The cybercrime landscape has entered a new era, one where a $2 stolen password can trigger a multimillion-dollar breach.
According to ReliaQuest’s latest report, The Infostealer Pipeline: How Russian Market Fuels Credential-Based Attacks, the underground economy of stolen credentials is thriving, industrialized, and alarmingly easy to access. For organizations today, this isn’t just a threat—it’s a crisis of compromise.
A $2 Price Tag on Your Network?
At the heart of this ecosystem sits Russian Market, a dark web Automated Vending Cart (AVC) where threat actors can buy infostealer logs for less than the cost of a coffee. These logs contain sensitive data, credentials, cookies, credit card details, even crypto wallet info—extracted by information-stealing malware. And business is booming.
In 2024 alone, ReliaQuest’s GreyMatter Digital Risk Protection (DRP) service raised over 136,000 alerts related to stolen credentials listed on Russian market. Fast forward to May 2025, and another 50,000 alerts have already been issued. This is proof that this isn’t a temporary surge but a sustained, industrialized trend.
No sector is safe. From tech to telecom, every industry has been caught in the crosshairs. But some are hit harder than others.
PSTS and Information Sectors
ReliaQuest’s data shows that the professional, scientific, and technical services (PSTS) sector, along with the information industry, bore the brunt of credential exposure, accounting for 60% of all alerts in the reporting period. Why? Two reasons stand out:
- Digital Dependence: These fields rely heavily on web-based research and online collaboration, which increases the chance of encountering drive-by downloads or malicious ads.
- Complex Supply Chains: Employees receive emails from a wide range of senders, including unfamiliar sources, making spearphishing lures harder to detect.
This makes them fertile ground for infostealer infections, and ripe targets for threat actors seeking low-effort, high-reward access points.
Lumma’s Reign and What Comes Next
While numerous infostealer malware families exist, Lumma (also known as LummaC2) dominated the Russian Market scene in late 2024, responsible for a whopping 92% of credential log alerts in Q4. Lumma’s success was due to its technical capabilities and deceptive tactics like fake CAPTCHA pages to infect systems.
However, Lumma was taken down in May 2025, creating a power vacuum. Enter Acreed, a rising contender that’s already outpacing other established malware in Q1 2025. The game of malware king-of-the-hill continues, but the rules stay the same: infect, extract, and sell.
The Attacker’s Playbook: Obfuscation and Persistence
Infostealers are stealthy, persistent, and built for evasion. ReliaQuest’s report shows how they hide in writable directories like Temp, use obfuscated filenames, and “living-off-the-land” tactics to abuse legitimate system processes and fly under the radar.
To maintain access, malefactors use popular persistence tactics such as registry edits, scheduled tasks, or planting files in startup folders. These prolong dwell time, increasing the amount of sensitive data they can harvest, and giving buyers more value for their $2 investment.
The New Crown Jewels
Cybercrooks are like pickpockets, they go where the crowds are. So as entities migrate workloads to the cloud, they follow. Credentials for cloud services, SaaS apps, and SSO systems have become prime real estate on dark marketplaces. According to the report:
- 61% of logs included SaaS credentials
- 77% included SSO credentials
Why does this matter? Because a compromised SSO login isn’t only a foot in the door, it’s a skeleton key to a firm’s entire digital environment.
Russian Market: Recycled But Relentless
Despite its scale, a whopping 85% of Russian Market logs also appear on other platforms, proving that its value isn’t in its exclusivity but its ease of use and reliability. Its longevity, ultra-low pricing, and seamless buying experience make it an irresistible option for practiced threat actors and cybercrime newbies alike.
Action Is Critical
Credential theft has become a business model supported by platforms like Russian Market and driven by malware-as-a-service. As the lines between amateur and advanced attackers blur, it’s no longer enough to “raise awareness.” Busineses need to act.
That means they must prioritize identity and threat detection, harden cloud authentication mechanisms, and train employees in phishing resistance. They should also monitor the dark web for leaked credentials tied to their domain
The pipeline is bursting, and the prices are affordable. On the flip side, the cost of compromise remains sky-high.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.