Russian-Speaking Stealer Operators Target Foreign Users of Steam, Roblox, Amazon, and PayPal

Group-IB specialists have discovered 34 hacker groups distributing stealers—malicious software designed to steal passwords from gaming accounts on Steam and Roblox, Amazon accounts, PayPal credentials, as well as bank card and cryptocurrency wallet data. While these groups coordinate via Russian-language Telegram bots, their attacks primarily target foreign users in the United States, Brazil, and India.

From “Mammoth” Scams to Stealer Malware

According to the report, experts noticed a migration of “workers” (a term for low-level online scammers) from the popular Russian scam scheme “Mammoth” (also known as Classiscam) to the more dangerous practice of spreading stealer malware. Stealers are malicious programs that extract login credentials from browsers—including email and social media accounts—bank card details, and cryptocurrency wallet information from infected computers. After a successful attack, criminals either use the stolen data themselves to withdraw funds or sell the information on underground forums. Group-IB considers stealers to be one of the most serious threats in 2022.

Growth of Telegram-Based Stealer Groups

The first large-scale groups and Telegram bots for distributing stealers began appearing in early 2021. Investigations confirmed that members of several scam groups previously focused on the “Mammoth” scheme had shifted to working with stealers. In 2021-2022, experts identified 34 active Russian-speaking groups on Telegram. The ten largest groups each received over 30,000 “pings”—messages from infected machines sent to the operator. On average, each group has about 200 members.

Switching from scams to distributing stealers, the criminals copied not only the hierarchy and model but also the technical solutions from “Mammoth.” This includes special Telegram bots that generate malicious content, facilitate communication, and manage underground accounting. The role of “workers” also changed: now, their main task is to drive traffic to a bait website and trick victims into downloading a malicious file.

Distribution Methods and Infection Statistics

Links to download stealers are most often embedded in YouTube reviews of popular games, mining software, NFT files on specialized forums, and giveaways or lotteries on social networks. According to Group-IB, from March 1 to December 31, 2021, users downloaded stealers more than 538,000 times. The situation worsened in 2022: in the first seven months (January 1 to August 1), users downloaded stealers over 890,000 times.

Most Popular Stealers and Their Use

The most popular stealer among these groups is RedLine, used by 23 of the 34 teams. Raccoon is in second place, used by 8 teams, while 3 groups use custom-made stealers. Administrators typically hand RedLine and Raccoon builds to their workers at no upfront cost, in exchange for a share of the stolen data or a monetary cut, even though renting these stealers on the underground market costs $150–$200 per month. Some groups use up to three different stealers, while others use only one.

Targeted Services and Countries

In 2021, the most frequently attacked services were PayPal (over 25% of stolen credentials) and Amazon (over 18%). In 2022, PayPal (over 16%) and Amazon (over 13%) remained the top targets. However, the number of stolen passwords for gaming services (Steam, Epic Games, Roblox) increased nearly fivefold over the year.

The most targeted countries in 2022 were the United States, Brazil, and India. Russia is becoming less of a priority for these criminals: in 2021, Russia ranked 15th in the number of users whose passwords were stolen by stealers, but by the first seven months of 2022, it had dropped to 95th place.

Scale of the Theft and Criminal Profits

In total, over ten months in 2021, analysts estimate that these groups stole 538,982 logs, 27,875,879 passwords, 1,215,532,572 cookies, data from 56,779 cards, and 35,791 cryptocurrency wallets. In the first seven months of 2022, they stole 896,148 logs, 50,352,518 passwords, 2,117,626,523 cookies, data from 103,150 cards, and 113,204 cryptocurrency wallets. By selling just the logs and card data on the underground market, criminals could have earned about 350 million rubles (approximately $5.8 million USD).

Low Entry Barrier and Serious Consequences

“The influx of a huge number of workers into the popular ‘Mammoth’ scam scheme—at its peak, we recorded over 1,100 criminal groups and hundreds of thousands of fake sites—led to competition for resources and the search for new ways to make money,” says Evgeny Egorov, lead analyst at Group-IB Digital Risk Protection. “The popularity of the stealer distribution scheme is due to its low entry barrier: beginners don’t need technical knowledge, as the process is fully automated through a bot, and the worker’s task is simply to create a file with the stealer in a Telegram bot and drive traffic to it. But for victims whose computers are infected with a stealer, the consequences can be very serious.”
