Feds Arrest Ukrainian for Renting out Raccoon Malware

US Justice Department on Tuesday arrested Mark Sokolovsky, 26, a Ukrainian national, in the Netherlands, for renting out Raccoon Malware. He awaits extradition to the United States on cybercrime charges.

Sokolovsky admitted to using aliases such as Photix, Raccoon Stealer, and black21jack77777. He was previously indicted on November 2, 2021, for his alleged role in using Raccoon Malware to steal data from the Windows systems it infected. He also rented the malware as a service to others interested in stealing information.

According to the indictment, “Raccoon malware as a service, or MaaS (like software as a service, or SaaS), was operated on a lease basis where customers paid approximately $200 (USD) on a monthly basis to Raccoon – paying via cryptocurrency like Bitcoin – which allowed them to access and deploy Raccoon, then obtain a copy of the data stolen from their victims.”

Raccoon Malware's operators used phishing messages and other tricks to install the malware on the computers of potentially millions of victims. Once installed, the code gave its operators access to login credentials and other data stored on the compromised system.

According to US authorities, FBI investigators have identified more than 50 million unique credentials and forms of identification, including more than four million email addresses, along with bank account details, cryptocurrency addresses, credit card numbers, and the like. The US Attorney’s Office for the Western District of Texas says that there’s no sign that the information they found is all that Raccoon has — there’s likely more to be found in the future.

The Federal Bureau of Investigation has created a website, raccoon.ic3.gov, which provides access to the data recovered from its email warrant sweeps. Individuals can submit an email address and will be notified by email if it matches information in the recovered data. The FBI and the Department of Justice state that submitted personal information will not be used for marketing purposes.

In March, Sokolovsky was arrested in the Netherlands. Dutch law enforcement agencies took control of the digital infrastructure used to deliver Raccoon a few weeks later. The US Army Criminal Investigation Division joined the investigation shortly after.

Sokolovsky has been charged with one count of wire fraud, two counts of computer fraud, two counts of conspiracy to commit wire fraud, and two counts of conspiracy to commit money laundering. His sentencing date is uncertain at this time: he appealed the decision in September, and the Dutch District Court denied his appeal in November.

The U.S. Attorney’s Office in the Northern District of Georgia announced the arraignment of Daniel Kaye, who is believed to have operated an online marketplace that sold exploit code, access to hacked accounts, and other high-value goods, on charges of laundering payments received through the website.

Kaye, 34, from the UK, is said to have used a long list of pseudonyms, including Popopret, Bestbuy, TheRealDeal, Logger, David Cohen, and Marc Chapon. He is accused of working with one or more persons going by the name the dark overlord to sell social security numbers and to launder cryptocurrency payments through Bitmixer.io. AlphaBay and Hansa were taken down by authorities three days after Bitmixer.io closed its doors.

Kaye was indicted on April 13, 2021, for fraud, using and trafficking in unauthorized social security numbers, possession of counterfeit and/or unauthorized social security numbers, and money laundering. An access device in this context refers to a stolen social security number.

He is reportedly overseas and agreed to be extradited from Cyprus back to the US last month.

The personal information sold, mostly through The Real Deal, includes credentials associated with US government computers operated by the US Postal Service, the National Oceanic and Atmospheric Administration, the Centers for Disease Control and Prevention, the National Aeronautics and Space Administration, and the US Navy.

Bloomberg recently reported that Marcus Kaye, who created a botnet based on Mirai code and disrupted a telecom provider in Liberia in 2016, will be released from prison in 2020. After his release, he faces restrictions that limit his access to encryption software and phones. The report also mentioned that Kaye hopes to resume his career in cyber security.
