Industry Insights | 9 min read | Dec 27, 2024

The Economics of Cybercrime: Why Credentials Are the New Currency

Cybercrime economics explained: how the stolen credentials market works, from infostealer operators to automated marketplaces and initial access brokers.

Product Team

Revealer.US

Cybercrime Is a Supply Chain, Not a Scene

To understand modern cybercrime economics, stop thinking about lone hackers in hoodies and start thinking about logistics networks. The stolen credentials market is a supply chain with specialized roles, negotiated pricing, quality tiers, volume discounts, and customer support. Credentials are the raw material that flows through that chain, and like any commodity economy, the behavior of the market is driven by price signals, substitution effects, and margin compression at the edges.

This piece maps that supply chain, walks through the pricing tiers that actually exist on the underground today, traces the platform migration from forum posts to Telegram to fully-automated credential marketplaces, and explains why, if credentials are the new currency, exposure monitoring is the early warning system defenders cannot afford to skip.

The Cybercrime Supply Chain

A single compromised credential may change hands four or five times before it is used in an attack. Each hop adds markup and specialization.

Tier 1: Infostealer Operators

At the top of the funnel are the operators of stealer malware families like RedLine, Lumma, Vidar, Raccoon, and more recently StealC and Meduza. They rent their malware as a service to affiliates for flat monthly fees, typically 150 to 1,000 US dollars depending on the family and feature set. The operators do not distribute the malware themselves. They collect subscription revenue and maintain the command-and-control infrastructure.

Tier 2: Affiliates and Distribution

Affiliates run the actual campaigns. Cracked software, malvertising via Google Ads, YouTube tutorial comments, fake installers, and increasingly sophisticated SEO poisoning all funnel victims to payloads. An affiliate operating at scale can generate tens of thousands of stealer logs per month. Each log is a bundle of the victim's browser passwords, cookies, autofill data, crypto wallets, and system fingerprint.

Tier 3: Log Aggregators and Cloud Sellers

Affiliates rarely sell individual logs. They sell in bulk to log aggregators, who clean, deduplicate, and tag the data before listing it. This is the layer where marketplaces live. A log aggregator may process millions of logs a month and sell access to filtered slices of the data through subscription services, often called a "cloud of logs," where a buyer pays a weekly or monthly fee for access to a searchable portal.

Tier 4: Initial Access Brokers

Sitting above raw logs is the initial access broker, or IAB. An IAB takes a promising credential, typically corporate VPN, RDP, or SSO access, validates it, enriches it with organizational context like revenue, headcount, and industry, and sells it as a packaged access listing. A log that might sell for 10 dollars raw can become a 5,000 dollar access listing once an IAB has verified it leads inside a Fortune 1000 network.

Tier 5: Final Attackers

Ransomware affiliates, business email compromise crews, and financial fraud groups are the ultimate buyers. They do not want to spend weeks harvesting credentials. They want verified access at a known price, delivered on demand. RaaS operators like LockBit, Akira, and Play have historically sourced a meaningful share of their initial access from the IAB market, not from their own intrusions.

Underground Forum Pricing

Pricing in the stolen credentials market varies by freshness, geography, target sector, and verification status. Based on observed listings across Russian Market, 2easy, BidenCash, and various forum and Telegram sources, the pricing tiers look roughly like this.

  • Generic retail consumer credentials: 0.50 to 3 US dollars per log in bulk
  • Retail banking access with verified balance: 5 to 50 US dollars per account
  • Streaming, gaming, and SaaS account logins: 1 to 15 US dollars
  • Corporate email access (small business): 20 to 200 US dollars
  • Enterprise VPN or RDP access: 500 to 5,000 US dollars depending on company size
  • Initial access to a Fortune 500 network: 10,000 US dollars and up, frequently auctioned

A few patterns stand out. Raw consumer credentials have collapsed in price due to oversupply from stealer logs. Corporate access has appreciated, because RaaS affiliates compete for quality targets and are willing to pay a premium. Cookies with active sessions are priced above credentials alone, because they bypass MFA in a way passwords cannot.

The Platform Migration

Where credentials are sold has shifted meaningfully over the past five years. Each generation of platform optimized a different part of the buyer experience.

Generation One: Forums

Classic Russian-language forums like Exploit and XSS were the original venue. Deals were negotiated in threads, escrow was mediated by forum administrators, and reputation was tied to post history. Forums still matter for high-value access listings, but they are slow and illiquid.

Generation Two: Telegram Channels

Telegram became the default logistics layer around 2019 to 2021. Channels with tens of thousands of subscribers advertise daily drops of logs, with pricing in stablecoins and delivery through bot interfaces. Telegram solved the speed problem forums had but introduced its own moderation and takedown risks.

Generation Three: Automated Marketplaces

The most consequential shift was the move to fully automated credential marketplaces. Genesis Market was the landmark example. Until Operation Cookie Monster dismantled it in April 2023, Genesis offered browser fingerprint bundles with session cookies for sale through a slick web interface, letting buyers impersonate victims down to the user agent and timezone. At seizure it contained over 80 million credentials and 2 million unique bots.

Russian Market filled much of the void, and 2easy operates a similar model with a focus on stealer log filtering. BidenCash has taken a different approach, using periodic free credential dumps as a marketing strategy to drive buyers to its paid inventory. The common thread is automation. Buyers self-serve, search, filter, and purchase without ever talking to a seller.

What the Genesis Market Takedown Actually Changed

The Genesis Market takedown was a meaningful law enforcement win but not a market contraction. Within weeks, inventory migrated to Russian Market and 2easy, and Telegram-based cloud of logs services saw subscriber growth. The credential economy proved to be platform-resilient. Take down one marketplace and the supply redistributes. The lesson for defenders is that banking on law enforcement to suppress supply is not a strategy.

RaaS Affiliate Economics

The ransomware-as-a-service affiliate model is the single largest demand-side driver of the stolen credentials market. A typical RaaS arrangement splits ransom payments 70/30 or 80/20 in the affiliate's favor, with the operator providing the encryptor, leak site, and negotiation infrastructure. For an affiliate, the economic question is straightforward.

  1. How much does initial access cost?
  2. What is the probability of successful deployment?
  3. What is the expected ransom payment?
  4. What is the operator's cut?

At 5,000 dollars for verified VPN access, a 60 percent deployment success rate, an average payment of 400,000 dollars, and an 80/20 split, the affiliate's expected margin per purchased access is well over 100,000 dollars. That math is why the IAB market exists and why corporate credentials keep appreciating in price.
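The affiliate's calculation above, written out as an added worked equation with the post's own figures (this is the editor's illustration, not part of the original post). Let $p$ be the deployment success probability, $R$ the average ransom payment, $s$ the affiliate's share of the split, and $C$ the price paid for initial access:

```latex
\mathbb{E}[\text{margin}] = p \cdot R \cdot s - C
  = 0.6 \times 400{,}000 \times 0.8 - 5{,}000
  = 192{,}000 - 5{,}000
  = 187{,}000
```

Setting the margin to zero gives the break-even access price $C^{*} = p \cdot R \cdot s = 192{,}000$ dollars, which is why a buyer who expects those numbers can rationally bid far above 5,000 dollars and why verified corporate access keeps appreciating.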

What This Means for Defenders

If credentials are the new currency, the security problem becomes a cash flow problem. You cannot prevent the printing press, but you can detect when your bills start circulating. Three implications follow.

  • Perimeter is irrelevant if credentials are already external. Attackers buy their way past most perimeter controls. Assume initial access is purchasable.
  • MFA is necessary but not sufficient. Session cookie theft and MFA fatigue attacks erode its protective value. Cookies stolen by Lumma or RedLine bypass most MFA implementations unless you enforce strict session binding.
  • Exposure monitoring is the early warning system. The moment a credential leaves the organization and enters the supply chain, there is a detection window before it is purchased and weaponized. That window is the defender's entire advantage.

Revealer.US exists to shorten that window. Our platform continuously ingests stealer logs and marketplace data, then alerts customers the moment their employee, customer, or partner credentials appear in the wild. You can read more in our documentation on how the detection pipeline works end to end.
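One way to turn the "detection window" idea into triage logic, as an added example that is not Revealer.US code and not the pipeline the documentation describes: constructed stealer-log records (saved browser logins and cookies, each stamped with when the log was first seen) are matched against a hypothetical watched domain, with live cookies on corporate hosts ranked above passwords because they can ride past MFA, and each alert carries the hours elapsed since the log surfaced.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Hypothetical organization whose domain is being watched (assumption).
WATCHED_DOMAINS = {"example-corp.com"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample records, shaped like the fields a stealer log bundles.
SAMPLE_CREDENTIALS = [
    {"url": "https://vpn.example-corp.com/login", "user": "j.doe@example-corp.com", "seen": "2024-12-20T08:15:00Z"},
    {"url": "https://mail.google.com/", "user": "jdoe.home@gmail.com", "seen": "2024-12-20T08:15:00Z"},
    {"url": "https://portal.partner-example.net/", "user": "j.doe@example-corp.com", "seen": "2024-12-21T11:00:00Z"},
]
SAMPLE_COOKIES = [
    {"host": ".sso.example-corp.com", "name": "session", "expires": "2025-01-15T00:00:00Z", "seen": "2024-12-20T08:15:00Z"},
    {"host": ".example-corp.com", "name": "theme", "expires": "2023-01-01T00:00:00Z", "seen": "2024-12-20T08:15:00Z"},
]


def parse_ts(value):
    """Parse the UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def watched(host):
    """True if host is a watched domain or a subdomain of one (not a look-alike suffix)."""
    host = host.lower().lstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def triage(credentials, cookies, now):
    """Return (severity, kind, subject, hours_since_seen) for records touching watched domains."""
    alerts = []
    for cred in credentials:
        host = urlsplit(cred["url"]).hostname or ""
        mail_domain = cred["user"].rpartition("@")[2]
        hours = (now - parse_ts(cred["seen"])).total_seconds() / 3600
        if watched(host):  # login to a corporate service such as VPN or SSO
            alerts.append(("high", "credential", cred["url"], hours))
        elif watched(mail_domain):  # corporate email reused on a third-party site
            alerts.append(("medium", "credential", cred["url"], hours))
    for cookie in cookies:
        # Only unexpired cookies on corporate hosts matter; treat them as a live session.
        if watched(cookie["host"]) and parse_ts(cookie["expires"]) > now:
            hours = (now - parse_ts(cookie["seen"])).total_seconds() / 3600
            alerts.append(("critical", "cookie", cookie["host"], hours))
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a[0]])


if __name__ == "__main__":
    for alert in triage(SAMPLE_CREDENTIALS, SAMPLE_COOKIES, parse_ts("2024-12-22T09:15:00Z")):
        print(alert)
```

The hours value is the window the post describes: the time the credential has already been circulating before anyone on the defending side acted on it.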

Conclusion

Cybercrime economics is not mysterious. It is a supply chain with well-understood roles, measurable pricing, and rational actors optimizing for margin. Credentials are the commodity that flows through it because credentials unlock everything else: bank accounts, corporate networks, ransom payments, and cloud infrastructure. The stolen credentials market has survived forum takedowns, Telegram crackdowns, and the seizure of Genesis Market because the underlying economics reward resilience.

For defenders, the implication is simple but uncomfortable. You are not competing against individual attackers. You are competing against a liquid, efficient market that prices your credentials in real time. The only way to stay ahead of that market is to see your inventory the same way it does, continuously, globally, and before the buyer arrives.

Want to see how your organization looks through the lens of the stolen credentials market? Start a free trial of Revealer.US and turn cybercrime economics into actionable early warning.