How Russia’s war in Ukraine helped the FBI crack one of the biggest cybercrime cases in years


Three weeks after Russia started dropping bombs in Ukraine in late February, a talented, young computer programmer named Mark Sokolovsky climbed into a Porsche Cayenne with his girlfriend to get away from the fighting.

The pair made their way through Poland and then Germany, before stopping in the Netherlands, where they thought they were safe. Little did they know, the U.S. Federal Bureau of Investigation and investigators in Europe had been watching them all along.

Sokolovsky, 26, had been named late last year in a sealed criminal indictment in federal court in Texas that alleged he was a key figure behind a pervasive type of malware known as Raccoon Infostealer that prosecutors say has infected millions of computers around the world, stealing financial login credentials and money from an untold number of victims.     

Days after crossing into the country, Dutch police swept in and arrested Sokolovsky in Amsterdam on computer fraud, wire fraud, money laundering and identity theft charges. He faces more than 20 years in prison if convicted and has remained in custody in the Netherlands ever since while fighting extradition proceedings to send him to the U.S.

Messages left with Niels Van Schaik, the Dutch attorney representing Sokolovsky in his extradition proceeding, weren’t immediately returned.

The existence of the case had been under seal until last week when authorities announced Sokolovsky’s arrest as part of an effort to track down possible victims. Following his arrest, investigators said they managed to crack into a giant cache of stolen data, amounting to millions of email addresses and logins.

As part of their announcement, prosecutors and the FBI announced the creation of a web site where people who suspect they may be victims can check whether their information is contained among the data investigators recovered.

“This is a very, very large global case,” said Ashley Hoff, the U.S. attorney for the western district of Texas, where the case was filed.

‘We steal, you deal’

Raccoon Infostealer belongs to an increasingly popular class of program known as Malware-as-a-Service, or MaaS. That means the programmers who developed it don’t typically steal people’s information themselves, but license the software to other cybercriminals, who use it to rob victims. A copy of all the stolen information was also kept by Raccoon’s operators.

Like any legitimate software vendor, those behind Raccoon Infostealer offered 24-hour customer support and issued frequent programming updates, cybercrime experts say. The cost was $75 a week or $200 a month.

Raccoon Infostealer first appeared in early 2019 and was initially offered for sale on Russian-language platforms popular with cybercriminals and later also on English-language ones. Billing itself with the slogan, “We steal, you deal,” it was a hit, and quickly came on the radar of cyber-security experts.

“As it was distributed as MaaS or Malware-as-a-Service, it wasn’t used by just one threat actor or group, but multiple cybercriminals, so it was quite widespread,” said Oleg Skulkin, of Group-IB, a cybersecurity firm based in Singapore. “For most cybercriminals it’s much easier to buy or rent malware. It’s simply cheaper.” 

In March, shortly after Sokolovsky was arrested, Raccoon’s operators put a message out to their customers saying they needed to shut down because Russia’s war in Ukraine had disrupted their operations.

“Unfortunately, due to the ‘special operation,’ we will have to close our Raccoon Stealer project,” the group said. “Our team members who were responsible for critical components of the product are no longer with us. Thank you for this experience and time, for every day, unfortunately everything, sooner or later, the end of the world comes to everyone.”  

While many in the cyber security space interpreted that as meaning that some key programmers had been killed in the early days of the fighting, it may have been a reference to Sokolovsky’s arrest.

Operators of Raccoon didn’t immediately return a message seeking comment, but issued a statement following news of Sokolovsky’s arrest last week that they didn’t know him personally and that when he disappeared in March, “of course we thought the worst.”

A few months later, a new version of the now-compromised software was relaunched, with some critical tweaks to its programming, experts said.

On the run

Sokolovsky hails from the city of Kharkiv in eastern Ukraine and attended university there. In the early days of the war, the city came under heavy bombardment by Russian forces.

According to an account on the blog run by Brian Krebs, a respected cyber security reporter and analyst, authorities were able to connect Sokolovsky to Raccoon through his iCloud account, which had been used to set up certain accounts attached to the malware program.

This allowed authorities to track Sokolovsky’s movements, Krebs reported. It also allowed them to recover a photograph of Sokolovsky holding up a giant stack of money next to his baby face. 

For months, investigators watched as Sokolovsky bounced back and forth between Kharkiv and the Ukrainian capital of Kiev. But then in late March, he turned up in Poland near the border with Germany. A photograph was taken of Sokolovsky driving into Germany in a Porsche Cayenne with his girlfriend in the passenger seat.   

At the time, Ukrainian men under the age of 60 weren’t allowed to leave the country, as they were being drafted to fight the Russian invaders, so investigators believe Sokolovsky may have bribed his way out, Krebs reported.

A few days later, authorities were able to zero in on Sokolovsky in Amsterdam after his girlfriend posted pictures of them together there on Instagram, Krebs reported.  

In September, a Dutch court granted the U.S. petition to extradite Sokolovsky to Texas to face charges, but he has since appealed the ruling.

Global in reach

Prosecutors say that while Sokolovsky played a key role in developing the program, he had several accomplices. The investigation was helped by authorities in both Italy and the Netherlands, prosecutors said.

Among the data recovered by the FBI were some 50 million unique credentials, including email addresses, bank account log-ins, cryptocurrency addresses and credit card numbers, prosecutors said. They say they don’t believe they have found all the data stolen through the use of the Raccoon Infostealer and are continuing to investigate. 

Some of the data recovered included login information for several U.S. companies and for members of the military with access to armed forces’ systems, according to court documents.
