Security analysts have observed a sharp rise in stolen credentials sold through Russian Market, a leading darknet automated vending cart (AVC) platform that has been likened to the “Amazon of Stolen Credentials.”
ReliaQuest’s GreyMatter Digital Risk Protection (DRP) service registered more than 136,000 customer alerts linked to compromised credentials available on this marketplace, underlining the scale and automation of credential theft in the current threat landscape.
Russian Market maintains its dominance through its extensive inventory, streamlined purchasing process, advanced filtering capabilities, and low entry costs, often as little as $2 for a credential log.
The marketplace had amassed over 5 million distinct logs by 2023, each containing tens to hundreds of credentials, catering to attackers seeking to compromise accounts efficiently across a wide range of industries.
Professional services and information sectors, characterized by complex supply chains and high digital exposure, have been particularly targeted by these operations.
A detailed analysis by the ReliaQuest Threat Research team, encompassing over 1.6 million posts since 2022, revealed that cybercriminals’ infostealer malware of choice significantly shapes the scale and efficacy of credential theft campaigns.
“Lumma” (LummaC2) was the principal infostealer throughout late 2024, responsible for nearly 92% of the Russian Market log alerts in Q4 2024, propelled by advanced capabilities and aggressive distribution tactics such as fake CAPTCHA lures.
However, Lumma’s dominance was disrupted by its takedown in May 2025. In the immediate aftermath, researchers identified “Acreed” as the next significant infostealer, which rapidly gained traction and outpaced several established alternatives.
Attack Vectors
Forensic reviews of Russian Market logs indicate attackers rely on a sophisticated toolkit to infiltrate victim machines and harvest credentials.

Key tactics include:
- Exploiting writable directories (e.g., Temp folders) for staging and exfiltration.
- Leveraging obfuscation techniques such as AutoIt scripts and compressed (archived) malware payloads to evade antivirus detection.
- Hiding malicious executables within less-monitored directories like Windows Fonts or injecting code via legitimate system binaries (e.g., Mavinject32.exe).
- Employing Living-off-the-Land (LotL) techniques, wherein pre-installed system utilities like MSBuild.exe execute malicious scripts camouflaged as legitimate activity.
- Establishing persistence through registry modifications, scheduled tasks, or startup folder implants, ensuring malware survivability across reboots.
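The tactics above map directly onto process-creation telemetry a SOC already collects. The following is an added example, not code from ReliaQuest or from the original report: a small rule set, run over constructed Sysmon-style process events (Image, ParentImage, CommandLine), that flags execution from writable staging directories (Temp, Fonts), AutoIt script interpretation, MSBuild.exe used as a LotL launcher, mavinject.exe code injection, and Run-key or scheduled-task persistence. The events, directory list and rule names are assumptions for illustration, and the benign git and Visual Studio builds are included to show the rules not firing.

```python
"""Flag infostealer-style host activity in process-creation events.

Added example; not the report's own tooling. The events below are
constructed to resemble Sysmon Event ID 1 records, not real logs.
"""
import re
from pathlib import PureWindowsPath

# Constructed telemetry: one infection chain plus two benign events.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\7zS4F3A.tmp\setup.exe",       # archived payload unpacked to Temp
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe",
     "CommandLine": "setup.exe /S"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",                  # AutoIt interpreter + compiled script
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\7zS4F3A.tmp\setup.exe",
     "CommandLine": r"AutoIt3.exe C:\Users\alice\AppData\Local\Temp\script.a3x"},
    {"Image": r"C:\Windows\Fonts\svchost.exe",                                    # lookalike binary hidden in Fonts
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "svchost.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",    # LotL: MSBuild building a Temp project
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"},
    {"Image": r"C:\Windows\System32\mavinject.exe",                              # injection via signed system binary
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\a.exe",
     "CommandLine": r"mavinject.exe 4412 /INJECTRUNNING C:\Users\alice\AppData\Local\Temp\p.dll"},
    {"Image": r"C:\Windows\System32\reg.exe",                                    # Run-key persistence
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\a.exe",
     "CommandLine": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\alice\AppData\Local\Temp\a.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",                               # scheduled-task persistence
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\a.exe",
     "CommandLine": r"schtasks.exe /Create /SC ONLOGON /TN Updater /TR C:\Users\alice\AppData\Roaming\a.exe"},
    {"Image": r"C:\Program Files\Git\cmd\git.exe",                               # benign
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "git.exe pull"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",    # benign developer build
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj"},
]

# Writable / rarely monitored directories used for staging (assumed list; tune per estate).
STAGING_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp|Windows\\Fonts)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)
AUTOIT_SCRIPT = re.compile(r"\.(a3x|au3)\b", re.I)
# Parents that should not normally be driving MSBuild.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "explorer.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (event_index, rule_name) pairs for every rule that fires."""
    findings = []
    for idx, ev in enumerate(events):
        img, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
        name, pname, lcmd = basename(img), basename(parent), cmd.lower()
        if STAGING_DIR.search(img):
            findings.append((idx, "exec_from_staging_dir"))
        if STAGING_DIR.search(parent):
            findings.append((idx, "spawned_by_staging_dir_process"))
        if name in ("autoit3.exe", "autoit3_x64.exe") and AUTOIT_SCRIPT.search(cmd):
            findings.append((idx, "autoit_script_execution"))
        # MSBuild is only suspicious when the project lives in a staging dir or a shell launched it.
        if name == "msbuild.exe" and (STAGING_DIR.search(cmd) or pname in SCRIPT_HOSTS):
            findings.append((idx, "msbuild_lolbin_execution"))
        if name in ("mavinject.exe", "mavinject32.exe") and "/injectrunning" in lcmd:
            findings.append((idx, "mavinject_code_injection"))
        if name == "reg.exe" and " add " in lcmd and RUN_KEY.search(cmd):
            findings.append((idx, "persistence_run_key"))
        if name == "schtasks.exe" and "/create" in lcmd:
            findings.append((idx, "persistence_scheduled_task"))
    return findings


def group_by_event(findings):
    """Collapse findings into {event_index: [rule, ...]} for triage."""
    grouped = {}
    for idx, rule in findings:
        grouped.setdefault(idx, []).append(rule)
    return grouped


if __name__ == "__main__":
    for idx, rules in group_by_event(detect(SAMPLE_EVENTS)).items():
        print(idx, basename(SAMPLE_EVENTS[idx]["Image"]), rules)
```

The value of the grouping step is correlation: a single Temp execution is noisy on its own, but a process from Temp that goes on to spawn mavinject.exe, reg.exe against the Run key, and schtasks.exe within a few minutes is the chain described above and should be escalated as one incident rather than four alerts.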
A recent containment effort in January 2025, led by ReliaQuest in response to a Lumma malware incident, demonstrated the importance of timely detection and orchestration of automated response workflows.
The organization’s rapid isolation and credential rotation measures prevented exfiltration, highlighting the criticality of layered defense.
Market Dynamics
Despite Russian Market’s reputation, the quality and uniqueness of its credential offerings remain in question.
Analysis of over 300 infostealer logs indicated significant recycling of credentials across platforms, including cross-posting to Telegram channels and reselling of previously acquired logs.
The presence of inflated and often fake credential listings, such as generic or placeholder email accounts, further complicates trust, particularly because buyers can see only the domain name prior to purchase.
The lack of any transparent seller rating or review system allows dishonest vendors to repeatedly target a revolving door of new cybercriminal buyers, eroding accountability.
Given the efficiency and resilience of infostealer-driven attacks, experts urgently recommend proactive, layered defense strategies. Organizations are advised to:
- Enforce policy restrictions on browser-based credential storage.
- Minimize session persistence and require more frequent multi-factor reauthentication.
- Employ monitoring solutions for early detection of credential abuse, emphasizing anomalous login patterns and device fingerprints.
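Infostealer logs carry session cookies as well as passwords, so a buyer can often skip the login entirely and replay a stolen session. The following is an added example, not code from ReliaQuest or the original report, showing how the last two recommendations can be enforced together over constructed authentication events: a session that is used from a device fingerprint other than the one it was issued to is revoked, a login from a fingerprint the user has never used is stepped up to MFA, and a session older than a configurable maximum is forced to re-authenticate. The event schema, fingerprint values, known-device baseline and eight-hour limit are assumptions for illustration; in practice the fingerprint would come from the identity provider or WAF.

```python
"""Detect credential and session abuse in authentication events.

Added example; not the report's own tooling. Events and the known-device
baseline are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed events. "fp" is an opaque device fingerprint assumed to be
# supplied by the IdP (e.g. a hash of user agent and TLS characteristics).
AUTH_EVENTS = [
    {"ts": "2025-01-14T08:02:11Z", "user": "alice", "event": "login",   "session": "s-1001", "ip": "203.0.113.10",  "fp": "fp-corp-laptop",   "mfa": True},
    {"ts": "2025-01-14T08:05:40Z", "user": "alice", "event": "request", "session": "s-1001", "ip": "203.0.113.10",  "fp": "fp-corp-laptop"},
    {"ts": "2025-01-14T09:31:02Z", "user": "alice", "event": "request", "session": "s-1001", "ip": "198.51.100.77", "fp": "fp-unknown-win"},    # stolen cookie replayed
    {"ts": "2025-01-14T10:12:55Z", "user": "bob",   "event": "login",   "session": "s-2001", "ip": "203.0.113.11",  "fp": "fp-bob-desktop",   "mfa": True},
    {"ts": "2025-01-14T18:30:00Z", "user": "alice", "event": "request", "session": "s-1001", "ip": "203.0.113.10",  "fp": "fp-corp-laptop"},   # legitimate but stale
    {"ts": "2025-01-14T22:47:19Z", "user": "bob",   "event": "login",   "session": "s-2002", "ip": "198.51.100.80", "fp": "fp-unknown-linux", "mfa": False},  # password-only login, new device
    {"ts": "2025-01-15T08:00:05Z", "user": "alice", "event": "login",   "session": "s-1002", "ip": "203.0.113.10",  "fp": "fp-corp-laptop",   "mfa": True},
]

# Constructed baseline of fingerprints each user has previously authenticated from.
KNOWN_DEVICES = {"alice": {"fp-corp-laptop"}, "bob": {"fp-bob-desktop"}}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyze(events, known_devices, max_session_age=timedelta(hours=8)):
    """Return (rule, user, session, detail) tuples in event order."""
    issued = {}   # session -> (user, fingerprint, login time) recorded at login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        if ev["event"] == "login":
            issued[ev["session"]] = (ev["user"], ev["fp"], ts)
            if ev["fp"] not in known_devices.get(ev["user"], set()):
                # A new device with a password-only login is the classic replayed-credential pattern.
                severity = "high" if not ev.get("mfa") else "medium"
                alerts.append(("new_device_login", ev["user"], ev["session"], severity))
            continue
        info = issued.get(ev["session"])
        if info is None:
            alerts.append(("unknown_session", ev["user"], ev["session"], "no login seen"))
            continue
        user, issued_fp, issued_at = info
        if ev["fp"] != issued_fp:
            # Same cookie, different device: the session token is being replayed.
            alerts.append(("session_fingerprint_mismatch", user, ev["session"], f"{issued_fp}->{ev['fp']}"))
        if ts - issued_at > max_session_age:
            alerts.append(("session_age_exceeded", user, ev["session"], str(ts - issued_at)))
    return alerts


# Response per rule; a stronger action on the same session wins.
ACTION = {"session_fingerprint_mismatch": "revoke", "unknown_session": "revoke",
          "new_device_login": "step_up_mfa", "session_age_exceeded": "reauthenticate"}
PRIORITY = {"revoke": 3, "step_up_mfa": 2, "reauthenticate": 1}


def respond(alerts):
    """Map each affected session to the single strongest action it earned."""
    actions = {}
    for rule, _user, session, _detail in alerts:
        action = ACTION[rule]
        if PRIORITY[action] > PRIORITY.get(actions.get(session), 0):
            actions[session] = action
    return actions


if __name__ == "__main__":
    found = analyze(AUTH_EVENTS, KNOWN_DEVICES)
    for alert in found:
        print(alert)
    print(respond(found))
```

Revoking the session on a fingerprint mismatch, rather than only alerting, is what turns the monitoring into the "detection at the point of compromise" the report calls for: the stolen cookie becomes worthless within one request of being replayed, and the user is pushed back through MFA on a fresh session.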
Addressing infostealer infections at the point of initial compromise, rather than post-abuse, is critical for reducing downstream risk and minimizing the operational impact of widespread credential theft fueled by the Russian cybercriminal marketplace.