Obvane Group

09.03.26

Russian Market: The Marketplace Powering Account Takeovers

Obvane looks inside Russian Market, one of the largest hubs for stolen credentials and card data online.

Introduction

Russian Market has become one of the dominant marketplaces for stolen credentials and credit cards. The platform has operated continuously since around 2019 without any major disruption from law enforcement, unlike competitors such as Genesis Market, XSS, or even sites like RaidForums/BreachForums.

Russian Market grew sharply after the seizure and takedown of Genesis Market in April of 2023. Reports suggest that activity surged 670% as users moved over. The marketplace has evolved from focusing primarily on RDP access to being dominated by CVV and stealer logs.



Background: The Cybercrime Marketplace Ecosystem

The underground economy for stolen credentials operates on platforms known as autoshops. Unlike traditional forums, where buyers and sellers negotiate deals, autoshops function more like an e-commerce site. Inventory is searchable and categorized, purchases are nearly instant, and the entire transaction requires no contact between the buyer and seller. This frictionless business model has made autoshops the dominant choice in the cybercrime economy, lowering the barrier to entry for financially motivated threat actors. 

Russian Market fits firmly within the autoshop model. Active since 2019, and operating primarily in English despite its name, the platform specializes in stealer logs and credit card data.



What Does Russian Market Sell?


Stealer logs

Stealer logs are bundles of data harvested by infostealing malware from infected machines. They contain usernames, passwords, emails, session cookies, system data, etc. After scraping the site for all of the listings, we discovered around 10.6 million listings for sale.


The graph above shows the number of infections listed, sorted by infostealer family. In first place, holding around 66% of the total listings, is LummaStealer. Notable names like Vidar, Redline, and Rhadamanthys also appear and make up a significant portion of the listings.

As the graph shows, some of the most popular and well-known infostealers, like Redline and Raccoon Stealer, have seen a dramatic drop-off in the number of victims since their shutdowns in 2024 and 2022, respectively.

Each infection sells for around $10. Each listing shows information on the infected machine, like the country, type of infostealer used, vendor, and sites where that machine might have accounts. 


Comparing the size of the Russian Market to its competitors creates a clear image of how big this market truly is. 


Based on the number of stealer logs up for sale alone, Russian Market trumps its competitors. 2Easy is a direct competitor to Russian Market, with only around 14% of the supply that Russian Market has. Genesis was a massive market as well, with 425,000 “bots” for sale at the time of its shutdown.

There have been some data quality concerns reported by customers, including data duplication rather than 100% unique credentials. Some sellers even inflate listings with false credentials (e.g., example@gmail.com entries).



Credit Card Dumps

Credit cards are the second most popular item sold on Russian Market. We also gathered data from the CVV listing page and saw around 8.5 million cards up for sale. 


We took the top 20 countries from which the cards originated and saw that the majority of stolen cards are from US banks at 7.167 million cards and 84% of the listings. 



RDP Access

From its inception around 2019, Russian Market specialized in offering access to remote desktops (RDPs). This access was used to deploy malware such as ransomware onto networks, or as a hop in other cybercrimes. In January 2024, RDP access was discontinued and is no longer sold on the site.


In an old screenshot of the sidebar, you can see many options that aren't available today, including RDP access, stolen PayPal accounts, and PROs.

Checkers / Tools

Russian Market offers two integrated tools that allow buyers to validate credentials before or after purchase. The first is the BIN checker, which validates and provides information about a credit/debit card based on the first 6-8 digits of the card number.

Legitimate merchants use BIN checkers for payment processing, validation, and fraud prevention. However, on Russian Market and other fraud marketplaces, BIN checkers help criminals identify high-value cards, filter by geography, and test cards.



The second tool offered is a Netscape to JSON Cookie Converter. This tool converts browser cookies from Netscape format (plain text cookie storage) into JSON format, making them compatible with modern browsers or automated tools.

Infostealer logs often export cookies and info in this Netscape format, and this tool helps criminals and attackers import these session cookies into their own browsers. 
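For responders, the same Netscape format is what a recovered stealer log has to be read in. The following is an added example, not code from Russian Market or Obvane: it parses a Netscape cookie file and lists which of an organization's sessions were exposed and still need server-side revocation, without reproducing cookie values. The domains, cookie names and values are constructed.

```python
"""Triage a Netscape-format cookie file recovered from a stealer log (added example)."""
import hashlib
from datetime import datetime, timezone

# Constructed sample input: domains, names and values are invented for illustration.
SAMPLE_COOKIES = (
    "# Netscape HTTP Cookie File\n"
    ".sso.example-corp.test\tTRUE\t/\tTRUE\t1893456000\tsession_id\tAAAA1111\n"
    "#HttpOnly_mail.example-corp.test\tFALSE\t/\tTRUE\t1600000000\tauth\tBBBB2222\n"
    ".shop.example.net\tTRUE\t/\tFALSE\t1893456000\tcart\tCCCC3333\n"
    "vpn.example-corp.test\tFALSE\t/\tTRUE\t0\tportal\tDDDD4444\n"
    "malformed line without tabs\n"
)

def parse_netscape(text):
    """Yield one dict per cookie line; skip comments and malformed rows."""
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")  # curl-style HttpOnly marker
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue
        domain, _subdomains, path, secure, expiry, name, value = fields
        yield {"domain": domain.lstrip(".").lower(), "path": path,
               "secure": secure == "TRUE", "http_only": http_only,
               "expires": int(expiry), "name": name, "value": value}

def exposed_sessions(text, org_domains, now):
    """Return cookies for the organization's domains, with values replaced by a hash."""
    findings = []
    for c in parse_netscape(text):
        if not any(c["domain"] == d or c["domain"].endswith("." + d) for d in org_domains):
            continue
        # Expiry 0 marks a browser-session cookie; treat it as live until revoked server-side.
        live = c["expires"] == 0 or c["expires"] > now
        findings.append({"domain": c["domain"], "name": c["name"], "live": live,
                         "http_only": c["http_only"],
                         "value_sha256": hashlib.sha256(c["value"].encode()).hexdigest()[:16]})
    # Live sessions first: those need server-side revocation, not just a password reset.
    return sorted(findings, key=lambda f: (not f["live"], f["domain"]))

if __name__ == "__main__":
    now = int(datetime(2026, 1, 1, tzinfo=timezone.utc).timestamp())
    for f in exposed_sessions(SAMPLE_COOKIES, ["example-corp.test"], now):
        print(f)
```

Entries flagged as live are sessions a password reset alone does not invalidate; they have to be terminated at the identity provider or application.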


Law Enforcement Action

The law enforcement response to the infostealer ecosystem has increased significantly since 2022. The most infamous case to date was the arrest and conviction of Ukrainian national Mark Sokolovsky, who was sentenced to five years in federal prison in December of 2024 for operating the Raccoon Stealer MaaS (Malware as a Service). According to the infostealer stats on Russian Market today, Raccoon Stealer has drastically fallen off, accounting for under 1% of the logs up for sale.


Photo of Mark Sokolovsky, Operator of Raccoon Stealer

In May of 2025, Microsoft's Digital Crimes Unit coordinated with the DOJ, Europol, and Japan's Cybercrime Control Center to seize approximately 2,300 domains connected to Lumma Stealer, which currently accounts for 66% of the total stealer logs for sale. A few months later, in November, Operation Endgame dismantled the Rhadamanthys infostealer infrastructure, taking down over 1,025 servers across 226 countries, but its operator is still publicly unknown. Rhadamanthys is currently the 5th most common infostealer variant on Russian Market, at around 5% of the total log supply.

Vendors

Each vendor falls into a numerical rating system based on a number of metrics, like sales volume, buyer feedback, etc. 


One of the highest-ranked vendors in the stealer logs section has a rating of 4.46 and a score of 208,908. Vendors with Diamond status have a score over 10,000 points, and any vendor below that has Platinum status.

From our analysis, there are only 39 total vendors listed in the stealer logs section, while the carding section has 557 vendors at the time of writing. However, a good portion of the vendors in both sections have zero listings.


Conclusion

Russian Market has established itself as one of the most durable and popular illegal markets in the modern cybercrime ecosystem. While competitors were dismantled and detained by law enforcement or collapsed under their own weight, Russian Market not only survived, but grew.

The numbers don't lie: with over 10.6 million stealer log listings and 8.5 million credit cards, the platform runs on a scale unprecedented in the industry, dwarfing its competitors.

For businesses and defenders, Russian Market is a persistent and quantifiable threat. Monitoring for organizational data on platforms such as Russian Market, along with a larger investment in endpoint security against infostealers, remains one of the most direct ways to decrease exposure in this threat environment.


Obvane Group - Cybercrime Intelligence

Published:

09.03.26
