Ukrainian admits guilt in running Raccoon Stealer malware operation
8 Oct 2024
Ukrainian national Mark Sokolovsky has admitted his role in the Raccoon Stealer malware cybercrime operation. This malware was distributed under a “malware-as-a-service” (MaaS) model, allowing cybercriminals to rent it for $75 a week or $200 per month. Raccoon Stealer was designed to steal a wide range of sensitive information from infected devices, including browser credentials, cryptocurrency wallets, credit card data, email information, and more from various applications. Those renting the malware also gained access to an admin panel to customize it, retrieve stolen data, and create new versions.
Sokolovsky, also known by aliases like raccoon-stealer, Photix, and black21jack77777, was arrested in the Netherlands in March 2022, coinciding with a joint operation between the FBI and law enforcement agencies in the Netherlands and Italy to dismantle the malware’s infrastructure. This action took Raccoon Stealer offline. At the same time, the Raccoon Stealer group suspended its operations, claiming one of its lead developers was killed in the Ukraine conflict. Despite this, the group has since relaunched the operation twice, with newer versions of the malware having enhanced data-theft capabilities.
Following the 2022 takedown, the FBI obtained some of the stolen data and created a website where individuals can check if their information was compromised by Raccoon Stealer. Those who find their data in the U.S. government’s archive of stolen information will receive an email with further instructions and resources.
Sokolovsky was extradited to the U.S. in February 2024 after being indicted in October 2022 on charges of fraud, money laundering, and identity theft. The FBI identified over 50 million stolen credentials, including more than four million email addresses, but believes not all the stolen data has been recovered. As part of his plea deal, Sokolovsky agreed to pay $910,844.61 in restitution and forfeit an additional $23,975.