
Acreed is rapidly emerging as the new go-to infostealer among cybercriminals following the takedown of Lumma in May 2025, according to a report by ReliaQuest.
Lumma had dominated the Russian Market with over 92% of credential log alerts by the end of 2024. Its success was attributed to commercial-grade features and distribution through fake CAPTCHA pages.
But with Lumma now out of the picture, Acreed has risen fast—surpassing legacy infostealers and becoming the second most detected in Q1 2025. Security analysts warn that if Acreed scales further, businesses may face overlapping or repeated compromise events.
The malware’s tactics are not fully mapped yet, but researchers expect it to use common evasion techniques such as obfuscated files, registry edits, and abuse of legitimate Windows tools to remain undetected.
Russian Market remains the center of the stolen credential trade
While Acreed gains ground, Russian Market continues to reign as the top platform for credential theft. The marketplace, known for its low-cost infostealer logs, is at the center of the credential theft economy.
In 2024 alone, ReliaQuest issued over 136,000 alerts tied to domains listed on the platform. By May 2025, the count for the year had already exceeded 50,000, signaling ongoing and widespread exposure.
Despite repeated complaints from criminal users about recycled logs and fake entries, Russian Market’s simplicity and scale keep it attractive.
Logs are sold for as little as $2, and buyers can filter them by malware, domain, ISP, or location. This precision makes it easy for low-skilled attackers to exploit stolen credentials without launching their own malware campaigns.
A major concern is the growing number of cloud and enterprise credentials appearing on Russian Market. The report revealed that 77% of the logs included SSO credentials, while 61% contained SaaS logins.
These accounts often grant access to critical systems and data, making them high-value targets for lateral movement and secondary attacks.
The ReliaQuest report highlights that the professional, scientific, and technical services sector remains the most affected, accounting for 60% of all exposure alerts. High digital engagement and complex supply chains make organizations in this sector especially vulnerable to spearphishing and drive-by download campaigns that deliver infostealers like Acreed.
The decline of Lumma has not slowed the overall pace of credential theft. Instead, it has cleared the path for Acreed to potentially become the next major threat. With Russian Market still serving as the primary exchange for stolen credentials, the ecosystem remains highly active—and increasingly dangerous for businesses across all sectors.