If You Used Tor in 2023, TOR_LOG Telegram Dump May Have Your Logins

HEROIC found 3,949 records on 10-Mar-2023 inside a Tor-network stealer log dump labeled TOR_LOG, uploaded by a Telegram user. The file exposed email addresses, plaintext passwords, and target URLs from endpoints that routed traffic through the Tor network at the time of infection.

Why This Stealer Log Is Dangerous

If you used Tor for privacy in early 2023, the irony is brutal: TOR_LOG proves that anonymizing your traffic does not protect saved browser passwords on a compromised device. Once infostealer malware lands on the endpoint, it pulls credentials before any encryption layer ever applies.

What Was Exposed in TOR_LOG

• 3,949 unique email and password pairs
• Plaintext credentials with no hashing
• Login URLs for both clearnet and onion services
• API host strings tied to privacy-focused tools
• Endpoint metadata from each infected Tor-routed machine

Why This Matters

Tor users often reuse passwords across pseudonymous accounts, dark-web forums, crypto wallets, and clearnet services. A single TOR_LOG entry can unmask years of carefully separated identities, expose wallet seeds, and link forum personas to real-world emails in ways that ordinary breach victims rarely face.

How a Stealer Log Like TOR_LOG Works

Infostealer malware infects a victim through a malicious download, cracked tool, or phishing payload. It harvests saved browser passwords, cookies, and crypto wallet files regardless of whether the browser routes through Tor, then exfiltrates the bundle to an operator who tags it with a channel name like TOR_LOG and uploads it to Telegram for resale.

Check If You Are Affected

HEROIC tracks more than 400 billion compromised records across breaches, leaks, and stealer log channels including TOR_LOG. Search your email at heroic.com to confirm exposure, rotate reused credentials, sever links between pseudonymous accounts, and secure any crypto wallets tied to the affected device.