Buying access to a bank account for just two dollars no longer sounds like something out of a hacker movie... it's something that's happening right now. What used to be the domain of highly specialized cybercriminals now looks more like an online store where anyone with malicious intent and a little crypto can go shopping. This is how Russian Market works, a hidden marketplace that has become one of the favorite places to obtain stolen credentials using malware designed to steal information.
Although it has been in operation for several years, its fame skyrocketed recently after the collapse of other similar marketplaces. This opened the door to an avalanche of new users looking for easy and cheap access. And yes, many of the credentials being sold were leaked long ago, but that hasn't stopped this platform from growing like wildfire. The reason? Its huge catalog and absurdly low prices: you can buy full access to digital accounts for the price of a cup of coffee.
We're not talking about something distant or rare. Every day, thousands of email accounts, social media accounts, banking platforms, and even business systems end up listed there.
When infostealer malware infects a computer, what it basically does is rummage through the entire system and steal whatever it finds: saved passwords, session cookies, card details, cryptocurrency wallets, and even system profile information. All of this information is stored in what is known as an infostealer log (usually one or more text files containing everything that has been stolen).
And we're not talking about a couple of passwords. Each log can contain dozens, hundreds, or even thousands of credentials. If we add up all those logs from different victims, the total volume of stolen credentials easily skyrockets to hundreds of millions. Once the malware has done its job, it uploads those files to the attacker's server, where they can be used for other attacks... or sold on markets such as Russian Market.
This type of malware has become incredibly popular among cybercriminals, especially since they now target not only ordinary users but also companies directly. The goal? To steal session cookies and corporate credentials, many of which are linked to critical work tools.
In fact, it has been found that on Russian Market, 61% of available records contained credentials for platforms such as Google Workspace, Zoom, or Salesforce. And 77% included access to single sign-on (SSO) systems, which can give attackers the key to many services with a single account.
When a cloud account is compromised, attackers not only enter the system: they can move freely, access sensitive information, and, in many cases, go completely unnoticed. It is an open door to all kinds of more serious attacks.
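For a defender who obtains a log touching their organisation, the first job is to find the corporate and SSO entries described above. The following triage sketch is an added example, not code from the original article or from ReliaQuest; the `URL/Username/Password` record layout, the sample log, the watchlists and the `example-corp.test` domain are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample. The "URL/Username/Password" block layout is an assumption.
SAMPLE_LOG = """\
URL: https://accounts.google.com/signin
Username: j.doe@example-corp.test
Password: constructed-1

URL: https://sso.example-corp.test/login
Username: j.doe@example-corp.test
Password: constructed-2

URL: https://zoom.us/signin
Username: jdoe77@mail.example
Password: constructed-3

URL: https://forum.example.net/login
Username: jdoe77
Password: constructed-4
"""
# Hypothetical watchlists; replace with your own identity provider and SaaS hosts.
SSO_HOSTS = ("sso.example-corp.test",)
SAAS_HOSTS = ("accounts.google.com", "zoom.us", "salesforce.com")
CORP_DOMAIN = "example-corp.test"

def _matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def parse_log(text):
    """Yield (host, username) per record; passwords are never retained."""
    for block in re.split(r"\n\s*\n", text.strip()):
        parts = (line.partition(":") for line in block.splitlines())
        fields = {k.strip().lower(): v.strip() for k, _, v in parts if v}
        host = (urlsplit(fields.get("url", "")).hostname or "").lower()
        if host and "username" in fields:
            yield host, fields["username"].lower()

def triage(text):
    """Return tagged findings, SSO exposure first (widest blast radius)."""
    findings = []
    for host, user in parse_log(text):
        tags = [tag for tag, hit in (
            ("sso", _matches(host, SSO_HOSTS)),
            ("saas", _matches(host, SAAS_HOSTS)),
            ("corp-identity", user.endswith("@" + CORP_DOMAIN)),
        ) if hit]
        if tags:
            findings.append({"host": host, "user": user, "tags": tags})
    return sorted(findings, key=lambda f: "sso" not in f["tags"])
```

Each finding maps to a password reset plus session revocation for that account, since the same log may also carry stolen session cookies.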
During an analysis of more than 1.6 million posts on Russian Market, an interesting change was detected in the world of information-stealing malware: as one falls, another begins to rise rapidly.
Until recently, Lumma was the king of the market. In fact, it was behind 92% of all credential records sold there. Its dominance began right after Raccoon Stealer disappeared following an intervention by the authorities. But it seems that Lumma's time is coming to an end, because it was also recently hit by a global police operation that managed to confiscate more than 2,300 domains linked to its infrastructure.
Figure: Share of infostealer records on Russian Market (Source: ReliaQuest)
It’s still unclear whether this marks the end of Lumma, but reports indicate that its developers are trying to get back in the game. In the meantime, a new player is making waves: Acreed.
This new infostealer has quickly gained notoriety, and for good reason: in just its first week, over 4,000 stolen records attributed to it were uploaded, according to data from Webz. That’s a strong start.
As for what it steals, Acreed follows the same pattern as other malware of its kind: it targets passwords, cookies, credit card data, and crypto wallets, especially those stored in browsers like Chrome and Firefox (and their variants).
And how does it infect? Through classic but effective methods: phishing emails, fake ads for "premium" software, ClickFix-style campaigns, and even YouTube or TikTok videos with malicious links. That’s why it's best to stay alert, avoid downloading software from questionable sources, and follow best practices to stay off the radar of this type of threat.