Introduction

Acreed has swiftly become a prominent infostealer in the dark web’s stolen credential market, particularly after the takedown of Lumma Stealer [1]. This shift highlights the dynamic nature of cybercrime, with Acreed quickly surpassing its competitors and posing a significant threat to various sectors.

Description

Acreed has rapidly emerged as a leading infostealer strain, gaining prominence in the dark web’s stolen credential market [1], particularly following the takedown of Lumma Stealer in May 2025 [1] [6]. Lumma had previously dominated the Russian Market [4] [6], accounting for nearly 92% of credential theft alerts in late 2024 [5] [6]. With Lumma’s downfall [1], Acreed has quickly outpaced established competitors such as RedLine, Raccoon [1] [2] [6], StealC [1] [2] [6], and Vidar [1] [2] [6]. In its first week [4] [7], Acreed was responsible for the upload of over 4,000 stolen logs [4], showcasing its swift rise in popularity.

The Russian Market remains a significant hub in the underground economy: over 136,000 alerts related to potential stolen credentials were tied to it in 2024 [5], the majority of them linked to SaaS solutions and single sign-on (SSO) accounts. The most affected sector is professional, scientific, and technical services [1], which accounts for 30% of credential logs [1], followed closely by the information sector at 28% [1]. In 2025 alone, there have already been over 50,000 alerts [6], indicating a growing threat [6].

The marketplace boasts a vast inventory of over 5 million logs [5], each containing sensitive information such as passwords and cookies [4] [7], often available for as little as $2 [5]. Acreed’s emergence underscores the resilience of malware-as-a-service (MaaS) models, which are modular and easily replaceable [3], allowing for quick regeneration after takedowns [3]. This infostealer targets popular web browsers like Chrome and Firefox to extract sensitive information [3], including passwords [3], cookies [3] [4] [7], cryptocurrency wallets [3] [4], and credit card details [3]. It spreads through various methods [3], including phishing emails [3] [4], deceptive advertisements for “premium” software [4], malvertising [3] [7], and misleading tutorials on platforms like YouTube and TikTok [3].

The success of infostealers like Lumma was attributed to their advanced features [5], including the use of fake CAPTCHA pages for distribution [5], which may also benefit Acreed as it gains traction in the market [5]. The rise of Acreed signifies a strategic shift in cybercrime [1], with attackers increasingly focusing on high-value credentials that provide extensive access to enterprise systems [1]. The prevalence of SSO credentials indicates a targeted approach towards critical operational gateways [1], complicating breach identification and remediation efforts [1], as 85% of stolen data is often found across multiple sources.

Organizations across various industries [5], particularly those with high digital engagement [5], remain vulnerable to the threats posed by infostealers available on the Russian Market [5], underscoring the urgent need for enhanced cybersecurity measures in response to this evolving threat landscape. As Acreed continues to gain momentum alongside the expansion of the Russian Market [3], a new wave of attacks targeting cloud services and enterprise tools is anticipated [1]. Infostealers are expected to evolve to circumvent modern security measures [3], and attackers are likely to increasingly utilize social media platforms to disseminate malware [3]. Without prompt global collaboration and enhanced user education [3], the cybercrime economy is expected to thrive [3].

Conclusion

The rise of Acreed as a dominant infostealer highlights the evolving threat landscape in cybercrime, emphasizing the need for robust cybersecurity measures [7]. Organizations must prioritize the protection of high-value credentials and enhance their defenses against sophisticated malware. Global collaboration and user education are crucial to mitigating the impact of these threats and preventing the cybercrime economy from flourishing.

References

[1] https://undercodenews.com/acreed-rises-after-lummas-fall-the-next-king-of-credential-theft/
[2] https://www.infosecurity-magazine.com/news/acreed-dominant-infostealer-lumma/
[3] https://undercodenews.com/russian-market-surges-as-top-cybercrime-hub-for-stolen-credentials/
[4] https://blog.tecnetone.com/en-us/russian-market-dark-web-marketplace-for-stolen-credentials
[5] https://reliaquest.com/blog/infostealer-pipeline-stolen-credential-attacks-russian-marketplace/
[6] https://thecyberwire.com/podcasts/daily-podcast/2320/transcript
[7] https://www.hendryadrian.com/russian-market-emerges-as-a-go-to-shop-for-stolen-credentials/