Deanonymizing Cyber Threat Actors Using Infostealer-Derived Data. Case Study: MisterSam

About Infostealers.info

Infostealers.info is an OSINT tool developed by Alerts Bar Inc and Farnsworth Intelligence, designed to support ethical investigators in tasks such as profiling, pivoting, and attribution analysis. The data extracted from infostealers represents a valuable intelligence source, enabling the potential deanonymization and tracking of threat actors who operate with medium to high levels of operational security (OPSEC).

This type of data must be handled responsibly and used strictly for lawful purposes. Ethical investigators are encouraged to leverage this information to identify and report malicious actors to the appropriate law enforcement agencies, in compliance with relevant legal frameworks and jurisdiction-specific legislation.

Infostealer data serves as a set of powerful pivot points, helping investigators uncover actionable leads and trace the activities of highly secured threat actors. To support this mission, Infostealers.info offers accessible and competitively priced subscription options, making it easier for legitimate analysts to broaden their data sources for attribution and profiling.

Users are strongly advised to review and adhere to the Terms and Conditions outlined by Alerts Bar Inc to ensure responsible and compliant use of the platform.

Case Study: MisterSam

MisterSam was recently identified as a threat actor involved in selling a Brazilian IPTV panel source code and its associated database through the StealthMole platform. A supporting screenshot is included below.

On 6 March 2025, MisterSam was observed selling this data on BreachForums[.]st. An additional account linked to MisterSam was identified on cracked[.]sh (User ID: 482313; registered on 24 September 2019), where the actor was also offering IPTV accounts targeting Brazil and Portugal.

The Power of Infostealers.info

Using Infostealers.info, we queried the username “MisterSam” which was compromised through the login portal of the Brazilian version of the online game League of Legends in November 2023. This search revealed a total of 135 stealer logs across various platforms. Among the data, one unique IP address was identified and geolocated to Sorocaba, São Paulo, Brazil.

Analysis of the stealer logs allowed us to build a preliminary profile of the user known as “MisterSam”:

• Engages in gaming activity on platforms such as Roblox, Discord, Steam, and Twitch
• Appears to have studied in São Paulo
• Utilizes VPN services, notably ProtonVPN
• Uses cloud storage platforms like Dropbox and Mega.nz
• Operates an Apple device
• Logged into the Centro de Mídias São Paulo (cmspweb.ip.tv) portal
• Shops on MercadoLivre Brazil
• Holds accounts on Google, Facebook, Instagram, Epic Games, Netflix, Microsoft, and PayPal
• A CPF (Brazilian SSN equivalent) was exposed via one of the login portals

Additionally, Gmail addresses associated with this user were clustered based on recurring patterns for continued investigation. These addresses have been redacted due to their origin from stealer log data.

Further investigation can be conducted beyond this point. Our objective was solely to demonstrate the capabilities of Infostealers.info in profiling, pivoting, and attribution. Additional information can be provided to law enforcement authorities in the state of São Paulo upon request.

Conclusion

The use of Infostealers.info as an OSINT tool presents a valuable resource for ethical investigators, particularly in identifying and deanonymizing threat actors who employ mid to high levels of operational security (OPSEC). The data from infostealers serves as a critical set of pivot points that can help link digital identities to real-world actors, supporting more effective attribution and investigative outcomes. However, the use of such sensitive data must remain strictly ethical and within the boundaries of relevant legal frameworks.