Acreed infostealer poised to replace Lumma after global crackdown

Newly emerged malware called Acreed is gaining ground in the Russian cybercriminal market and is expected to become the go-to infostealer for hackers, following the recent takedown of Lumma stealer, according to a new report.

Acreed, first identified earlier this year, already has surpassed most established infostealers in Russia, trailing only Lumma during the first quarter of 2025, said researchers at U.S. cybersecurity firm ReliaQuest.

With Lumma’s operations now severely disrupted by a global law enforcement crackdown in May, the researchers say Acreed is primed to fill the void.

Lumma, long considered one of the world’s most widely used infostealers, allowed cybercriminals to extract sensitive data from infected devices. Developed by a Russian actor known as “Shamel,” the malware has targeted sectors ranging from airlines and hospitals to government agencies and banks.

In May, authorities seized more than 2,300 domains linked to Lumma in a coordinated international operation. While researchers say Lumma’s developers are attempting to rebuild their infrastructure, its future remains uncertain.

That leaves a clear opening for Acreed. Though little is known about its developers or the full extent of its capabilities, Acreed appears to follow the standard playbook for infostealers — targeting Windows systems and extracting login credentials, browser cookies, and cryptocurrency wallets.

Previous reports said the malware harvests data from major browsers like Chrome, Firefox and Edge. The stolen files often include usernames and passwords for social media, email services, streaming platforms, and local network access credentials.

The broader Russian infostealer market remains robust, according to ReliaQuest, driven by the malware’s ease of use and the demand for stolen data. Infostealer logs — information already captured by the malware — can be sold for as little as $2.