
Thermal Intelligence Unveils Methodology to Trace Cybercriminals Using Impostor Logs
The presentation by Thermal Intelligence, a Singapore-based cybersecurity firm with an R&D center in Korea, introduces a methodology for analyzing 'impostor logs'—malware-generated data containing stolen credentials, cookies, and cryptocurrency wallet information—to identify not only victims but also potential criminal suspects. The team manually reviewed 5,000 logs from a larger dataset, uncovering digital footprints linked to romance scams and illegal gambling operations, including scripts, forged documents, and desktop screenshots of gambling site developers. They developed the Stellar Log Analyzer, a tool combining Python parsers and large language models (LLMs) to process 6 terabytes of stealer logs, improving parsing efficiency by 15% compared to Python alone. The tool employs a four-stage pipeline—crime analysis, query formulation, search execution, and verification—to detect suspects, such as online gambling operators running multiple Telegram instances or malware distributors with excessive system.txt files. Key takeaways include techniques for uncovering actionable leads, expanding parsing coverage with AI, and identifying criminals via digital footprints in stealer logs. The logs were sourced from the deep web, dark web, and Telegram, though ethical constraints prevent sharing specifics. Future targets include North Korean IT workers and blockchain attackers.