Russian Market Becomes Leading Hub for Stolen Credentials from Info-Stealer Malware

The Russian Market has surged in popularity as a major cybercrime marketplace, offering stolen credentials harvested by info-stealer malware like Lumma and Acreed.

    Russian Market Surges in Popularity After Genesis Shutdown

    The cybercriminal platform known as the Russian Market has grown into one of the most active hubs for stolen credentials, largely fueled by information stealer malware. Although the marketplace has been around for about six years, its growth accelerated significantly following the takedown of Genesis Market, creating a gap that Russian Market quickly filled.

    According to new analysis from ReliaQuest, the marketplace is now a go-to destination for cybercriminals buying access to compromised credentials. Although 85% of the credentials are recycled (previously breached or resold data), the site continues to attract large volumes of traffic because of its accessibility, wide inventory, and low prices.

    “Compromised cloud accounts afford attackers access to critical systems and present the perfect opportunity to steal sensitive data,” researchers explained.

    Logs sell for as little as $2, making credential theft a low-barrier entry point for attackers of all levels. Each log, which is typically a file or archive created by info-stealer malware, may contain hundreds or even thousands of stolen credentials from a single infected system.

    What’s Inside an Info-Stealer Log?

    Info-stealer malware quietly extracts sensitive data from infected devices. Once harvested, this data is packaged into logs and uploaded for sale on marketplaces like Russian Market.

    A typical log can include:

    • Account passwords
    • Session cookies
    • Credit card information
    • Cryptocurrency wallet data
    • Device fingerprints and system info

    These logs are a goldmine for attackers—particularly those targeting corporate networks—since many now include access to SaaS platforms and SSO (Single Sign-On) credentials.

    ReliaQuest found that:

    • 61% of logs included SaaS credentials (e.g., Google Workspace, Zoom, Salesforce)
    • 77% contained SSO credentials, which can potentially unlock multiple enterprise systems

    Lumma’s Decline and Acreed’s Rapid Rise

    Until recently, Lumma Stealer dominated the Russian Market. After the fall of Raccoon Stealer, Lumma took the lead and was responsible for a staggering 92% of all credential logs on the site.

    However, Lumma’s operations were recently disrupted following a global law enforcement takedown that seized more than 2,300 domains. While Lumma’s developers are reportedly trying to restart operations, its dominance is fading.

    In the vacuum left behind, a new info-stealer named Acreed is quickly gaining momentum. Webz reports that over 4,000 Acreed logs were uploaded to Russian Market within just one week of activity.

    Acreed behaves similarly to other info-stealers. It harvests credentials, credit card data, wallet keys, and browser-stored data from Chrome, Firefox, and their derivatives. Its rapid rise shows how quickly cybercriminals adapt when existing tools are disrupted.

    How Info-Stealers Reach Victims

    Attackers are deploying info-stealer malware through various methods, including:

    • Phishing emails with malicious attachments or links
    • ClickFix attacks that mimic technical support or software fixes
    • Malvertising, especially on fake download sites for popular software
    • Social media bait, such as misleading YouTube or TikTok videos promoting “free” tools or hacks

    Once infected, users often have no idea their data has been compromised until it is sold on platforms like the Russian Market.

    Credential Markets Now Pose a Critical Threat to Enterprises

    The ease of access to enterprise credentials, the low cost of info-stealer logs, and the volume of data circulating on markets like Russian Market have made credential-based cyberattacks a growing concern for businesses. With SSO and SaaS logins included in many of the stolen logs, attackers can bypass traditional security controls and gain access to internal systems without detection.

    As law enforcement continues targeting these marketplaces and malware operations, threat actors are proving resilient—quickly switching to new tools and platforms. The shift from Lumma to Acreed demonstrates just how fast the landscape can evolve.
