New password-stealing malware rises after police shut down Lumma

Published 3 Jun 2025

A powerful new malware called Acreed has rapidly claimed dominance in the stolen password marketplace after law enforcement dismantled its predecessor in May, cybersecurity researchers warn.

The emergence follows a global police operation that seized over 2,300 domains linked to Lumma Stealer, which had controlled 92% of credential theft logs sold on the Russian Market, the dark web’s leading platform for stolen passwords. Within days of Lumma’s takedown, Acreed uploaded more than 4,000 stolen credential packages to the same marketplace.

“Acreed is the likely next big infostealer threat, surpassing many other established stealers in Q1 2025,” ReliaQuest researchers stated in their latest report examining Russian Market operations.

The swift transition exposes how quickly cybercriminal ecosystems adapt to law enforcement pressure. The Russian Market continues operating as usual, selling stolen login credentials for as little as $2 per package. Each package can contain hundreds or thousands of passwords, cookies, and financial data harvested from infected computers.

ReliaQuest’s analysis of 1.6 million marketplace posts reveals the cyclical nature of these threats. Raccoon Stealer previously dominated before law enforcement action cleared the way for Lumma’s rise in 2024.

The stolen credentials fuel a thriving underground economy targeting businesses worldwide. Corporate cloud accounts have become prime targets, with 61% of stolen logs containing software-as-a-service credentials from platforms like Google Workspace and Zoom. Single sign-on credentials appeared in 77% of analyzed logs.

“Russian Market’s popularity stems from its simplicity, convenience, and longevity—and with infostealer logs priced as low as USD 2, it remains a favourite among cybercriminals,” the ReliaQuest report noted.

Professional and technical service companies face the biggest risk. They made up 30% of all credential theft alerts in 2024. The information sector ranked second at 28% of incidents.

Acreed operates like a typical infostealer, targeting Chrome and Firefox browsers to steal saved passwords, credit card details, and cryptocurrency wallet information. Criminals spread the malware through fake emails, bogus software tutorials on YouTube and TikTok, and harmful ads.

The malware’s rapid success demonstrates how established distribution networks and marketplace infrastructure enable quick scaling. The Russian Market has operated since 2019, outlasting competitors like Genesis Market, which authorities shut down in 2023.

ReliaQuest tracked over 136,000 credential theft alerts linked to the Russian Market throughout 2024. By May 2025, alerts had already reached 50,000, indicating accelerating threat activity.

Security experts recommend that organizations monitor dark web marketplaces for leaked credentials tied to their domains. Enhanced authentication mechanisms and employee training on phishing recognition can help reduce successful infections.

The cycle will likely continue as criminals develop new tools to replace those disrupted by police. Despite repeated takedowns, the fundamental marketplace infrastructure enabling these crimes remains largely intact.