How Russia’s war in Ukraine helped the FBI crack one of the biggest cybercrime cases in years


Mark Sokolovsky is accused of being a key figure in the Raccoon Infostealer malware program, which has been connected to the theft of millions of login credentials around the world.


Department of Justice

Three weeks after Russia started dropping bombs in Ukraine in late February, a talented, young computer programmer named Mark Sokolovsky climbed into a Porsche Cayenne with his girlfriend to get away from the fighting.

The pair made their way through Poland and then Germany, before stopping in the Netherlands, where they thought they were safe. Little did they know, the U.S. Federal Bureau of Investigation and investigators in Europe had been watching them all along.

Sokolovsky, 26, had been named late last year in a sealed criminal indictment in federal court in Texas that alleged he was a key figure behind a pervasive type of malware known as Raccoon Infostealer that prosecutors say has infected millions of computers around the world, stealing financial login credentials and money from an untold number of victims.

Days after Sokolovsky crossed into the country, Dutch police swept in and arrested him in Amsterdam on charges of computer fraud, wire fraud, money laundering and identity theft. He faces more than 20 years in prison if convicted and has remained in custody in the Netherlands while fighting an extradition proceeding that would send him to the U.S.

Messages left with Niels Van Schaik, the Dutch attorney representing Sokolovsky in his extradition proceeding, weren’t immediately returned.

The existence of the case had been under seal until last week, when authorities announced Sokolovsky’s arrest as part of an effort to track down possible victims. Following his arrest, investigators said they managed to crack a giant cache of stolen data, amounting to millions of email addresses and logins.

As part of their announcement, prosecutors and the FBI announced the creation of a website, where people who suspect they may be victims can check to see if their info is contained among the data investigators recovered.

“This is a very, very large global case,” said Ashley Hoff, the U.S. attorney for the Western District of Texas, where the case was filed.

‘We steal, you deal’

Raccoon Infostealer is an increasingly popular class of program called Malware-as-a-Service or MaaS. That means that the programmers who developed it don’t typically steal people’s information themselves but license the software to other cybercriminals who use it to rip people off. A copy of all the stolen info was also kept by Raccoon’s operators.

Like any legitimate software vendor, those behind Raccoon Infostealer offered 24-hour customer support and issued frequent programming updates, cybercrime experts say. The cost was $75 a week or $200 a month.

Raccoon Infostealer first appeared in early 2019 and was initially offered for sale on Russian-language platforms popular with cybercriminals and later also on English-language ones. Billing itself with the slogan, “We steal, you deal,” it was a hit, and quickly arrived on the radar of cybersecurity experts.

“As it was distributed as MaaS or Malware-as-a-Service, it wasn’t used by just one threat actor or group, but multiple cybercriminals, so it was quite widespread,” said Oleg Skulkin, of Group-IB, a cybersecurity firm based in Singapore. “For most cybercriminals it’s much easier to buy or rent malware. It’s simply cheaper.”

In March, shortly after Sokolovsky was arrested, Raccoon’s operators put a message out to customers saying they needed to shut down as Russia’s war in Ukraine had disrupted operations.

“Unfortunately, due to the ‘special operation,’ we will have to close our Raccoon Stealer project,” the group said. “Our team members who were responsible for critical components of the product are no longer with us. Thank you for this experience and time, for every day, unfortunately everything, sooner or later, the end of the world comes to everyone.”

Russian President Vladimir Putin, particularly in the early days of the full-scale invasion of Ukraine, insisted — under threat of significant prison term — that it be called not an invasion or war but a “special operation.”

While many in the cybersecurity space interpreted the Raccoon shutdown message as meaning that key programmers had been killed in the early days of the fighting, it may instead have been a reference to Sokolovsky’s arrest.

Operators of Raccoon didn’t immediately return a message seeking comment but issued a statement following news of Sokolovsky’s arrest last week that they didn’t know him personally and that, when he disappeared in March, “of course we thought the worst.”

A few months later, a new version of the now-compromised software was relaunched, with some critical tweaks to its programming, experts said.

On the run

Sokolovsky hails from the city of Kharkiv in eastern Ukraine and attended university there. In the early days of the war, the city came under heavy bombardment by Russian forces.

Ukrainian troops made advances in swaths of its Kharkiv region and retook Russian-held towns and cities. Russia’s Defense Ministry said Saturday that it is pulling back forces from key areas in the region. Photo: Juan Barreto/AFP/Getty Images

According to an account on the blog run by Brian Krebs, a respected cybersecurity reporter and analyst, authorities were able to connect Sokolovsky to Raccoon through his iCloud account, which had been used to set up certain accounts attached to the malware program.

This allowed authorities to track Sokolovsky’s movements, Krebs reported. It also allowed them to recover a photograph of Sokolovsky holding up a giant stack of money next to his baby face.

For months, investigators watched as Sokolovsky bounced back and forth between Kharkiv and the Ukrainian capital of Kyiv. But then, in late March, he turned up in Poland near the border with Germany. A photograph was taken of Sokolovsky driving into Germany in a Porsche Cayenne with his girlfriend in the passenger seat.

At the time, Ukrainian men under the age of 60 weren’t allowed to leave as they were being drafted to fight the Russian invaders, so investigators believe Sokolovsky may have bribed his way out of the country, Krebs reported.

A few days later, authorities were able to zero in on Sokolovsky in Amsterdam after his girlfriend posted pictures on Instagram of them together there, Krebs reported.

In September, a Dutch court granted the U.S. petition to extradite Sokolovsky to Texas to face charges, but he has since appealed the ruling.

Global in reach

Prosecutors say that while Sokolovsky played a key role in developing the program, he had several accomplices. The investigation was helped by authorities in both Italy and the Netherlands, prosecutors said.

Among the data recovered by the FBI were some 50 million unique credentials, including email addresses, bank-account logins, cryptocurrency addresses and credit-card numbers, prosecutors said. They say they don’t believe they have found all the data stolen through Raccoon Infostealer and are continuing to investigate.

Some of the data recovered included login information for several U.S. companies and for members of the military with access to armed forces systems, according to court documents.
