A 26-year-old Ukrainian man is awaiting extradition from The Netherlands to the United States on costs that he acted as a core developer for Raccoon, a well-liked “malware-as-a-service” providing that helped paying prospects steal passwords and monetary information from tens of millions of cybercrime victims. KrebsOnSecurity has realized that the defendant was busted in March 2022, after fleeing necessary navy service in Ukraine within the weeks following the Russian invasion.
Ukrainian nationwide Mark Sokolovsky, seen right here in a Porsche Cayenne on Mar. 18 fleeing necessary navy service in Ukraine. This picture was taken by Polish border authorities as Sokolovsky’s car entered Germany. Image: KrebsOnSecurity.com.
The U.S. Attorney for the Western District of Texas unsealed an indictment final week that named Mark Sokolvsky because the core developer for the Raccoon Infostealer enterprise, which was marketed on a number of Russian-language cybercrime boards starting in 2019.
Raccoon was basically a Web-based management panel, the place — for $200 a month — prospects might get the newest model of the Raccoon Infostealer malware, and work together with contaminated programs in actual time. Security consultants say the passwords and different information stolen by Raccoon malware have been typically resold to teams engaged in deploying ransomware.
Working with investigators in Italy and The Netherlands, U.S. authorities seized a replica of the server utilized by Raccoon to assist prospects handle their botnets. According to the U.S. Justice Department, FBI brokers have recognized greater than 50 million distinctive credentials and types of identification (e-mail addresses, financial institution accounts, cryptocurrency addresses, bank card numbers, and many others.) stolen with the assistance of Raccoon.
The Raccoon v. 1 net panel, the place prospects might search by contaminated IP, and stolen cookies, wallets, domains and passwords.
The unsealed indictment (PDF) doesn’t delve a lot into how investigators tied Sokolovsky to Raccoon, however two sources near the investigation shared extra details about that course of on situation of anonymity as a result of they weren’t licensed to debate the case publicly.
According to these sources, U.S. authorities zeroed in on an operational safety mistake that the Raccoon developer made early on in his posts to the crime boards, connecting a Gmail account for a cybercrime discussion board identification utilized by the Raccoon developer (“Photix”) to an Apple iCloud account belonging to Sokolovsky. For instance, the indictment features a picture that investigators subpoenaed from Sokolovsky’s iCloud account that exhibits him posing with a number of stacks of bundled money.
A selfie pulled from Mark Sokolovsky’s iCloud account. Image: USDOJ.
When Russian President Vladimir Putin invaded Ukraine in late February 2022, Sokolovsky was dwelling in Kharkiv, a metropolis in northeast Ukraine that may quickly come below heavy artillery bombardment from Russian forces. Authorities monitoring Sokolovsky’s iCloud account had spent weeks watching him shuttle between Kharkiv and the Ukrainian capital Kyiv, however on Mar. 18, 2022, his cellphone instantly confirmed up in Poland.
Investigators realized from Polish border guards that Sokolovsky had fled Ukraine in a Porsche Cayenne together with a younger blond girl, leaving his mom and different household behind. The picture on the high of this submit was shared with U.S. investigators by Polish border safety officers, and it exhibits Sokolovsky leaving Poland for Germany on Mar. 18.
At the time, all able-bodied males of navy age have been required to report for service to assist repel the Russian invasion, and it could have been unlawful for Sokolovsky to go away Ukraine with out permission. But each sources mentioned investigators consider Sokolovsky bribed border guards to allow them to go.
Authorities quickly tracked Sokolvsky’s cellphone by way of Germany and finally to The Netherlands, together with his feminine companion helpfully documenting each step of the journey on her Instagram account. Here is an image she posted of the 2 embracing upon their arrival in Amsterdam’s Dam Square:
Authorities in The Netherlands arrested Sokolovsky on Mar. 20, and shortly seized management over the Raccoon Infostealer infrastructure. Meanwhile, on March 25 the accounts that had beforehand marketed the Raccoon Stealer malware on cybercrime boards introduced the service was closing down. The parting message to prospects mentioned nothing of an arrest, and as a substitute insinuated that the core members accountable for the malware-as-a-service mission had perished within the Russian invasion.
“Unfortunately, due to the ‘special operation,’ we will have to close our Raccoon Stealer project,” the staff introduced Mar. 25. “Our team members who were responsible for critical components of the product are no longer with us. Thank you for this experience and time, for every day, unfortunately everything, sooner or later, the end of the WORLD comes to everyone.”
Sokolovsky’s extradition to the United States has been granted, however he’s interesting that call. He faces one rely of conspiracy to commit laptop fraud; one rely of conspiracy to commit wire fraud; one rely of conspiracy to commit cash laundering, and one rely of aggravated identification theft.
Sources inform KrebsOnSecurity that Sokolovsky has been consulting with Houston, Tx.-based lawyer F. Andino Reynal, the identical lawyer who represented Alex Jones within the latest defamation lawsuit towards Jones and his conspiracy principle web site Infowars. Reynal was accountable for what Jones himself known as the “Perry Mason” second of the trial, whereby the plaintiff’s lawyer revealed that Reynal had inadvertently given them a whole digital copy of Jones’s cellphone. Mr. Reynal didn’t reply to requests for remark.
If convicted, Sokolovsky faces a most penalty of 20 years in jail for the wire fraud and cash laundering offenses, 5 years for the conspiracy to commit laptop fraud cost, and a compulsory consecutive two-year time period for the aggravated identification theft offense.
The Justice Department has arrange an internet site — raccoon.ic3.gov — that permits guests to verify whether or not their e-mail deal with exhibits up within the information collected by the Raccoon Stealer service.
