Ukrainian Pleads Guilty for Role in Raccoon Stealer Malware

Summary: A Ukrainian national, Mark Sokolovsky, pleaded guilty to conspiracy to commit computer intrusion for his role in the Raccoon malware-as-a-service operation, an info stealer through which more than 50 million unique credentials were taken from victims. Under his plea agreement, reached after his extradition to the U.S., he will forfeit funds and pay nearly $1 million in restitution.

Threat Actor: Mark Sokolovsky
Victim: Individuals targeted by Raccoon malware

Key Points:

  • Sokolovsky set up the technical infrastructure used to sell Raccoon and contributed to its code; info stealers of this kind are generally sold on a subscription basis for $200 to $300 a month.
  • Over 50 million unique credentials were identified as stolen through Raccoon, impacting victims’ personal and financial information.
  • The malware continues to evolve, with improved versions emerging even after law enforcement efforts to dismantle its operations.

A Ukrainian national pleaded guilty Monday in U.S. federal court to one count of conspiracy to commit computer intrusion in connection with his role in the Raccoon malware-as-a-service info stealer criminal operation.


Prosecutors in 2021 indicted Mark Sokolovsky, 28, on four criminal counts for setting up the technical infrastructure used to sell the info stealer and for contributing to its code. Raccoon is one of about two dozen malware-as-a-service info stealers available online, which are generally offered on a subscription basis for $200 to $300 a month.

As part of a plea agreement, Sokolovsky – known online as “raccoonstealer,” “Photix,” and “black21jack77777” – will also forfeit $23,975 and must pay nearly $1 million in restitution.

Dutch authorities extradited him in February after arresting him in March 2022. At the time of the arrest, a joint Dutch-Italian police operation dismantled the Raccoon infrastructure then in use to filch personal data from victims' computers, including log-in credentials, financial information and session cookies, from dozens of applications (see: Ukrainian Extradited to US Over Alleged Raccoon Stealer Ties).

A digital forensic investigation conducted by the FBI identified more than 50 million unique credentials and forms of identification stolen from victims through the Raccoon malware, including email addresses, bank account details, cryptocurrency addresses and credit card numbers.

Independent journalist Brian Krebs reported that European authorities arrested Sokolovsky after tracking his cell phone and the Porsche Cayenne he drove while fleeing Ukraine with a young blond woman shortly after Russia invaded the country in February 2022. His companion regularly posted travel photos on Instagram.

The infrastructure disruption did not have a lasting effect: only months later, researchers detected an improved version being advertised on underground forums. In August 2023, Cyberint observed an upgraded version that included an improved search engine for identifying cookies and anti-detection countermeasures.

First detected in 2019, Raccoon – also known as Racealer – rose into the top ranks of malware-as-a-service info stealers. Its competitors include Redline, Vidar and Agent Tesla. Its distribution methods include phishing and fake installers for legitimate software, such as VPN clients from F-Secure and Proton.

The FBI has set up a website where potential victims can check whether their email address appears in the original Raccoon database obtained by law enforcement.

Source: https://www.healthcareinfosecurity.com/ukrainian-pleads-guilty-for-role-in-raccoon-stealer-malware-a-26474