The Cybercriminal Who Rose from the Dead
When the U.S. government revealed charges against 26-year-old Mark Sokolovsky, it stunned more than a few cybersecurity researchers.
After all, they thought he was dead.
As it turns out, the baby-faced Ukrainian national — and alleged cybercriminal — was very much alive, but has suffered a serious reversal of fortune. His days of taking selfies with fistfuls of cash had come to an abrupt end.
Image: Mark Sokolovsky, accused of being a key player in Raccoon InfoStealer (Department of Justice)
Sokolovsky is now in a European jail, awaiting extradition to the United States, accused of being a key player in a massive international cybercrime operation that spawned a notorious Malware-as-a-Service (MaaS) known as Raccoon InfoStealer. The information-stealer targeted Windows® users, seeking out and swiping their stored credentials, which could then be sold on the dark web.
The BlackBerry Research & Intelligence Team previously detailed technical aspects of this threat group and now court documents reveal more about the business side of these attacks.
But a key question must still be answered: How did this cybercrime player convince so many he was dead, and then spring back to life?
War in Ukraine and the Chance to Play Dead
On the morning of Feb. 24, 2022, Russian president Vladimir Putin announced a "special military operation" in Ukraine. And for Ukrainian cybercriminals looking to disappear with their piles of profits, the invasion provided an opportunity.
Exactly one month after the Russian invasion, Raccoon Stealer’s darknet page (with the tagline “We steal, you deal”) shared a gut-wrenching message.
Dear Clients, unfortunately, due to the “special operation”, we will have to close our Raccoon Stealer project. The members of our team who were responsible for critical moments in the operation of the product are no longer with us.
To many who were familiar with the group and its exploits, it sounded like the Russian invasion of Ukraine was responsible for the death of Sokolovsky. The post from the group included a crying emoji, and expressed the wish that fellow dark web citizens might, like the mourned Sokolovsky and his colleagues, “find $1,000,000 in profit.” The message ended with a heart emoji, followed by a wistful farewell message: “…unfortunately everything, sooner or later, comes to an end. Peace for everyone.”
Image: Screenshot from Raccoon Stealer’s dark web page sharing “news” of Sokolovsky’s death
The Raccoon InfoStealer operation was dead, many thought, along with its key operator. But things aren’t always as they seem, especially when it comes to cyberthreats and the actors behind them.
Did Operational Security Gaps Help Catch a Cybercriminal?
According to court documents, Sokolovsky fled Ukraine at a time when his countrymen were prohibited from leaving, because they were needed to help with Ukraine’s defense.
Instead of heading to the afterlife, he headed out on a European road trip, behind the wheel of a Porsche Cayenne. He cruised through Poland, then Germany, and eventually arrived in the Netherlands. At one of the crossings, a border camera snapped a photo of Sokolovsky driving, with his girlfriend in the passenger seat.
His girlfriend posted pictures of the couple’s journey on her Instagram account, which is now set to private.
Image: Mark Sokolovsky and his girlfriend posing in Europe (Instagram)
Did these photos and perhaps sightings in Western Europe eventually lead to Sokolovsky’s arrest? That remains unclear. However, just 16 days after their romantic road trip started, it was over. Dutch law enforcement arrested Sokolovsky on March 20, 2022. (Five days later, the post hinting at the demise of its “key members” was posted to the Raccoonstealer account.)
Since that time, the Dutch court agreed to extradite Sokolovsky to the U.S., and Italian and Dutch police seized Raccoon Infostealer’s digital infrastructure, shutting the malware down for several months. This is why the threat actor went quiet — not because the invasion killed him.
It was a surprising twist for those in cybersecurity and cybercrime circles, yes. But there is something else unusual about this case, and it has to do with the search for potential victims.
Cybercrime Case So Massive, FBI Creates Special Victim Portal
As our BlackBerry team reported, Raccoon Infostealer was an incredibly popular MaaS operation, where subscribers could pay less than $100 a month for access to data stolen from millions of infected computers from around the world.
The typical Raccoon Infostealer attack sequence began with phishing emails sent to potential victims. Some capitalized on people’s fears about the pandemic, such as the one shown in the screenshot below. This example claims to have important information about COVID symptoms – but instead, it made your computer sick. Anyone who clicked the link downloaded the group’s malware onto their device.
Image: Phishing email containing link to download Raccoon Infostealer malware (Source: U.S. Department of Justice)
The malware was designed to steal usernames and passwords from the victims. These stolen credentials were used to unlock bank accounts, cryptocurrency wallets and more. Some victims lost tens of thousands of dollars from their hacked accounts.
Raccoon Infostealer subscribers could download this stolen data and use it themselves or resell it to other cybercriminals on the dark web. Here’s an example of how the data was sold.
Image: Raccoon Infostealer subscriber sells stolen credit card data on the dark web (source: DOJ)
But Raccoon Infostealer provided subscribers with more than just profits. It also, somewhat surprisingly, provided excellent customer service, according to accounts, and was known in the cybercriminal underground for its responsiveness to customer inquiries. Day after day, malware profits climbed along with the number of victims — and the amount of valuable data — stolen by this digital bandit.
Following Sokolovsky’s arrest, the U.S. government took possession of a veritable mountain of data relating to the case. Like trying to unwind a tangled-up extension cord, the government painstakingly worked to sort the emails, banking information, cryptocurrency wallets, and passwords, in an effort to start notifying victims. The unsealed court documents explain more about the difficulties this task presented for the crimefighters:
“The potential victims in this case — individuals whose personally identifying information and financial information was stolen through the use of Raccoon Infostealer — may number in the millions, and ascertaining the true identities of those potential victims by analyzing the tranches of stolen data in the United States’ possession is an impossible task.”
Because of this, a judge granted the FBI the ability to create a reverse look-up website of sorts, where those who want to know if they are a victim of Raccoon Infostealer can use their email to find out. This is similar to the way https://haveibeenpwned.com/ works, but in this criminal case, your email is compared exclusively to the millions of emails found in the Raccoon InfoStealer database. Check for yourself at https://raccoon.ic3.gov/.
Image: Raccoon Infostealer victim identifier website (source: DOJ)
If your email is found in the treasure trove of data, the U.S. Department of Justice (DOJ) will send you a note with additional information on filing a formal complaint if you would like to do so.
The DOJ claims this unusual approach was necessary given the scope of victims. And it also limits the potential for threat actors to abuse news of this attack and launch related phishing campaigns. If you didn’t ask to be notified, then you can assume that any “victim notification” you receive is a phishing email or a scam.
What’s Next for the Cybercriminal Thought to Be Dead?
Mark Sokolovsky’s cash-laden selfies and romantic European get-aways are behind him for now. And the road ahead could be rough.
Once he’s extradited to the U.S., he faces up to 47 years behind bars if he is convicted on all charges against him.
In this unusual case, the grim reaper did not get him. But the long arm of the law sure did.