
Russian Market remains key player in cyber credential theft
ReliaQuest has published a report examining Russian Market, a platform involved in the distribution of stolen digital credentials.
The report outlines the significant role that Russian Market continues to play in the cybercriminal ecosystem, particularly in relation to the circulation and sale of credentials stolen through malware-based information-stealing attacks. In 2024, the company's GreyMatter Digital Risk Protection system raised over 136,000 alerts for customer domains that were listed on Russian Market.
According to ReliaQuest, the enduring popularity of Russian Market within criminal circles is primarily due to its straightforward operation, ease of use, and longstanding presence. The report states, "Russian Market's popularity stems from its simplicity, convenience, and longevity—and with infostealer logs priced as low as $2, it remains a favourite among cybercriminals. However, 85% of the logs we analysed also appeared in other sources, indicating that Russian Market's content is largely recycled. Despite this lack of exclusivity, its popularity continues to thrive."
The analysis highlights a trend in the tools used for credential theft, noting that the infostealer known as Lumma (also referred to as LummaC2) dominated Russian Market log alerts. The report says, "'Lumma' (aka LummaC2) emerged as the dominant infostealer, accounting for nearly 92% of Russian Market credential log alerts in Q4 2024. Our analysis shows that cybercriminals favour advanced, commercial infostealer tools, which likely drove Lumma's success. In addition, its use of fake CAPTCHA pages for distribution likely further propelled its meteoric rise. But, since Lumma's takedown in May 2025, 'Acreed' is the likely next big infostealer threat, surpassing many other established stealers in Q1 2025."
The report further explains the techniques used by attackers to evade detection. It states, "Infostealers frequently exploit writable directories like Temp, obfuscate filenames, and use living-off-the-land (LotL) techniques to execute payloads, making detection more difficult for defenders. These tactics allow attackers to prolong their presence in compromised systems and steal more sensitive data. Common persistence techniques include registry edits, scheduled tasks, startup folder implants, or abusing legitimate system processes to disguise malicious activity."
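The behaviours the report lists can be turned into simple triage logic for endpoint telemetry. The following is an added example, not code from ReliaQuest or its report: it tags execution from Temp directories, LotL binaries launching Temp payloads, and the persistence methods named above, then escalates hosts that show both execution and persistence. The event schema, host names and sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns for the behaviours named in the report (event schema is an assumption).
TEMP = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
LOTL = re.compile(r"\\(mshta|rundll32|regsvr32|wscript|cscript|powershell)\.exe$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

def classify(ev):
    """Return the set of behaviour tags one event matches."""
    tags = set()
    if ev["type"] == "process":
        if TEMP.search(ev["image"]):
            tags.add("exec_from_temp")
        if LOTL.search(ev["image"]) and TEMP.search(ev["cmd"]):
            tags.add("lotl_runs_temp_payload")
        if ev["image"].lower().endswith("\\schtasks.exe") and "/create" in ev["cmd"].lower():
            tags.add("persist_scheduled_task")
    elif ev["type"] == "registry" and RUN_KEY.search(ev["target"]):
        tags.add("persist_run_key")
    elif ev["type"] == "file" and STARTUP.search(ev["target"]):
        tags.add("persist_startup_folder")
    return tags

def triage(events):
    """Group tags per host; escalate hosts showing execution plus persistence."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {h: {"tags": sorted(t),
                "escalate": any(x.startswith("persist_") for x in t)
                            and bool(t & {"exec_from_temp", "lotl_runs_temp_payload"})}
            for h, t in per_host.items() if t}

# Constructed sample events, not taken from the report or any real host.
SAMPLE = [
    {"host": "ws-01", "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\a\AppData\Local\Temp\q7x.dll,Start"},
    {"host": "ws-01", "type": "registry",
     "target": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws-02", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks.exe /create /tn Backup /tr C:\Tools\backup.exe /sc daily"},
    {"host": "ws-03", "type": "process", "image": r"C:\Program Files\App\app.exe", "cmd": "app.exe"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, result)
```

A scheduled task on its own (ws-02) is tagged but not escalated, since legitimate software creates tasks routinely; the correlation with Temp execution is what raises priority.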
Increasing adoption of cloud services by businesses has also broadened the attack surface for cybercriminals. According to the report, "As more and more businesses adopt cloud services, cybercriminals are drawn to the vast amounts of sensitive data these platforms host. Credentials tied to cloud accounts, particularly software-as-a-service (SaaS) and single sign-on (SSO) credentials, have become key targets. In our analysis, SaaS credentials appeared in 61% of logs, and SSO credentials were present in 77%. Compromised cloud accounts afford attackers access to critical systems and present the perfect opportunity to steal sensitive data."
The analysis suggests that password managers will become a primary target for attackers in the future. The report observes, "Password managers are expected to become a key focus for attackers in the medium term. The complexity of modern passwords has made password managers indispensable for managing vast credential inventories, turning them into highly lucrative targets."
There is also an increased risk for organisations allowing staff to use personal mobile devices for work purposes. On this trend, the report states, "Meanwhile, attackers will highly likely intensify their focus on mobile devices for credential theft. As companies increasingly allow employees to use personal mobile devices to access work systems, attackers will exploit the dual-use nature of these devices to identify and exploit security gaps."
The report notes that Russian Market gained particularly widespread usage by 2022 and maintained its relevance even as competitors such as Genesis Market and Exodus Market either disappeared or failed to achieve similar prominence. Its continued activity, despite relying on largely recycled data, underlines the persistent challenges faced by businesses attempting to protect digital credentials against industrialised credential theft and resale.