raccoon operator handcuffed

Raccoon Infostealer operator extradited to the United States

A Ukrainian national, Mark Sokolovsky, has been indicted for crimes related to fraud, money laundering and aggravated identity theft and extradited to the United States from the Netherlands, the US Attorney’s Office of the Western District of Texas has announced.

In March 2022, around the same time of Sokolovsky’s arrest by Dutch authorities, the FBI and law enforcement partners in Italy and the Netherlands dismantled the digital infrastructure supporting the Raccoon Infostealer, taking its then existing version offline.

On September 13, 2022, the Amsterdam District Court ordered Sokolovsky’s extradition to Texas, where many of his victims were located. After the Sokolovsky’s appeal was dismissed in June of 2023, the extradition could take place.

Sokolovsky is suspected of operating the Raccoon Infostealer as a malware-as-a-service (MaaS). This means criminals intent on stealing information could “hire” the malware and the infrastructure to steal data from victim computers.

For this reason Sokolovsky is charged with one count of conspiracy to commit fraud and related activity in connection with computers; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering; and one count of aggravated identity theft. He made his initial court appearance February 9, and is being held in custody pending trial. If convicted, he will be sentenced to a maximum of 20 years for wire fraud and money laundering, five years for computer fraud charges, and a mandatory two-year term for identity theft offenses.

The Raccoon Infostealer operation is a tightly-run ship, to the extent that customers have digital signatures tied to their executables. If files end up on malware scanning services, the malware authors know exactly where the leak originated.

Raccoon’s two most popular delivery methods are phishing campaigns (the tried and tested malicious Word document/Macro combination) and exploit kits. Once data is located on the target system, it is eventually placed into a .zip file and sent to the malware Command and Control (C&C) server.

The main targets of the stealer are credit card data, autofill entries, browser passwords, and cryptocurrency wallets.

The FBI identified at least 50 million unique credentials stolen by Raccoon Infostealer from victims worldwide. Because of this, the agency has created a dedicated website, raccoon.ic3.gov, where potential victims can check if their data has been stolen. All they need to do is to enter their email address. Note, however, that the website only contains data for US-based victims. 

The FBI also encourages potential victims to fill out a detailed complaint and share the harm the malware caused them at the FBI’s Crime Complaint Center (IC3).

Digital Footprint scan

If you want to find out how much of your own data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.