‘Russian Market’ becomes leading hub for stolen logins
Farah Amod
Jun 28, 2025 2:31:48 PM

A surge in cybercrime activity has pushed the Russian Market to the forefront of stolen credential trading.
What happened
The Russian Market, an underground cybercrime marketplace, has gained momentum as a top platform for buying and selling stolen credentials. Though active since around 2019, its popularity has sharply increased in the wake of Genesis Market’s takedown, creating a power vacuum in the info-stealer economy.
According to cybersecurity firm ReliaQuest, 85% of credentials sold on the Russian Market are recycled from earlier breaches, but the platform remains attractive due to its massive volume and low prices; some logs are listed for as little as $2.
Going deeper
Infostealer malware extracts sensitive data from infected devices, creating logs that contain account credentials, session cookies, payment information, and crypto wallet keys. These logs, sometimes including thousands of credentials each, are uploaded to attackers’ servers and then sold on marketplaces like the Russian Market.
The platform’s rise also reflects shifting threat actor behavior. ReliaQuest notes that 61% of stolen logs include enterprise SaaS credentials (Google Workspace, Zoom, Salesforce), and 77% contain Single Sign-On (SSO) logins. These credentials give attackers potential access to highly sensitive corporate systems.
Until recently, the majority of logs came from Lumma, a popular infostealer. However, a global law enforcement operation disrupted Lumma’s infrastructure, seizing over 2,300 domains. Its future remains uncertain, though developers are reportedly attempting a reboot.
In Lumma’s absence, a new infostealer named Acreed is quickly rising in popularity. Within its first week, Acreed logs surpassed 4,000 uploads. Acreed targets the same types of data (browser-stored passwords, cookies, and crypto wallets) and is benefiting from reduced competition and active malware campaigns.
What was said
ReliaQuest researchers discussed the risks associated with compromised cloud accounts, warning that SaaS and SSO credentials are especially valuable for attackers. “Compromised cloud accounts afford attackers access to critical systems and present the perfect opportunity to steal sensitive data,” they noted.
Check Point also reported on Lumma’s attempted comeback, while threat intelligence sources confirmed Acreed’s fast-growing footprint on the Russian Market.
The big picture
The emergence of the Russian Market demonstrates how criminal networks quickly reorganize after law enforcement disruptions. New tools like Acreed are stepping in to replace dismantled malware services, exposing both individuals and organizations to credential theft through phishing, fake software, and malicious ads. The continued focus on cloud-based platforms further stresses the need for strong access controls and regular user education across personal and enterprise environments.
FAQs
Why did the Russian Market become more popular after Genesis Market was taken down?
Genesis Market’s takedown removed a major player from the cybercrime scene, leading buyers and sellers of stolen credentials to shift their activity to remaining platforms like the Russian Market.
What are infostealer logs, and how are they created?
Infostealer logs are files generated when malware extracts credentials, cookies, and other data from an infected device. These files are often uploaded to attackers’ servers and later sold or reused.
What are “ClickFix” attacks mentioned in malware campaigns?
“ClickFix” attacks involve fake error messages or pop-ups prompting users to download “fixes,” which are actually malware. These campaigns often exploit user urgency or confusion.
How do threat actors use stolen SaaS or SSO credentials?
These credentials can grant attackers direct access to enterprise cloud platforms, allowing them to bypass traditional login defenses and move laterally within corporate environments.
Are there ways to detect if your credentials are for sale on marketplaces like the Russian Market?
Yes. Users and organizations can use breach monitoring services, dark web scanners, or enroll in identity theft protection programs to receive alerts if their data appears on known underground markets.