
Bot Marketplaces as a Source of Future Data Breaches

Of the four bot marketplaces Cognyte analyzed, the Russian Market is the most dominant, but the others are all active, updated daily, and well-known, too.

Fahmida Y. Rashid, Managing Editor, Features

February 10, 2022

Figure: Login credentials offers divided by markets. The Russian Market is the most active marketplace selling login credentials. Source: "Rise of Dark Web Botnet Marketplaces" report, Cognyte

The criminal underground is rife with marketplaces – attackers interested in malware, stolen financial and healthcare data, or hacking tools don’t have to look hard to find a willing seller. As adversaries increasingly rely on stolen passwords or compromised login credentials to carry out their cyberattacks, many are shopping on bot markets, security analytics company Cognyte says in a new report.

Bot markets are automated stores that sell stolen login credentials – and Cognyte identified four of the most active bot marketplaces in 2021: 2easy, Amigos, Genesis, and Russian Market. Of the nearly 5.3 million login credentials stolen between 2019 and 2021 that Cognyte looked at as part of its research, 73% were collected in 2021, Cognyte says. The majority of the login credentials offered for sale in 2021 were on the Russian Market, at 71%.

Last year’s data breach at video game publisher Electronic Arts, which exposed sensitive data and the source code for the video game FIFA 21, was reportedly the result of an attacker purchasing access to the company’s internal Slack environment from Genesis Market. The attacker reportedly spent $10 for a Slack credential and, once in, convinced corporate IT to grant access to the rest of the internal network. In Cognyte’s research, Genesis Market accounted for just 5% of login credentials being sold on bot markets in 2021.

Genesis sold 20,000 to 30,000 login credentials each month for most of 2020 and 2021 – its peak was in January 2020, when 52,004 records were offered for sale.

Infostealers supply the stolen wares on these bot markets, Cognyte says. Infostealers are malware designed to collect specific pieces of information from the infected system, such as usernames and passwords for the system, credentials used to access applications, login information for websites, payment card details, and cryptocurrency wallets. Some infostealers can collect fingerprint information about the compromised system, such as the type of hardware and software applications installed, IP address, and configuration settings, which the attacker can use to masquerade as the compromised system.

Not all markets expose which stealers are behind the login credentials available for sale, but Cognyte’s analysis highlights the five most active ones: AZORult, Raccoon, Redline, Taurus, and Vidar. These infostealers are sold on criminal forums and are available at prices ranging from a few dollars to hundreds of dollars. Some even offer a subscription model.

Usage of the infostealers varied throughout the year, Cognyte says. At the beginning of 2021, Vidar was the most used infostealer, followed by Taurus. Raccoon was mainly used in March 2021, with 152,508 records. Redline became more widely used in April and has maintained its status as the most-used infostealer. In 2021, Redline provided 32% of the login credentials that were analyzed.

Figure: Login credentials offered for sale divided by the infostealers during 2021

“Due to the malware’s accessibility and reliability, we believe we will keep seeing it as a prime source on the bot markets in the future,” the researchers say.

About the Author

Fahmida Y. Rashid

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y. Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional, and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.
