are found on forums, applying black-hat techniques—CTR manipulation, link farms, and bypassing ranking algorithms such as Panda and Penguin.
Profits are distributed according to formulas spelled out in recruitment ads: most often 79:21 or 65:35 in favor of the traffer, depending on their experience and trust level. Sometimes, teams establish fixed payouts per malware installation. In certain cases, hidden cryptocurrency miners are embedded into infostealer loaders as an additional revenue stream.
A striking example is the Dungeon Team, highly active on Lolz Guru. In promotional posts, the group promises its traffers a FUD loader (fully undetectable by antivirus), free SEO services, and a crypter to cloak the infostealers. Inside the team, revenue-sharing is carefully tracked: for instance, when a cryptocurrency wallet theft exceeds $30, the traffer receives 65% of the profit while the rest goes to the administrator. Chat screenshots confirm the use of Stealc V2 and Rhadamanthys Stealer, with stolen logs exfiltrated through Telegram bots. Members also report hidden miners embedded in the loaders.
According to research by S2W, stolen logs are globally distributed, with the notable exception of CIS countries. Among the compromised data are also corporate domain accounts, significantly raising the risk of internal network breaches for organizations.
Experts emphasize that traffers increasingly combine techniques: from planting malicious scripts in public GitHub repositories to targeting Web3 wallets via fake NFT minting sites. Compromising vulnerable university and government websites is also common, with redirects to malicious pages inserted into the hijacked sites.
Researchers advise companies to strengthen monitoring of suspicious domains, implement behavioral detection mechanisms (such as Sigma rules), and closely track underground forums where recruitment of traffers continues unabated. In effect, a resilient “traffic market” has emerged, with its own rules and a clearly defined division of roles—each segment of the ecosystem calibrated to maximize profits from cybercrime.
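One concrete form of the behavioral detection the researchers recommend, written as an added example for this article (it is not code from S2W or from the page): it scans proxy log lines for Telegram Bot API upload calls issued by processes that have no reason to use the Bot API, the exfiltration path described in the Dungeon Team chats. The log format, the process allowlist and every sample value are constructed assumptions; the same selection logic can be expressed as a Sigma rule over proxy logs.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines for this example (not from the article): each line
# records the originating process, the HTTP method and the requested URL.
SAMPLE_PROXY_LOGS = [
    "2024-05-01T10:00:01Z host=WS-12 proc=chrome.exe method=GET url=https://www.example.com/login",
    "2024-05-01T10:00:05Z host=WS-12 proc=Telegram.exe method=POST url=https://api.telegram.org/bot111111:AAAA-constructed/getUpdates",
    "2024-05-01T10:00:09Z host=WS-12 proc=svchost.exe method=POST url=https://api.telegram.org/bot222222:BBBB-constructed/sendDocument",
    "2024-05-01T10:00:12Z host=WS-12 proc=app_giveaway_setup.exe method=POST url=https://api.telegram.org/bot333333:CCCC-constructed/sendMessage",
]

LINE_RE = re.compile(r"proc=(?P<proc>\S+)\s+method=(?P<method>\S+)\s+url=(?P<url>\S+)")
# Telegram Bot API requests carry the bot token in the URL path: /bot<token>/<method>.
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot(?P<token>[^/]+)/(?P<api>\w+)")
# Bot API methods a stealer would use to push a log archive or a text summary to its operator.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
# Processes permitted to reach the Bot API on the monitored hosts (assumption for this
# example; tune to the environment, and keep it small: most endpoints need none).
ALLOWED_PROCS = {"telegram.exe"}


@dataclass(frozen=True)
class Finding:
    proc: str
    api_method: str
    token_hint: str  # bot token reduced to its numeric bot id so the alert does not leak it


def redact_token(token: str) -> str:
    """Keep only the numeric bot id (the part before ':') for correlation across alerts."""
    return token.split(":", 1)[0] + ":<redacted>"


def detect_telegram_exfil(lines):
    """Return one Finding per Bot API upload call from a process outside the allowlist."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # line is not in the expected proxy format
        b = BOT_API_RE.match(m["url"])
        if not b or b["api"] not in EXFIL_METHODS:
            continue  # not a Bot API call, or not an upload/notify method
        if m["proc"].lower() in ALLOWED_PROCS:
            continue  # known Telegram client traffic
        findings.append(Finding(m["proc"], b["api"], redact_token(b["token"])))
    return findings
```

The numeric bot id retained in each finding lets several infected hosts reporting to the same operator bot be grouped into one incident.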