
Your passwords, logged by infostealers, are being traded on a thriving Russian underground marketplace, sometimes for as little as $2.
Stolen passwords are fueling the underground economy. Cybercriminals upload infostealer logs – consisting of stolen login credentials, browser fingerprints, and session cookies – on the dark web and then sell them to the highest bidder.
One of the most prominent names in the game is the Russian Market. The dark website has been operating at a staggering scale since early 2019. As of early 2023, the Russian Market was sitting on an estimated five million infostealer logs, each containing tens or hundreds of individual credentials.
Prices on the site can dip as low as $2 per set of stolen credentials, making access to corporate networks disturbingly easy.
Between January and December 2024, ReliaQuest’s researchers spotted over 136,000 instances of stolen login credentials being uploaded to the Russian Market. According to the report, the number of instances had already reached 50,000 in May this year, showing that this type of cyber threat is booming.

How did the Russian Market become a powerhouse of credential theft?
The Russian Market has quietly become a powerhouse in the underground economy of stolen credentials. After gaining traction through relentless promotion on cybercriminal forums, the platform went mainstream, at least in hacker circles, by 2022.
Since then, it has outlived some of its competitors. Another well-known marketplace, Genesis Market, was taken down in 2023, while Exodus Market never quite caught up.
ReliaQuest researchers say that what makes the Russian Market so resilient is its simplicity and accessibility, as it provides buyers with a one-click shopping experience.
To sign up, users only need to provide an email and password. That’s quite a different approach from other hacker marketplaces, which often require invites and are hard to get into for newbies.

The Russian Market’s modus operandi
According to ReliaQuest, the Russian Market's business model is simple: sell access to stolen login details at scale and let threat actors do the rest. Buyers don’t need to run malware campaigns or build botnets – they just browse, filter, and buy.
The platform lets users sort stolen credential logs by country, city, internet service provider, malware type, and even specific domains. Internal domains are a frequent target, offering attackers a direct path into organizational networks.
That level of precision is rare in the criminal underworld, where stolen data is usually dumped chaotically. This has given the site a clear advantage.
Once a purchase is made, buyers receive a zip file that reflects the output of whichever infostealer malware captured the data. These files are methodically organized, typically into the following folders:
- All Passwords: The main draw: a full list of credentials recovered from the infected machine, often including browser logins, saved session data, and application passwords.
- Brute: A set of credentials likely curated for brute-force attacks, allowing attackers to attempt unauthorized access across platforms.
- Processes: A snapshot of all software running at the time of infection, offering clues about what the machine was being used for.
- Software: A catalog of installed programs that can help attackers tailor follow-up exploits or identify high-value targets.
- System: Technical details such as the machine’s name, antivirus status, GPU model, and the malware version used, all of which are useful for profiling the victim or avoiding detection.
While the "All Passwords" folder is the obvious prize, the rest of the package adds significant tactical value. Knowing what software a target uses, or what security defenses they have in place, can shape everything from phishing strategies to lateral movement within a network.
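For a defender handed one of these archives, for example by a threat-intelligence provider, the first job is working out which of the organization's accounts need a reset. The sketch below is an added example, not code from ReliaQuest or the original article. It assumes a `URL:`/`Username:`/`Password:` text layout under "All Passwords"; the function names and every host and account in the sample are constructed.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Assumed record layout inside "All Passwords": URL:/Username:/Password: lines.
FIELD = re.compile(r"^(URL|Username|Password):\s*(.*)$", re.I)

def _flush(record, org, hits):
    url, user = record.get("url"), record.get("username")
    if not (url and user):
        return
    try:
        host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    except ValueError:  # malformed URL in the log
        return
    if any(host == d or host.endswith("." + d) for d in org):  # domain or true subdomain
        hits.add((host, user))

def exposed_accounts(zip_bytes, org_domains):
    """Return sorted (host, username) pairs to reset; passwords are never kept."""
    org = tuple(d.lower().strip(".") for d in org_domains)
    hits = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("All Passwords") or name.endswith("/"):
                continue
            record = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                m = FIELD.match(line.strip())
                key = m.group(1).lower() if m else None
                if key and not (key == "url" and record):
                    if key != "password":
                        record[key] = m.group(2).strip()
                    continue
                _flush(record, org, hits)  # separator or next URL ends the record
                record = {"url": m.group(2).strip()} if m else {}
            _flush(record, org, hits)
    return sorted(hits)

def build_sample_log():
    """Constructed sample archive; every host and account here is made up."""
    creds = ("URL: https://sso.example.com/login\nUsername: j.doe\nPassword: x\n\n"
             "URL: https://example.com.evil.test/\nUsername: j.doe\nPassword: x\n"
             "URL: notexample.com/app\nUsername: bob\nPassword: x\n"
             "URL: crm.example.com:8443/\nUsername: j.doe@example.com\nPassword: x\n")
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("All Passwords/passwords.txt", creds)
        zf.writestr("Brute/list.txt", "URL: https://vpn.example.com\nUsername: a\n")
    return buf.getvalue()
```

Matching on the parsed hostname with a dot boundary keeps look-alike hosts such as `example.com.evil.test` and `notexample.com` out of the reset list, which a plain substring search would not.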
Source of stolen credentials: infostealers
Behind nearly every credential log sold on the Russian Market is an infostealer malware. ReliaQuest’s analysis of more than 1.6 million Russian Market posts dating back to 2022 shows that the tools of the trade change fast, with different malware taking the lead.
Law enforcement crackdowns routinely disrupt even the most dominant malware operations, clearing the way for new players to emerge and capitalize on the vacuum.
Raccoon Stealer, once one of the most widely used infostealers on the dark web, took a major hit in March 2022 when its operator was arrested and its infrastructure dismantled by law enforcement.

A revamped version briefly returned in August 2023, but the damage had been done. According to the report, alert volumes dropped steadily, suggesting that threat actors had already moved on.
In contrast, Lumma Stealer surged into relevance by the latter half of 2024.
Threat actors began spreading it through fake CAPTCHA pages, a clever method that tricked users into infecting their own devices while thinking they were passing a standard verification check.
That tactic, combined with a slick commercial rollout and support model, helped Lumma become the infostealer of choice across key underground forums.
SaaS and SSO credentials are among the most wanted
The Russian Market ecosystem sells stolen data indiscriminately, affecting various industries worldwide. If your organization has an internet-facing system, you might become a victim.
ReliaQuest’s threat telemetry shows that no sector was spared in 2024. However, the professional, scientific, and technical services (PSTS) and information industries absorbed the brunt of the impact, accounting for 60% of all digital risk alerts tied to credential theft.
Credentials tied to SaaS and single sign-on (SSO) accounts are now some of the most sought-after commodities on the Russian Market. Two-thirds of the logs analyzed on the Russian Market contained at least one SaaS or SSO credential.
One compromised SSO credential can unlock dozens of connected systems, from internal dashboards to CRM platforms. And while most SSO platforms require multi-factor authentication (MFA), threat actors have evolved to match.
In 2024, every successful business email compromise (BEC) incident ReliaQuest tracked involved session hijacking techniques that bypassed MFA, often through adversary-in-the-middle (AiTM) phishing attacks.
The next big threat
All signs point to Acreed as the next heavyweight in credential theft. According to ReliaQuest’s analysis of Russian Market logs, this newcomer surged past every other infostealer in Q1 2025, second only to Lumma.
With Lumma recently being taken down by law enforcement in mid-May, Acreed suddenly finds itself in pole position, poised to inherit a massive share of the underground market.
While Acreed’s exact playbook is still a mystery, it’s safe to assume that it's following the well-worn paths of its predecessors.