Feds say Ukrainian man running malware service amassed 50M unique credentials

A person's hand inserting a key into the lock on a jail-cell door.

Getty Images | Charles O’Rear

Federal prosecutors have charged a 26-year-old Ukrainian national with operating a malware service that was responsible for stealing sensitive data from more than 2 million individuals around the world.

Prosecutors in Texas said on Tuesday that Mark Sokolovsky, 26, of Ukraine helped operate “Raccoon,” an info stealer program that worked using a model known as MaaS, short for malware-as-a-service. In exchange for about $200 per month in cryptocurrency, Sokolovsky and others behind Raccoon supplied customers with the malware, digital infrastructure, and technical support. Customers would then use the service to infect targets with the malware, which would surreptitiously harvest credentials for email and bank accounts, credit cards, cryptocurrency wallets, and other private information.

First seen in April 2019, Raccoon was able to extract sensitive data from a wide range of applications, including 29 separate Chromium-based browsers, Mozilla-based apps, and cryptocurrency wallets from Exodus and Jaxx. Written in C++, the malware can also take screenshots. Once Raccoon has extracted all data from an infected machine, it uninstalls and deletes all traces of itself.

An indictment unsealed on Tuesday said more than 2 million victims had personal data stolen through Raccoon. To date, prosecutors said they have recovered more than 50 million unique credentials and forms of identification taken in the operation and believe there’s more stolen data that has yet to be found.

Prosecutors wrote:

Through various investigative steps, the FBI has collected data stolen from many computers that cyber criminals infected with Raccoon Infostealer. While an exact number has yet to be verified, FBI agents have identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) in the stolen data from what appears to be millions of potential victims around the world. The credentials appear to include over four million email addresses. The United States does not believe it is in possession of all the data stolen by Raccoon Infostealer and continues to investigate.

The FBI created a website that allows people to determine if their data was among that recovered to date. The site, raccoon.ic3.gov, allows visitors to enter the email address of an account they control. If the address is included in the recovered data, the FBI will send the address an email notifying the visitor of the theft. Officials are encouraging people who believe they’re victims to complete the complaint form using this page operated by the Internet Crime Complaint Center.

The unsealed indictment listed a host of specific actions Sokolovsky allegedly carried out to help operate the Raccoon service. Those actions included obtaining the transport layer security certificate using one of the web domains that hosted Raccoon, running accounts that advertised Raccoon on online forums, and creating a Git-based source code repository account for use in improving and modifying the Raccoon code.

At the same time that Dutch authorities arrested Sokolovsky last March, the FBI and law enforcement partners in the Netherlands and Italy dismantled Raccoon Infostealer’s infrastructure and took the malware’s existing version offline.

Prosecutors charged Sokolovsky with one count of conspiracy to commit computer fraud and related activity in connection with computers; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering; and one count of aggravated identity theft. If convicted, Sokolovsky faces a maximum penalty of 20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense.

The defendant is currently being detained in the Netherlands pursuant to an extradition request by US authorities. In September, a court in Amsterdam granted the extradition request. Sokolovsky remains in Amsterdam while that decision is on appeal.

Leave a Reply