Russian Infostealer Gangs Steal 50 Million Passwords

Group-IB cybersecurity researchers recently identified several Russian-speaking cybercrime groups offering infostealing malware-as-a-service (MaaS), resulting in the theft of more than 50 million passwords thus far.

The cybercrime groups are using Raccoon and Redline malware to steal login credentials for Steam, Roblox, Amazon and PayPal, as well as payment records and crypto wallet information. In the first seven months of this year alone, the cybercriminals, using 34 Telegram groups to coordinate their attacks, stole more than 50 million passwords from over 890,000 devices in 111 countries.

That’s a significant increase from 2021, when the stealers accessed almost 28 million passwords from a total of 538,000 devices.

“In 2022, info-stealing malware has grown into one of the most serious digital threats,” Group-IB noted in a statement.


Millions in Cybercrime Profit

According to Group-IB, the first Telegram groups coordinating these attacks appeared in early 2021, with the average distribution group containing about 200 active members. Eight of the groups use Raccoon malware, 23 use Redline, and three use custom stealers. The malware is generally offered as a service for between $150 and $200 a month.

Lower-ranked scammers are employed by the groups to drive traffic to scam websites that trick victims into downloading the malware, using links in reviews of popular games on YouTube, in mining software, on NFT forums, and in lotteries on social media.

Once credentials are stolen via the malware, the attackers either leverage the information themselves, or they sell the stolen data online.

The approximate value of the stolen data, Group-IB says, is $5.8 million.

Gaming Becomes a Target

The type of data being targeted has shifted over time. In 2021, leading targets were PayPal and Amazon login credentials. In 2022, while PayPal and Amazon remain key targets, theft of passwords for gaming services like Steam, Epic Games and Roblox has surged by almost 500 percent.

“The popularity of schemes involving stealers can be explained by the low entry barrier,” Group-IB’s Digital Risk Protection team stated. “Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it.”

“For victims whose computers become infected with a stealer, however, the consequences can be disastrous,” they added.

Aurora Malware

SEKOIA.IO researchers recently published an analysis of a different infostealer, Aurora, which was first advertised on Russian-speaking forums in April 2022, offered as MaaS by a hacker using the handle Cheshire.

In late August, the researchers found Aurora being marketed on Telegram and underground forums as “the best [stealer] on the market,” priced at $250 per month or $1,500 for a lifetime license. Several cybercrime teams began using Aurora as part of their arsenals, some pairing it with Redline or Raccoon.

SEKOIA.IO noted that, like the attackers observed by Group-IB, cybercriminals are distributing Aurora “using multiple infection chains including phishing websites masquerading [as] legitimate ones, YouTube videos and fake ‘free software catalogue’ websites.”


How to Stop Infostealer Malware

To minimize risk, Group-IB advises taking the following key steps:

  • Don’t download software from suspicious sources
  • Use isolated virtual machines or alternative operating systems for installation
  • Don’t save passwords in the browser
  • Clear browser cookies on a regular basis

Last month, the U.S. Department of Justice indicted Mark Sokolovsky for allegedly offering Raccoon as a MaaS. “This type of malware feeds the cybercrime ecosystem, harvesting valuable information and allowing cyber criminals to steal from innocent Americans and citizens around the world,” U.S. Attorney Ashley C. Hoff said at the time.

In response, the FBI has launched a disclosure page at raccoon.ic3.gov, where potential victims can enter their email addresses to find out if they show up in the stolen data.


Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
