Arrested Ukrainian national charged with running Raccoon Infostealer malware

The U.S. Department of Justice charged a Ukrainian national this week over his alleged role in an international cybercrime operation known as Raccoon Infostealer.

Mark Sokolovsky, 26, is accused of being one of the “key administrators” of the malicious software that infects computers and steals personal information, including email addresses, identification numbers, bank account and cryptocurrency information, according to court documents released Tuesday.  

Sokolovsky, also known online as “raccoonstealer,” is charged with four counts, including conspiracy to commit computer fraud, wire fraud, money laundering, and identity theft. If found guilty, he could face up to 20 years in prison.

The FBI has created a website where anyone can check if their data was compromised by Raccoon Infostealer malware. Potential victims are encouraged to fill out a complaint and share any damages experienced from their information being stolen.

“This type of malware feeds the cybercrime ecosystem, harvesting valuable information and allowing cybercriminals to steal from innocent Americans and citizens around the world,” said U.S. Attorney Ashley C. Hoff in a statement.

How it works

From 2018 through early 2022, Raccoon Infostealer was highly popular among threat actors. It was sold as malware-as-a-service on dark web forums like Exploit and was praised by hackers for its simplicity and customization.

Raccoon’s malware targeted popular browsers and desktop cryptocurrency wallets to steal passwords, cookies, and credit card numbers. It could also download files and capture screenshots on victims’ computers. 

In March, Raccoon Infostealer temporarily suspended operations, claiming that one of its administrators died during the war in Ukraine.

Around the same time, Sokolovsky was arrested in the Netherlands at the request of the FBI, and the U.S. is seeking his extradition. Sokolovsky has appealed to a Dutch court to stop his extradition to Texas for trial. Many Raccoon Infostealer victims live in the Western District of Texas — including El Paso, Austin and Killeen.

With the help of Dutch and Italian authorities, the FBI also seized Raccoon Infostealer’s servers, taking them offline. In June, the group launched a new version of its malware.

Raccoon Infostealer administrators rent out the malware for $200 per month in cryptocurrency to steal data from victims’ computers, including log-in credentials, financial information, and other personal records. The malware is installed on victims’ computers through phishing emails.

The stolen information is then sent to one or more servers controlled by the Raccoon administrators. When the operation is completed, Raccoon deletes itself from the infected computer.

According to the indictment, millions of computers worldwide have been infected with the malware and more than 2 million people have had their personal data stolen. 

The FBI has identified over 50 million user credentials stolen with the help of Raccoon Infostealer. The Justice Department said it hasn't yet identified all of the data stolen by Raccoon Infostealer and continues to investigate.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.