Feds accuse Ukrainian of renting out PC-raiding Raccoon malware to fiends

Mark Sokolovsky, 26, a Ukrainian national, is being held in the Netherlands while he awaits extradition to America on cybercrime charges, the US Justice Department said on Tuesday.

Sokolovsky, said to have used the online names Photix, Raccoon Stealer, and black21jack77777, was indicted on November 2, 2021 by a federal grand jury for his alleged role in the creation of Raccoon – a strain of malware that steals data from the Windows machines it infects – and for renting it as a service to others interested in information theft.

“Raccoon was malware as a service, or MaaS,” his recently unsealed indictment [PDF] explains. “Like software as a service, or SaaS, MaaS was operated on a lease basis where customers paid approximately $200 (USD) on a monthly basis to Raccoon – paying via cryptocurrency like Bitcoin – which allowed them to access and deploy Raccoon, then obtain a copy of the data stolen from their victims.”

Those deploying Raccoon used phishing messages and other tricks to get the malware onto potentially millions of victims’ computers worldwide. Once installed, the code provided access to login credentials and other data stored on the compromised system.

According to the US Attorney’s Office for the Western District of Texas this week, FBI investigators have identified more than 50 million unique credentials and forms of identification, including more than four million email addresses, along with bank account details, cryptocurrency addresses, credit card numbers, and the like, in data stolen using the software nasty. And US authorities believe there’s more info ferreted out by Raccoon to be found.

The Feds have created a website at raccoon.ic3.gov that people can use to check whether an email address they enter appears in the recovered data. The FBI will respond by email if the submitted address is found in the data trove. The FBI and the Department of Justice state in their respective privacy policies that they will not use submitted information for marketing.

Sokolovsky was arrested in the Netherlands in March, and around this time the FBI and law enforcement agencies in the Netherlands and Italy took control of the digital infrastructure used to deliver Raccoon. The US Army Criminal Investigation Division was also involved.

Sokolovsky has been charged with one count each of computer fraud, conspiracy to commit wire fraud, conspiracy to commit money laundering, and aggravated identity theft. In September, the Amsterdam District Court granted the US extradition request, and Sokolovsky appealed the decision.

Separately, the US Attorney’s Office in the Northern District of Georgia announced the arraignment of Daniel Kaye, for allegedly operating The Real Deal, an online market that sold exploit code and login credentials, among other things, and for allegedly laundering payments received through the online site.

Kaye, 34, from the UK, is said to have used a long list of pseudonyms, including Popopret, Bestbuy, TheRealDeal, Logger, David Cohen, Marc Chapon, UserL0ser, Spdrman, Dlinch Kravitz, Fora Ward, and Ibrahim Sahil. He is alleged to have worked with one or more persons going by the name thedarkoverlord to sell social security numbers. He is also accused of laundering cryptocurrency payments through Bitmixer.io, a Bitcoin mixing service that shut down in July 2017, three days after authorities took down the illicit markets AlphaBay and Hansa.

Kaye was indicted [PDF] in the United States on April 13, 2021 on charges of access device fraud, using and trafficking in unauthorized access devices, possession of unauthorized and counterfeit access devices, and money laundering conspiracy. An access device in this context refers to a stolen social security number.

He is said to have been overseas at the time the indictment was issued and, according to American prosecutors, agreed to be extradited to the Land of the Free from Cyprus last month.

Among data said to have been sold through The Real Deal were credentials associated with US government computers operated by the US Postal Service, the National Oceanic and Atmospheric Administration, the Centers for Disease Control and Prevention, the National Aeronautics and Space Administration, and the US Navy.

In early 2019, Kaye was sentenced to two years and eight months in a British prison for creating a botnet (based on the Mirai botnet code) that disrupted a telecom provider in Liberia in 2016. As his scheduled release in early 2020 approached, Bloomberg reported Kaye faced “court-mandated restrictions limiting his access to phones, computers, and encryption software,” but hoped to resume his career in computer security. ®