U.S. Charges Ukrainian Man With Raccoon Information Stealing Operation

U.S. authorities have charged a Ukrainian man with computer fraud for allegedly using Raccoon Infostealer to infect millions of computers.

The U.S. Department of Justice has charged a Ukrainian man, Mark Sokolovsky, 26, with computer fraud, accusing him of using Raccoon Infostealer to infect millions of computers.

The man is currently being held in the Netherlands, where he has been charged for his alleged involvement in an international cybercrime operation known as Raccoon Infostealer.

First discovered in April 2019, the Raccoon stealer is designed to steal victims’ credit card data, email credentials, cryptocurrency wallets and other sensitive data.

Sold as Malware-as-a-Service (MaaS), Raccoon implements an easy-to-use automated backend panel, and the operator also offers bulletproof hosting and 24/7 customer support in Russian and English. The price for using the Raccoon service is $200 per month.

The Raccoon stealer was written in C++ by Russian-speaking developers who initially only promoted it on Russian-speaking hacker forums. The malware is now being promoted on English-speaking hacker forums, and it works on both 32-bit and 64-bit operating systems.

Analysis of logs sold by underground communities led experts to estimate that Raccoon had infected more than 100,000 users worldwide when it was discovered.

The list of targeted applications includes cryptocurrency applications for major currencies (Electrum, Ethereum, Exodus, Jaxx and Monero), popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer, Opera, Vivaldi, Waterfox, SeaMonkey, UC Browser), and email clients such as Thunderbird, Outlook, and Foxmail.

Dutch authorities arrested Sokolovsky in March 2022, while the FBI and Italian and Dutch law enforcement partners dismantled the C2 infrastructure used by the Raccoon Infostealer operation.

The FBI identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) in the stolen data. While the exact number of victims has not been confirmed, experts believe that millions of potential victims around the world were targeted by the operation.

These credentials appear to include over 4 million email addresses. The US does not believe it has all the data stolen by Raccoon Infostealer and continues to investigate.

“Individuals who deployed Raccoon Infostealer to steal data from victims rented access to the malware for about $200 per month, paid for in cryptocurrency. Using various tricks, such as email phishing, these individuals would install malware on the computers of unsuspecting victims,” reads the press release issued by the U.S. Department of Justice. “Raccoon Infostealer then stole personal data from victims’ computers, including login credentials, financial information and other personal records. The stolen information was used to commit financial crimes or sold to others on cybercrime forums.”

Sokolovsky was charged with computer fraud, wire fraud, money laundering and aggravated identity theft.

Sokolovsky faces up to 20 years in prison for wire fraud and money laundering, five years for conspiracy to commit computer fraud, and a mandatory two-year prison sentence for identity theft.

“This case underscores the importance of the international cooperation that the Department of Justice and our partners use to neutralize modern cyber threats,” said Deputy Attorney General Lisa O. Monaco. “As reflected in the number of potential victims and global scope of this attack, cyber threats know no borders, making international cooperation even more important. I urge anyone who thinks they may be a victim to follow the FBI’s guidelines on how to report you guidance on potential risks.”

The man is appealing a decision by a Dutch court to grant his extradition to the United States.

Pierluigi Paganini

(security affairs Hacker, Raccoon Information Stealer)
