
A malware creator may have an effective piece of software in their hands. But ultimately getting that software onto victims’ computers is the job of someone else.
With electronic rap music playing in the background, a man stretches his hands forward and leans back into a chair. The camera pans around his alleged apartment: huge floor-to-ceiling windows in a large dining room, wood-panelled floors and a funky chandelier. In another shot the man opens a laptop, types away, and then takes a sip of what looks like whiskey. The implication: This could be you if we work together.
This is one of a dizzying number of adverts on an underground forum called Lolz where “traffers” gather to look for new recruits. In this case, the man in the video is looking for people to push a fake casino tool that can steal people’s funds. But much of the rest of the “traffers” section is dedicated to proliferating infostealers. The job of these contractors is to help spread the malware or get them traffic, with teams vying for attention in a crowded marketplace.
Each tries to one-up the other with outrageous advertising and branding. They use names such as “Billionaire Boys Club,” “Baphomet,” and “Chemodan.” Their adverts include animated GIFs of computer-generated luxury cars or private jets. Another for “Cryptoland Team” shows a knight in armour looking down at a skeleton in a hood writing on parchment paper. Cryptoland Team say they work with LummaC2 and another stealer called Rhadamanthys.
“Payment by logs or money. We give you a choice: Either you take the logs or we buy them,” one advert from a team called Baphomet, with satanic branding, says.
Each lists the brand of infostealer they use, what split of the profits a collaborator can expect, and whether they allow an associate to take any extra exfiltrated logs. And most explicitly say that anyone they work with is prohibited from targeting the Commonwealth of Independent States (СНГ), or former members of the Soviet Union, which includes Belarus, Ukraine and Russia. Collaborators then leave reviews and screenshots proving they’ve made money working with the team.
Many of these teams take new applications via their own Telegram bots. Some are strict in that they only want to work with people who are already experienced, while others seemingly take anyone on board. 404 Media was able to easily pass an application process for two traffer teams by answering some basic questions. After that, the bots sent links to the teams’ respective manuals, which lay out how to spread the malware.
One manual from Baphomet, for example, recommends bundling the stealer into cheating software for Roblox. It then describes how to set up a YouTube video advertising the cheat, and by extension, help propagate the malware.
Another advert from a traffer team says it works with TikTok, Telegram, Instagram, Twitter, Facebook, YouTube, YouTube Shorts, email newsletters, bloggers and influencers. In the video of the hacker drinking whiskey, at one point his laptop shows a page on TikTok. Many of the manuals reflect this and recommend distributing infostealers via other social media sites or point to GitHub as an effective trafficking method.
Some infostealers are also hidden inside cracked or pirated software. One reason they’re so effective is that users are seeking the software out, not the other way around. People are actively searching for free software, consequences be damned.
A Google spokesperson said in an email, “We have policies in place to prevent spam, scams, or other deceptive practices that take advantage of the YouTube community. This includes prohibiting content where the main purpose is to trick others into leaving YouTube for another site.”
Meta did not respond to a request for comment. TikTok acknowledged a request but did not provide a response in time for publication.
And these traffers and others are clearly successful on a massive scale. Recorded Future says it sees 250,000 new infostealer infections every day.
The harvested credentials are then fed into Telegram channels, where a tsunami of cookies and logins is available for purchase. The administrator for LummaC2 told me, “This brings us good income, but I am not ready to disclose specific amounts,” referring to selling the stolen logs. Testing out the Telegram bot, it’s possible to filter by country, the number of cookies, or passwords available. 404 Media saw many US logs available for sale. Over the past few weeks, some of these Telegram channels have been deleted. Telegram did not respond to a request for comment asking if it had taken action against them.
These channels, in turn, have their own branding, much like the traffers. Many channels also distribute stolen credentials for free, likely in an attempt to advertise their paid offerings. Even the freely available credentials can be devastating for a targeted organisation. Earlier this year, a security researcher used exposed logins to compromise a server belonging to AU10TIX, an identity verification company that works with TikTok, Uber, and X. Those credentials came from a free stream available on Telegram, the researcher showed 404 Media at the time.
Some websites are also dedicated to, or have sections for, selling infostealer logs. Genesis Market is a site where the hackers responsible for the 2021 breach of Electronic Arts sourced a login token for the company’s Slack. In 2023, authorities shut down Genesis Market. But much of the credential selling has moved over to another long-running site, Russian Market, according to Recorded Future.
And this is where the hackers come in. Judische, the hacker linked to breaches at AT&T, Ticketmaster, and other companies that used Snowflake, likely lifted stolen credentials from these sorts of feeds and then used those to log into target servers. In some instances, those companies were not using multifactor authentication. But the power of logs is that they can sometimes bypass that extra layer of protection – a cookie can trick a service into thinking the user is trusted, and not prompt them for an extra login code.
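The cookie-replay problem described above has a well-known server-side counter: bind each session to the client context it was issued in, and demand step-up authentication when the same cookie turns up from a different browser or network. The following is an added illustration of that check, not code from any of the services or researchers named in this report; the session store, the `same_network` prefix rule, the 12-hour lifetime and every sample request are constructed for the example.

```python
"""
Detecting replay of a stolen session cookie.

A session is recorded with the client IP and User-Agent seen at login.
Later requests presenting that cookie are allowed only while they look
like the same client; a context change forces a fresh MFA prompt instead
of silently trusting the cookie.  Added illustration with constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class Session:
    session_id: str
    user: str
    ip: str            # client IP at login
    user_agent: str    # browser string at login
    issued_at: datetime


@dataclass(frozen=True)
class Request:
    request_id: int
    session_id: str    # value of the session cookie presented
    ip: str
    user_agent: str
    at: datetime


MAX_SESSION_AGE = timedelta(hours=12)   # hypothetical policy value


def same_network(ip_a: str, ip_b: str) -> bool:
    """Treat addresses in the same /24 (IPv4) or /64 (IPv6) as one network,
    so an ordinary address change on the same link does not trigger a challenge."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 64
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


def evaluate(sessions: dict, req: Request) -> str:
    """Decide what to do with a request that carries a session cookie."""
    s = sessions.get(req.session_id)
    if s is None:
        return "reject:unknown-session"
    if req.at - s.issued_at > MAX_SESSION_AGE:
        return "reject:expired"
    # A cookie copied out of an infostealer log arrives from a different
    # browser and network than the one that completed MFA: require step-up.
    if req.user_agent != s.user_agent or not same_network(s.ip, req.ip):
        return "step-up:context-mismatch"
    return "allow"


def run_sample() -> dict:
    """Evaluate a constructed set of requests against one legitimate session."""
    t0 = datetime(2024, 6, 1, 9, 0, 0)
    sessions = {
        "sid-7f3a": Session("sid-7f3a", "alice", "203.0.113.5", "Firefox/126.0", t0),
    }
    requests = [
        # same browser, neighbouring address on the same /24: normal traffic
        Request(1, "sid-7f3a", "203.0.113.9", "Firefox/126.0", t0 + timedelta(minutes=5)),
        # same cookie replayed from another network and browser
        Request(2, "sid-7f3a", "198.51.100.7", "Chrome/125.0", t0 + timedelta(minutes=40)),
        # right client, but the session has outlived the policy lifetime
        Request(3, "sid-7f3a", "203.0.113.5", "Firefox/126.0", t0 + timedelta(hours=13)),
        # cookie value that was never issued
        Request(4, "sid-0000", "203.0.113.5", "Firefox/126.0", t0 + timedelta(minutes=1)),
    ]
    return {r.request_id: evaluate(sessions, r) for r in requests}


if __name__ == "__main__":
    for rid, decision in run_sample().items():
        print(rid, decision)
```

Binding to IP and User-Agent is deliberately coarse: mobile clients and corporate NAT change addresses legitimately, which is why the check asks for a fresh MFA prompt rather than rejecting outright. In practice this sits alongside short session lifetimes and revoking all sessions when a password is changed, so that a log sold weeks after the infection is already worthless.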
Potentially with no idea how the logs were ultimately sourced, some English hackers ask in large group chats for passwords related to targets in particular countries. One I recently saw said they wanted logs for Canadian victims.
When interviewing Dark X, the alleged Hot Topic hacker, they seemed to sense another potential way to make some money. They mentioned they also sell logs.
“You wanna buy? haha,” they wrote.
- A Tell / Wired report