During the past months, several weeks after Russia began dropping bombs on Ukraine in late February, a talented young computer programmer named Mark Sokolovsky and his girlfriend have been climbing into a Porsche Cayenne to set out on a road trip. The purpose of this was to get away from the fighting as much as possible.
During their trip, the pair passed through Poland and Germany before stopping in the Netherlands. They thought it was their last stop, believing it was their last stop from the sky.
The people in charge of immigration back in the United States had no idea that FBI investigators were monitoring them at all times. They were constantly monitoring their counterparts in Europe as well.
Late last year, somebody named Sokolovsky, 26 was brought into federal court in the state of Texas as a defendant in a sealed criminal indictment. There are allegations in the indictment that allege that he was the primary innovator and/or director of a type of malware known as Raccoon Infostealer. Millions of computers have been infected with malicious software around the world. This allows hackers to steal login credentials to financial institutions and money from an uncountable number of victims.
Sokolovsky entered the Netherlands a few days later and was arrested in Amsterdam. He was charged with computer fraud, wire fraud, money laundering, and identity theft after crossing the border. Upon conviction, he would be sentenced to more than 20 years in prison. He remains in custody in the Netherlands while fighting an extradition proceeding, a process that would send him to the United States of America if convicted.
Sokolovsky's Dutch attorney Niels Van Schaik, who is currently representing him in the extradition proceedings, has not responded to messages left for him.
Sokolovsky's arrest last week was announced as part of a coordinated effort by an auditing agency to find out who the victims might be. The case was under seal until last week when authorities announced Sokolovsky's arrest. According to investigators, shortly after he was arrested, they were able to crack through a giant cache of stolen data summarizing millions of email addresses and login credentials.
An announcement was made earlier this week by the FBI and prosecutors regarding the creation of a website as part of their announcement. As a result of this, it has become possible for victims to be able to check if there is any information about them contained within the data recovered by investigators by doing the following.
Ashley Hoff, U.S. Attorney for the Western District of Texas, described the case as a very, very large case that has implications around the world. "This is a very, very global case," Ashley Hoff said.
There is a saying "we steal you deal":
Maas programs, developed by programmers, do not typically steal information from people. Instead, they license the software to other cybercriminals who then use it to rob the victim of their savings. Moreover, Raccoon's operators ensured that a copy of all the stolen information along with the actual evidence was kept.
According to cybercrime experts, Raccoon Infostealer is just like any other legitimate software. The company offers 24-hour customer service and issues frequent updates to its software every few weeks. A week's rental price would be $75 or a month's rental would be $200.
Raccoon Infostealer is one of the most sophisticated malware tools that was developed by expert cyber criminals and was initially offered for sale on Russian-language platforms popular with cybercriminals as well as English-language ones later on. As a result, it quickly gained attention from cybersecurity experts, and it was marketed under the slogan "We steal, you deal," so it was an instant hit.
There was an early appearance of Raccoon Infostealer in early 2019 and it was first offered for sale on Russian-language platforms, which were popular with cybercriminals at the time, and then it was also made available on English-language platforms. This moniker, "We steal, you deal," is a slogan that was adopted by this company, which quickly rose to prominence among cybersecurity experts when it started attracting attention.
Immediately after Sokolovsky was arrested in March, Raccoon's operators issued a message to their customers, informing them that they needed to shutter their operations. The message explained the fact that the war in Ukraine had disrupted their operations.
Among the most popular types of malicious software is Raccoon Infostealer, which belongs to the Malware-as-a-Service class. It is unfortunate to inform you that, due to the 'special operation,' we will have to close down our Raccoon Stealer project, the group said in a statement. There are several members of our team who were responsible for critical components of the product at one time, but they are no longer with us. It has been a pleasure to work with you, and I am thankful for your time and experience, because, unfortunately, everything comes to an end sooner or later, so I was compelled to continue this conversation.
During the early stages of the invasion of Ukraine, President Vladimir Putin compelled people to refer to the invasion of Ukraine as a "special operation" to distinguish it from other kinds of invasions. It was highly risky for those who called it a war or an invasion, as they would risk serving long prison sentences.
The Raccoon shutdown message has been interpreted as meaning that several senior programmers have been killed before the fighting has even begun. However, it could be a reference to the arrest of Sokolovsky, which many in the cybersecurity space thought was an indication of that.
We left a message on the Raccoon Operators' website asking for comment, but they did not respond immediately. Sokolovsky's arrest last week sparked a statement from them in which they acknowledged that they didn't know him personally, and, when he disappeared in March, "we naturally thought the worst when we heard the news about it.
The software was relaunched a few months later, with some critical changes made to its programming, experts said, with a revised version of the now-compromised software.
On the run
Originally from Kharkiv in eastern Ukraine, Sokolovsky attended university in that city and has remained there ever since. Russian forces started bombarding the city heavily during the early stages of the war, which caused the city to suffer heavy damage.
As reported on the cybersecurity blog run by Krebs, an acclaimed cybersecurity reporter, and analyst, authorities were able to tie Sokolovsky to Raccoon through an account he had set up on his iCloud account with as many as three accounts linked to the Raccoon malware program, available through Apple's AAPL stock price AAPL, -4.25%.
Krebs reported that this allowed authorities to track Sokolovsky's movements for a period of two to three months. The police were also able to retrieve a photograph in which Sokolovsky is seen standing near a large pile of money with his face framed by it.
During the past months, investigators have watched as Sokolovsky bounced back and forth from Kharkiv to the Ukrainian capital, Kyiv, and back and forth between the two cities.
Upon hearing that he had turned up in Poland, near the German border, in late March, the situation changed dramatically. There was a photograph taken of Sokolovsky in a Porsche Cayenne with his girlfriend in the passenger seat as he drove into Germany in a Porsche Cayenne.
During that period, Ukrainian men under the age of 60 were not allowed to leave their country. They were drafted into fighting the Russian invaders, who were invading Ukraine. As Krebs reported, investigators believe Sokolovsky may have blackmailed his way out of the country by offering him bribes.
Krebs reported that a few days after Sokolovsky was caught in Amsterdam, authorities were able to pinpoint him. This is because his girlfriend posted pictures on Instagram of them showing that they were together in Amsterdam.
A Dutch court dismissed the petition for Sokolovsky's extradition to Texas last month, but the Russian has appealed the decision, and he is now in prison in the Netherlands.
Reaching out across the globe
Sokolovsky, the main architect of the Raccoon program is claimed to have received assistance from several accomplices while working on the program. Prosecutors said that both Italian and Dutch authorities participated in the investigation and assisted the authorities in their work.
In addition to recovering some 50 million unique credentials from the FBI data cache, prosecutors said that the FBI also retrieved email addresses, bank logins, cryptocurrency addresses, and credit card numbers as part of the investigation. Even though they don't believe they have recovered all the data stolen by Raccoon Infostealer and are continuing to investigate, they say they may not be able to find all of it.
Court documents indicate that some of the data recovered by the hackers included login information for several U.S. companies in addition to information on military members with access to armed forces computers, according to the documents.