After he fled the fighting in Ukraine, a major suspect behind the Raccoon Infostealer malware programme was caught by investigators in the Netherlands.
Sneaking out
Three weeks after Russia started dropping bombs on Ukraine in late February, a talented young computer programmer named Mark Sokolovsky climbed into a Porsche Cayenne with his girlfriend to get away from the fighting.
The pair made their way through Poland and then Germany before stopping in the Netherlands, where they thought they were safe.
Little did they know that the U.S. Federal Bureau of Investigation and investigators in Europe had been watching them all along.
Sokolovsky, 26, had been named late last year in a sealed criminal indictment in federal court in Texas that alleged he was a key figure behind a pervasive type of malware known as Raccoon Infostealer that prosecutors say has infected millions of computers around the world, stealing financial login credentials and money from an untold number of victims.
Possible victims
Days after Sokolovsky crossed into the country, Dutch police arrested him in Amsterdam on charges of computer fraud, wire fraud, money laundering and identity theft.
He faces more than 20 years in prison if convicted and remains in custody in the Netherlands while fighting an extradition proceeding that would send him to the U.S.
Messages left with Niels Van Schaik, the Dutch attorney representing Sokolovsky in his extradition proceeding, weren’t immediately returned.
The existence of the case had been under seal until last week when authorities announced Sokolovsky’s arrest as part of an effort to track down possible victims.
Following his arrest, investigators said, they managed to crack a giant cache of stolen data amounting to millions of email addresses and logins.
As part of their announcement, prosecutors and the FBI announced the creation of a website where people who suspect they may be victims can check to see if their personal information is contained among the data recovered by investigators.
“This is a very, very large global case,” said Ashley Hoff, the U.S. attorney for the Western District of Texas, where the case was filed.
‘We steal, you deal’
Raccoon Infostealer belongs to an increasingly popular class of programs called Malware-as-a-Service, or MaaS. The programmers who develop MaaS programs don’t typically steal people’s information themselves but rather license the software to other cybercriminals who use it to rip people off.
A copy of all the stolen information was also kept by Raccoon’s operators.
Raccoon Infostealer first appeared in early 2019 and was initially offered for sale on Russian-language platforms popular with cybercriminals and later also on English-language ones.
“As it was distributed as MaaS or Malware-as-a-Service, it wasn’t used by just one threat actor or group, but multiple cybercriminals, so it was quite widespread,” said Oleg Skulkin of Group-IB, a cybersecurity firm based in Singapore.
For most cybercriminals, it’s much easier to buy or rent malware.
In March, shortly after Sokolovsky was arrested, Raccoon’s operators put a message out to customers saying they needed to shut down because Russia’s war in Ukraine had disrupted operations.
“Unfortunately, due to the ‘special operation,’ we will have to close our Raccoon Stealer project,” the group said.
“Our team members who were responsible for critical components of the product are no longer with us.
Thank you for this experience and time, for every day, unfortunately, everything, sooner or later, the end of the world comes to everyone.”
Those who called it a war or an invasion risked a significant prison term.
Operators of Raccoon didn’t immediately return a message seeking comment.
They issued a statement following the news of Sokolovsky’s arrest last week that they didn’t know him personally and that, when he disappeared in March, “of course we thought the worst.”
On the run
Sokolovsky hails from the city of Kharkiv in eastern Ukraine and attended university there.
In the early days of the war, the city came under heavy bombardment by Russian forces.
This allowed authorities to track Sokolovsky’s movements, Krebs reported.
It also allowed them to recover a photograph of Sokolovsky holding up a large stack of money next to his face.
For months, investigators watched as Sokolovsky bounced back and forth between Kharkiv and the Ukrainian capital of Kyiv.
A few days later, authorities were able to zero in on Sokolovsky in Amsterdam after his girlfriend posted pictures on Instagram of them together there, Krebs reported.
Global in reach
According to the prosecution, Sokolovsky was instrumental in creating the Raccoon programme but had a number of collaborators. Prosecutors said that authorities in both Italy and the Netherlands contributed to the inquiry.
Prosecutors claimed that the FBI was able to recover almost 50 million different sets of unique credentials, including email addresses, bank account logins, cryptocurrency addresses, and credit card information. They claim that they have not yet discovered all of the data that was stolen by Raccoon Infostealer and that they are still looking into the matter.
Login information for several American corporations, as well as for military personnel with access to armed-forces networks, was among the material obtained, according to court records.
Source: Market Watch