
Over the past several years, Sage Infrastructure Solutions Group has invested heavily in building intelligence capabilities within the criminal ecosystem on Telegram. Through our DarkWeb Leak Monitoring service, we’ve successfully infiltrated the majority of criminal marketplaces where infostealer logs — the stolen credentials and session data harvested by malware — are bought and sold. A significant portion of that work has been focused on the Russian-speaking segment of the ecosystem, which has historically been one of the most active and consequential sources of infostealer activity worldwide.
Six days ago, our analysts noticed something unusual: a dramatic and sudden decline in Telegram traffic originating from the Russian Federation. At first, we suspected a technical issue on our end. Our team immediately launched an internal investigation, auditing our collection infrastructure and verifying connectivity to every marketplace we actively monitor. Everything checked out — our systems were functioning exactly as expected.
The cause turned out to be far more significant than a technical glitch.
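The audit step described above, ruling out a collector fault before attributing a volume drop to the source, is the kind of check that belongs in monitoring code rather than in an ad hoc investigation. The following Python is an added example and is not Sage's own tooling; the marketplace names, daily listing counts and per-day collector health flags are all constructed sample data, and the 50% drop threshold and seven-day baseline are assumed parameters. It classifies each monitored marketplace as a collector failure, a genuine source decline, or normal, and computes the aggregate reduction only across marketplaces whose collectors were healthy, so a broken scraper cannot masquerade as a market going quiet.

```python
"""Distinguish a collection outage from a real drop in marketplace activity."""
from statistics import median

# Constructed sample data (not real telemetry): daily counts of new infostealer
# log listings observed per monitored marketplace over ten days, and whether the
# collector that scrapes that marketplace completed its fetch on each day.
SAMPLE_COUNTS = {
    "market_a": [120, 130, 125, 118, 140, 132, 127, 20, 15, 12],
    "market_b": [80, 85, 90, 78, 88, 84, 86, 10, 9, 11],
    "market_c": [50, 55, 48, 52, 49, 51, 53, 0, 0, 0],
}
SAMPLE_HEALTH = {
    "market_a": [True] * 10,
    "market_b": [True] * 10,
    "market_c": [True] * 7 + [False] * 3,  # collector lost its session on day 8
}


def assess_market(counts, health, baseline_days=7, drop_threshold=0.5):
    """Return (verdict, baseline, recent_mean) for one marketplace.

    verdict is one of:
      'collector_failure' - the collector failed during the recent window, so the
                            low count says nothing about the source itself
      'source_decline'    - collector healthy, recent volume fell past the threshold
      'normal'            - collector healthy, volume within the expected range
    """
    base = median(counts[:baseline_days])          # robust to one-day spikes
    recent_counts = counts[baseline_days:]
    recent_health = health[baseline_days:]
    recent_mean = sum(recent_counts) / len(recent_counts)
    if not all(recent_health):
        return "collector_failure", base, recent_mean
    if base > 0 and recent_mean <= base * (1 - drop_threshold):
        return "source_decline", base, recent_mean
    return "normal", base, recent_mean


def assess_all(counts_by_market, health_by_market, **kw):
    """Assess every marketplace and compute the aggregate percentage reduction
    across those whose collectors were healthy. A marketplace with a failed
    collector is excluded entirely, so its missing data cannot inflate the
    apparent decline."""
    verdicts = {}
    healthy_base = healthy_recent = 0.0
    for name, counts in counts_by_market.items():
        verdict, base, recent = assess_market(counts, health_by_market[name], **kw)
        verdicts[name] = verdict
        if verdict != "collector_failure":
            healthy_base += base
            healthy_recent += recent
    reduction_pct = (
        round(100 * (1 - healthy_recent / healthy_base)) if healthy_base else None
    )
    return verdicts, reduction_pct


if __name__ == "__main__":
    verdicts, reduction = assess_all(SAMPLE_COUNTS, SAMPLE_HEALTH)
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    print(f"aggregate reduction across healthy collectors: {reduction}%")
```

On the constructed data, market_c is reported as a collector failure and left out of the aggregate, while market_a and market_b are flagged as genuine source declines, giving an aggregate reduction of about 88% across the healthy collectors. In a real pipeline the health flag would come from the collector's own fetch log (session still authenticated, HTTP/API calls succeeding, parser producing records), which is exactly what an infrastructure audit verifies by hand.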
Why Russia Matters in the Infostealer Landscape
The Russian Federation is the origin point for many of the most prolific infostealer malware families in circulation today. Because these tools are developed and operated primarily by Russian-speaking threat actors, the stolen data they collect — login credentials, browser cookies, cryptocurrency wallet data, and more — frequently flows back to operators within Russia. Those operators then advertise and sell this data on Russian-language Telegram marketplaces, making Telegram a critical chokepoint in the global stolen data supply chain.
What Changed
Despite the Russian military’s own well-documented reliance on consumer messaging platforms like Telegram and WhatsApp for operational communications, the Russian government has moved to block these applications across the entire country. The impact on criminal marketplaces was immediate and severe. Within days, we observed an 80–90% reduction in new infostealer logs being listed for sale across the Russian-language marketplaces we monitor.
This is a significant disruption to one of the largest segments of the stolen credential economy.
What We Expect Going Forward
We anticipate that this disruption will be temporary. Selling stolen data is a livelihood for many of these threat actors, and history has shown that financially motivated cybercriminals are remarkably resourceful when it comes to circumventing restrictions. Whether through VPNs, alternative platforms, or other means, we expect sellers to gradually find ways to re-establish their operations.
That said, we don’t yet know how long this transition period will last. In the meantime, our team is actively expanding our collection efforts — seeking out new sources, monitoring for marketplace migrations, and ensuring that our DarkWeb Leak Monitoring service continues to deliver comprehensive coverage for our customers.
We’ll continue to provide updates as the situation evolves. If you have questions about how this may affect your organization’s exposure, don’t hesitate to reach out to our team.
