Three weeks after Russia started dropping bombs on Ukraine in late February, a talented young computer programmer named Mark Sokolovsky climbed into a Porsche Cayenne with his girlfriend to get away from the fighting.
The pair made their way through Poland and then Germany before stopping in the Netherlands, where they thought they were safe. Little did they know that the U.S. Federal Bureau of Investigation and investigators in Europe had been watching them all along.
Sokolovsky, 26, had been named late last year in a sealed criminal indictment in federal court in Texas that alleged he was a key figure behind a pervasive type of malware known as Raccoon Infostealer that prosecutors say has infected millions of computers around the world, stealing financial login credentials and money from an untold number of victims.
Days after Sokolovsky crossed into the country, Dutch police arrested him in Amsterdam on charges of computer fraud, wire fraud, money laundering and identity theft. He faces more than 20 years in prison if convicted and remains in custody in the Netherlands while fighting an extradition proceeding that would send him to the U.S.
Messages left with Niels Van Schaik, the Dutch attorney representing Sokolovsky in his extradition proceeding, weren’t immediately returned.
The existence of the case had been under seal until last week, when authorities announced Sokolovsky’s arrest as part of an effort to track down possible victims. Following his arrest, investigators said, they managed to crack a giant cache of stolen data amounting to millions of email addresses and logins.
As part of their announcement, prosecutors and the FBI announced the creation of a website where people who suspect they may be victims can check to see if their personal information is contained among the data recovered by investigators.
“This is a very, very large global case,” said Ashley Hoff, the U.S. attorney for the Western District of Texas, where the case was filed.
‘We steal, you deal’
Raccoon Infostealer is an increasingly popular class of program called Malware-as-a-Service, or MaaS. The programmers who develop MaaS programs don’t typically steal people’s information themselves but rather license the software to other cybercriminals who use it to rip people off. A copy of all the stolen information was also kept by Raccoon’s operators.
Like any kind of legitimate software, Raccoon Infostealer offered 24-hour customer support and issued frequent programming updates, cybercrime experts say. The cost was $75 a week or $200 a month.
Raccoon Infostealer first appeared in early 2019 and was initially offered for sale on Russian-language platforms popular with cybercriminals and later also on English-language ones. Billing itself with the slogan, “We steal, you deal,” it was a hit, and it quickly appeared on the radar of cybersecurity experts.
“As it was distributed as MaaS or Malware-as-a-Service, it wasn’t used by just one threat actor or group, but multiple cybercriminals, so it was quite widespread,” said Oleg Skulkin of Group-IB, a cybersecurity firm based in Singapore. “For most cybercriminals, it’s much easier to buy or rent malware. It’s simply cheaper.”
In March, shortly after Sokolovsky was arrested, Raccoon’s operators put a message out to customers saying they needed to shut down because Russia’s war in Ukraine had disrupted operations.
“Unfortunately, due to the ‘special operation,’ we will have to close our Raccoon Stealer project,” the group said. “Our team members who were responsible for critical components of the product are no longer with us. Thank you for this experience and time, for every day, unfortunately everything, sooner or later, the end of the world comes to everyone.”
In Russia — particularly in the early days of the invasion of Ukraine — President Vladimir Putin compelled people to use the term “special operation” to describe the invasion. Those who called it a war or an invasion risked a significant prison term.
While many in the cybersecurity space interpreted the Raccoon shutdown message as meaning that key programmers had been killed in the early days of the fighting, it may instead have been a reference to Sokolovsky’s arrest.
Operators of Raccoon didn’t immediately return a message seeking comment. They issued a statement following the news of Sokolovsky’s arrest last week that they didn’t know him personally and that, when he disappeared in March, “of course we thought the worst.”
A few months later, a new version of the now-compromised software was relaunched, with some critical tweaks to its programming, experts said.
On the run
Sokolovsky hails from the city of Kharkiv in eastern Ukraine and attended university there. In the early days of the war, the city came under heavy bombardment by Russian forces.
According to an account on a blog run by Brian Krebs, a respected cybersecurity reporter and analyst, authorities were able to connect Sokolovsky to Raccoon through his iCloud account, which had been used to set up certain accounts attached to the malware program.
This allowed authorities to track Sokolovsky’s movements, Krebs reported. It also allowed them to recover a photograph of Sokolovsky holding up a large stack of money next to his face.
For months, investigators watched as Sokolovsky bounced back and forth between Kharkiv and the Ukrainian capital of Kyiv. Then, in late March, he turned up in Poland, near the border with Germany. A photograph was taken of Sokolovsky driving into Germany in a Porsche Cayenne with his girlfriend in the passenger seat.
At the time, Ukrainian men under the age of 60 weren’t allowed to leave Ukraine, because they were being drafted to fight the Russian invaders. Investigators believe Sokolovsky may have bribed his way out of the country, Krebs reported.
A few days later, authorities were able to zero in on Sokolovsky in Amsterdam after his girlfriend posted pictures on Instagram of them together there, Krebs reported.
In September, a Dutch court granted the U.S. petition to extradite Sokolovsky to Texas to face charges, but he has appealed the ruling.
Global in reach
Prosecutors say that while Sokolovsky played a key role in developing the Raccoon program, he had several accomplices. Authorities in both Italy and the Netherlands assisted in the investigation, prosecutors said.
Among the data recovered by the FBI were some 50 million unique credentials, including email addresses, bank-account logins, cryptocurrency addresses and credit-card numbers, prosecutors said. They say they don’t believe they have found all the data stolen through Raccoon Infostealer and are continuing to investigate.
Some of the data recovered included login information for several U.S. companies and for members of the military with access to armed-forces systems, according to court documents.