The Rise of Cybercrime's Subscription Economy: From Data Leaks to Data-as-a-Service

2026-06-25

Cybercrime has always evolved quickly, but recent years have seen a major shift in how stolen data is bought and sold online amongst cybercriminals. Instead of publishing breached information openly on dark forums or messaging channels, many cybercriminals are now moving towards private, subscription-based cloud services. These services operate in a similar way to legitimate online storage platforms. The key difference, however, is that the content stored on these clouds includes stolen login credentials, personal information, financial records, company data and information gathered from malware infections or data breaches.

Rather than selling stolen data once, cybercriminals are using stolen data as an ongoing service where subscribers pay for access to continuously updated collections of stolen information. These services often have search functions, organised databases and exclusive material not publicly available elsewhere. In many ways, this model reflects a criminal version of the subscription-based economy now common across legitimate online businesses.

 

What Are Subscription-Based Clouds and How Do They Work?

These private cloud services are hidden online repositories used to store and distribute stolen data. Access is generally restricted to paying members, invited users or trusted individuals and groups operating within cybercriminal communities. In many cases, the data is carefully stored and organised to make it easier to search and use. Subscribers are often able to search by email address, country, company name, or account type. Almost all services advertise themselves as regularly updated, promising new and fresh data stolen from recent breaches, phishing campaigns or infostealer malware.

This model is becoming increasingly attractive as it allows cybercriminals to repeatedly profit from the same stolen data. Instead of leaking data publicly where it can spread beyond their control, operators can maintain a more stable and profitable system where access is limited to subscribers. The subscription model also provides greater control over who can access the data. By restricting access to paying members, they can reduce the risk of infiltration by law enforcement agencies and journalists. This exclusivity can increase the perceived value of the service and encourage users to maintain long-term subscriptions.

Forums and Telegram channels still play a role, with some repositories being hosted on Telegram. Increasingly, however, they act as advertising spaces where users promote links to private repositories or subscription services hosted elsewhere. This shift shows how cybercriminals are increasingly separating the promotion of stolen data from where it is stored, making these services both more resilient and more difficult to disrupt.

 

How Stolen Data was Traditionally Sold

Traditionally, stolen data was often shared far more openly. Cybercriminals and hackers would commonly post leaked databases on underground forums and messaging platforms. Databases would sometimes be available for free or more commonly would be behind a ‘credit-wall’ where users would buy credits using cryptocurrency and then use those credits to buy access to individual databases.

However, this had disadvantages for both threat actors and buyers. For threat actors, public leaks quickly attracted attention, and as a result websites hosting the data were more likely to remove the data. In addition, stolen data often lost value once it became widely available. In many cases, the same data would spread rapidly from forum to forum, eventually ending up on Telegram and other sources, usually within days, making it difficult for criminals to continue to profit from it.

For buyers, the older process meant repeatedly buying credits and scouring the forums for specific databases. Now they subscribe to a plan that suits their needs, sometimes on a lifetime basis so they only pay once, or on a monthly or quarterly basis, and the data is provided to them on a silver platter.

In effect, just as the subscription economy has taken hold in streaming platforms and ecommerce, it is happening in the criminal data economy for one reason only: both the seller and the consumer benefit from such a model. The process is simplified for the buyer, and the seller has a consistent flow of money and the ability to monetise the same datasets repeatedly without having to constantly acquire new customers.

 

Why Does this Increase Risk?

The growth of subscription-based clouds increases risk to both organisations and individuals in several ways:

Persistence: the biggest of those risks is persistence. Stolen data no longer disappears or slowly fades from interest after the initial leak; instead, it remains available for months or years within continuously updated repositories. This means compromised credentials or personal information may continue to circulate long after the original breach took place.

Wider audience: the subscription model also lowers the barrier for entry-level cybercriminals. Individuals with limited technical skill can gain access to large volumes of stolen data instantly by paying a subscription fee.

Accessibility: this accessibility changes the nature of the threat landscape. Previously, obtaining stolen data would require navigating underground forums, building trust within criminal communities, and spending sometimes significant amounts of money on individual databases. Subscription-based repositories simplify this process considerably. For a relatively small fee, users can gain access to vast quantities of information through a single platform. As a result, more threat actors can conduct phishing campaigns, credential stuffing attacks, and account takeovers using data that is readily available and continuously refreshed.

 

Risks for businesses

For organisations, these repositories can create highly targeted risks. Searchable databases allow attackers to identify employee accounts, corporate credentials or information linked to specific industries. In some cases, this information could then be used to support ransomware attacks or social engineering campaigns – both of which are extremely prevalent now.

Furthermore, the move from publicly available leaks to leaks hidden in these private repositories means that organisations have less awareness that their information has been compromised, leading to a delay in detection, response efforts and remediation. For example, an attacker may use a repository to identify employees who have reused passwords across personal and business accounts. Even if the original breach occurred years earlier, those credentials may still be useful if the users have not changed their passwords.

 

Conclusion

The rise of subscription-based private cloud services marks another stage in the commercialisation and professionalisation of cybercrime. Rather than being sold once and forgotten, stolen data can now be continuously monetised through subscription-based repositories that provide ongoing access to fresh and searchable information. For organisations and consumers, this creates a more persistent and difficult-to-track threat landscape where compromised information may remain valuable to threat actors long after a breach has occurred. For cybercriminals, the breach is no longer the end of the transaction – it is the beginning of a recurring revenue stream.

 

