Ukraine identifies infostealer operator tied to 28,000 stolen accounts

Published: May 20, 2026 at 05:36 PM EDT
Source: Bleeping Computer

Investigation Overview

The Ukrainian cyberpolice, in cooperation with U.S. law enforcement, identified an 18‑year‑old man from Odesa suspected of operating an infostealer malware campaign that targeted users of an online store in California. The threat actor used information‑stealing malware between 2024 and 2025 to infect devices, steal browser sessions and account credentials, and monetize the data.

Impact

  • Accounts affected: 28,000 customer accounts
  • Unauthorized purchases: 5,800 transactions totaling about $721,000
  • Direct losses: Approximately $250,000 in chargebacks

Infostealers harvest sensitive data such as passwords, browser cookies, session tokens, crypto wallets, and payment information, which are then sold or used for fraud.

“To carry out the criminal scheme, the attackers used ‘infostealer’ malware that secretly infected users’ devices, collected login credentials, and transmitted them to servers controlled by the attackers,” the Ukrainian police report states.

The stolen “session data” refers to session tokens, which can be used to log in to victims’ accounts without credentials and may bypass multi‑factor authentication (MFA).

Methodology

The suspect managed the online infrastructure used to process, sell, and exploit the stolen session data. He also engaged in cryptocurrency transactions with accomplices, facilitating the monetization of the stolen information.

Evidence Seized

Seized Items

Police conducted two searches at the suspect’s residences, seizing:

  • Mobile phones
  • Computer equipment
  • Bank cards
  • Electronic storage media
  • Other digital evidence confirming involvement

Evidence Includes

  • Access to resources for selling stolen data
  • Server activity logs
  • Accounts on cryptocurrency exchanges

Cyberpolice at the suspect's house
Source: cyberpolice.gov.ua

Suspect's computer
Source: cyberpolice.gov.ua

Current Status

Authorities have identified the suspect, conducted searches, and seized devices and other evidence linking him to the operation. The announcement does not mention an arrest, suggesting investigators may still be building the case before formally charging him.
