hands in cuffs

Raccoon Stealer admin will be extradited to the US, charged for computer crimes

The US Department of Justice has indicted a Ukrainian national for his involvement in Raccoon Stealer, a noteworthy password-stealing Trojan leased in the underground for criminals to use as part of a malware-as-a-service (MaaS) business model.

According to court documents, Mark Sokolovsky, 26, is currently held in the Netherlands under an extradition request from the US government. Dutch authorities arrested Sokolovsky, known online as “raccoonstealer,” in March 2022. At the same time, the FBI (Federal Bureau of Investigation) partnered with Italian and Dutch law enforcement to dismantle Raccoon Stealer’s digital infrastructure, taking the existing version offline.

In a press release, Deputy Attorney General Lisa O. Monaco said:

“This case highlights the importance of the international cooperation that the Department of Justice and our partners use to dismantle modern cyber threats. As reflected in the number of potential victims and global breadth of this attack, cyber threats do not respect borders, which makes international cooperation all the more critical. I urge anyone who thinks they could be a victim to follow the FBI’s guidance on how to report your potential exposure.”

Sokolovsky is charged with four counts of computer crime: conspiracy to commit computer fraud; conspiracy to commit wire fraud, conspiracy to commit money laundering, and aggravated identity theft.

On September 13, 2022, the Amsterdam District Court ordered Sokolovsky’s extradition to Texas, where many of his victims were located. He is currently appealing for his extradition. If convicted, he will be sentenced to a maximum of 20 years for wire fraud and money laundering, five years for computer fraud charges, and a mandatory two-year term for identity theft offenses.

About Raccoon Stealer

Raccoon Stealer was popular on the dark web from 2019 to early 2022 for its simplicity and customization. Its operations temporarily ceased sometime in March 2022 after an operator revealed that a key developer of the Trojan died at the beginning of the Russia-Ukraine invasion. In June 2022, Raccoon Stealer resumed operations with the release of V2.

Administrators of Raccoon Stealer rent out the malware for $200 per month, paid in cryptocurrency. Cybercriminals use the Trojan to steal data from victim computers. This data includes login credentials, financial and banking information, and personally identifiable information (PII). They trick users into downloading the malware via email phishing campaigns (among others). 

The FBI identified at least 50 million unique credentials stolen by Raccoon Stealer from victims worldwide. Because of this, the agency has created a dedicated website, raccoon.ic3.gov, where potential victims can check if their data has been stolen. All they need to do is to enter their email address. Note, however, that the website only contains data for US-based victims. 

The FBI also encourages potential victims to fill out a detailed complaint and share the harm the malware caused them at the FBI’s Crime Complaint Center (IC3).


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ABOUT THE AUTHOR