The Russian Market, a well-known cybercrime marketplace, has become one of the top platforms for buying and selling stolen online credentials, according to recent cybersecurity findings. This underground market has been active for about six years and has grown steadily in popularity, especially after the closure of other similar marketplaces.
Following the takedown of Genesis Market, a large gap was created in the cybercrime ecosystem. This gap was quickly filled by the Russian Market, which attracted many cybercriminals with its wide selection of stolen data and low prices. Around 85 per cent of the credentials sold on this platform are recycled from previous breaches, but its extensive offerings continue to draw a large audience.
The stolen credentials come from files called infostealer logs, which are generated by malware that infects victims’ devices. These logs contain sensitive information such as passwords, credit card numbers, session cookies, cryptocurrency wallet details, and system information. Each log may hold thousands of stolen credentials, and once collected, they are uploaded to servers where criminals can use them or sell them on platforms like the Russian Market for as little as two dollars.
The scale of stolen data is enormous, with hundreds of millions of credentials likely compromised. Many of these attacks target businesses. Approximately 61 per cent of logs sold include credentials for cloud services such as Google Workspace, Zoom, and Salesforce. Furthermore, 77 per cent of logs contain Single Sign-On (SSO) credentials, which can give attackers access to multiple company systems.
Cybersecurity experts have noticed changes in the malware responsible for stealing credentials on the Russian Market.
For a long time, the majority of stolen data came from a tool called Lumma Stealer, accounting for 92 per cent of all logs sold. However, a recent international law enforcement action disrupted Lumma’s operations by seizing over 2,300 domains. While Lumma’s developers are reportedly trying to restart their activities, a new malware called Acreed has quickly gained popularity, with over 4,000 logs uploaded in its first week.
Acreed operates similarly to previous infostealers by stealing data from browsers like Chrome and Firefox, including passwords, cookies, and financial information.
Infostealers are usually spread through phishing emails, malicious advertisements for software, and misleading videos on YouTube and TikTok. Security experts recommend caution when downloading software and treating unexpected links and messages with suspicion.
As the Russian Market remains a key player in the sale of stolen credentials, both businesses and individuals are urged to strengthen their cybersecurity measures and remain alert to potential cyber threats.
