October 31, 2022

A 26-year-old Ukrainian man is awaiting extradition from The Netherlands to the United States on charges that he acted as a core developer for Raccoon, a popular “malware-as-a-service” offering that helped paying customers steal passwords and financial data from millions of cybercrime victims. KrebsOnSecurity has learned that the defendant was busted in March 2022, after fleeing mandatory military service in Ukraine in the weeks following the Russian invasion.

Ukrainian national Mark Sokolovsky, seen here in a Porsche Cayenne on Mar. 18 fleeing mandatory military service in Ukraine. This image was taken by Polish border authorities as Sokolovsky’s vehicle entered Germany. Image: KrebsOnSecurity.com.

The U.S. Attorney for the Western District of Texas unsealed an indictment last week that named Ukrainian national Mark Sokolovsky as the core developer for the Raccoon Infostealer business, which was marketed on several Russian-language cybercrime forums beginning in 2019.

Raccoon was essentially a Web-based control panel, where — for $200 a month — customers could get the latest version of the Raccoon Infostealer malware, and interact with infected systems in real time. Security experts say the passwords and other data stolen by Raccoon malware were often resold to groups engaged in deploying ransomware.

Working with investigators in Italy and The Netherlands, U.S. authorities seized a copy of the server used by Raccoon to help customers manage their botnets. According to the U.S. Justice Department, FBI agents have identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) stolen with the help of Raccoon.

The Raccoon v. 1 web panel, where customers could search by infected IP, and stolen cookies, wallets, domains and passwords.

The unsealed indictment (PDF) doesn’t delve much into how investigators tied Sokolovsky to Raccoon, but two sources close to the investigation shared more information about that process on condition of anonymity because they were not authorized to discuss the case publicly.

According to those sources, U.S. authorities zeroed in on an operational security mistake that the Raccoon developer made early on in his posts to the crime forums, connecting a Gmail account for a cybercrime forum identity used by the Raccoon developer (“Photix”) to an Apple iCloud account belonging to Sokolovsky. For example, the indictment includes a photo that investigators subpoenaed from Sokolovsky’s iCloud account that shows him posing with several stacks of bundled cash.

A selfie pulled from Mark Sokolovsky’s iCloud account. Image: USDOJ.

When Russia invaded Ukraine in late February 2022, Sokolovsky was living in Kharkiv, a city in northeast Ukraine that would soon come under heavy artillery bombardment from Russian forces. Authorities monitoring Sokolovsky’s iCloud account had spent weeks watching him shuttle between Kharkiv and the Ukrainian capital Kyiv, but on Mar. 18, 2022, his phone suddenly showed up in Poland.

Investigators learned from Polish border guards that Sokolovsky had fled Ukraine in a Porsche Cayenne along with a young blond woman, leaving his mother and other family behind. The image at the top of this post was shared with U.S. investigators by Polish border security officials, and it shows Sokolovsky leaving Poland for Germany on Mar. 18.

At the time, all able-bodied men of military age were required to report for service to help repel the Russian invasion, and it would have been illegal for Sokolovsky to leave Ukraine without permission. But both sources said investigators believe Sokolovsky bribed border guards to let them pass.

Authorities soon tracked Sokolovsky’s phone through Germany and eventually to The Netherlands, with his female companion helpfully documenting every step of the trip on her Instagram account. Here is a picture she posted of the two embracing upon their arrival in Amsterdam’s Dam Square:

Authorities in The Netherlands arrested Sokolovsky on Mar. 20, and quickly seized control over the Raccoon Infostealer infrastructure. Meanwhile, on March 25 the accounts that had previously advertised the Raccoon Stealer malware on cybercrime forums announced the service was closing down. The parting message to customers said nothing of an arrest, and instead insinuated that the core members in charge of the malware-as-a-service project had perished in the Russian invasion.

“Unfortunately, due to the ‘special operation,’ we will have to close our Raccoon Stealer project,” the team announced Mar. 25. “Our team members who were responsible for critical components of the product are no longer with us. Thank you for this experience and time, for every day, unfortunately everything, sooner or later, the end of the WORLD comes to everyone.”

Sokolovsky’s extradition to the United States has been granted, but he is appealing that decision. He faces one count of conspiracy to commit computer fraud; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering, and one count of aggravated identity theft.

Sources tell KrebsOnSecurity that Sokolovsky has been consulting with Houston, Tx.-based attorney F. Andino Reynal, the same lawyer who represented Alex Jones in the recent defamation lawsuit against Jones and his conspiracy theory website Infowars. Reynal was responsible for what Jones himself referred to as the “Perry Mason” moment of the trial, wherein the plaintiff’s lawyer revealed that Reynal had inadvertently given them an entire digital copy of Jones’s cell phone. Mr. Reynal did not respond to requests for comment.

If convicted, Sokolovsky faces a maximum penalty of 20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense.

The Justice Department has set up a website — raccoon.ic3.gov — that allows visitors to check whether their email address shows up in the data collected by the Raccoon Stealer service.

37 thoughts on “Accused ‘Raccoon’ Malware Developer Fled Ukraine After Russian Invasion”

  1. Robert.Walter

    I have no sympathy for this self-centered sociopathic crook and coward.

    Once US justice is done with him, he should go back to stand for cybercrime, draft evasion and bribery, plus whatever else applies. And it will be appropriate and good for him to spend a stretch in prison at home.

    Slava Ukraini ! And ï !

    Reply
    1. Donatello

      Most people living near Kharkov and other south eastern Ukraine are ethnically Russians and they could not care less about Ukraine, that’s why most of them will not want to be drafted and will flee to Europe. Nationalism is something new in Ukraine and most people don’t feel it. Now due to the war this nationalist sentiment is pushed through media, but when the war is over we will see how the people of Ukraine are thinking about this conflict.

      Reply
      1. BEC

        > Nationalism is something new in Ukraine

        Well it’s a pretty new nation after all, hope it lasts

        Reply
      2. Joseph Gurman

        “Nationalism is something new in Ukraine”

        Please tell that to fans of the national poet of Ukraine, Taras Shevchenko (1814 – 1861). Please tell that to the Zaporizhian Cossacks, who united much of Ukraine in the 16th and 17th centuries, and the Cossack Hetmanate of the 18th century. Tell that to those who briefly set up an independent Ukraine in 1918. Tell that to those who suffered under the Holodomor of the 1930s. And so on.

        Ukrainian nationalism is only news to Putin.

        Reply
      3. Observer

        You have no clue. The Ukrainians in Kharkiv (with -iv!) and elsewhere are crystal clear about the death and destruction that the Russian terror brought into their lives. Even before these bastards occupied Crimea in 2014. No need to wait for the Russian defeat to see that there’s been a dramatic shift in perception – Russia is nothing but a terrorist state that destroyed thousands of lives. One doesn’t have to join the military to fight against them and their barbaric threats.

        Reply
  2. Reason V.

    While I certainly can understand why this perp fled, it goes to show that with everyone posting everything on the Internet, the days of actually doing research and recon are gone. All that’s necessary now is really to just comb and put puzzles together by checking IG, SC, FB, and other social media platforms.
    People willingly post everything and anything these days…

    Reply
  3. Concerned

    Look, the guy may be guilty as sin with this Racoon thing, however having authorities follow my movements because I have a selfie with “stacks of cash”? I want to have stacks of cash! Pile them high in my room and let me swim in them! That is not a reason to begin tracking someone. There has to be something else that someone is not speaking about, Brian.

    As to Ukraine, I have no love for Putin. But if he eliminates the Nazi party that took over Ukraine in a coup in 2015, so much the better. I know ethnic Russians that were under the recent Nazi party fire-bombings in Western Ukraine and Crimea. It was horrid what they were doing to their own citizens, for me it is on the same level with the Syrian regime and Aleppo. I just want any action to not harm any innocent civilians, just kill off the Nazis. Unfortunately with all the money and military hardware pouring into the Nazi’s coffers, that is not going to happen. Welcome to the topsy-turvey world where the West supports the Nazis and their new holocaust programme, against a dictator – who I remind you has nukes. And is being goaded into using them by a moronic idiot.

    Reply
    1. Vlad

      Well, remember all Russians are Nazis.
      They signed a peace treaty with Hitler, exterminated Jews, and did nothing to help win WW II.
      Putin is well known for his collection of Nazi memorabilia and wearing an SS uniform at home.

      Reply
      1. mealy

        When you have to use obviously false statements to prop up a dictatorship,
        you’re a dork.

        Reply
    2. Amino

      @Concerned
      The article states the cash in hand photo was as a result of a subpoena, which almost certainly means the subpoena included all contents from this guy’s iCloud account and the photo was just part of the contents. The “investigators” were already on his trail.

      As for the Nazis in Ukraine, why would such Nazis allow Zelensky, a Jew, to lead their country?
      Perhaps they embrace DIE (Diversity, Inclusivity, Equity) ideology more than their Nazism?

      Reply
    3. Dmitry

      There are no Nazi parties in Ukraine. Russia is actively introducing this idea to the world community. Please, study the material about it carefully.

      Reply
      1. GermanLeftie

        It’s so true. RTFM is such a clue. Just read the M as inforMation and not just Manual :D. How could any reading-able (including all getting to the core of the information without own reading ability) person ever come to the conclusion the Nazi story could be true.
        Let me take a short and simple recap of information I studied:
        Putin~a [almost wrote Russia, but my beliefs are that most of the Russians weren’t into that] took Crimea (never mentioned just one Nazi for that), Putin~a invaded Ukraine a couple of years later -> then Ukraine fires back. The timeline is showing who is the aggressor. Naming the action a ‘special operation’ while forbidding the ‘war’ narrative is more Nazi-like than everything I saw Ukraine doing.

        Reply
    4. Vladumber

      “I have no love for Putin. But” -phrase needs autoflagged.
      “I have no love for Putin simps.” -the autocorrected verbage.

      Reply
    5. Alex R

      > But if he eliminates the Nazi party that took over Ukraine in a coup in 2015
      Hey, kremlebot, are they still paying you for posting this nonsense? I didn’t know the troll factory is still in operation.

      Brian, they’re using your site to perpetuate disinformation that creates social unrest out of thin air.

      Reply
      1. mealy

        It’s in the 60’s. Down a bit from before April. Not the most comfortable asswipe.

        Reply
      1. Un-realist

        These questions are just indicative of how clueless about the whole situation you are.
        You can just google the USD/RUB exchange rate on Google, and easily see that it is better than before 24 Feb.
        YIKES!

        Reply
    6. PolishKnight

      When Russians refer to “Nazi coup”, what they mean is a free election held to replace the disgraced pro-Russian president found to have stolen 1.5 billion. There were 2 additional elections since then with the current administration being a Jewish former comedian. The argument that Putin is a dictator with nukes would seem to imply Russia is a threat and that NATO and Ukraine needs more funding so good argument, thanks. The firebombings he may be referring to were in Odessa (not west Ukraine) which was stoked by armed Russian citizens in the region (not Ukrainians). Russia has bombed their “liberated” ethnic Russian cities to the ground having poured thousands of civilians into mass graves and then conscripted the young men such as Sokolovsky to become “cannon meat” as they put it on the front to be shot in the back by the FSB/KGB if they attempt to retreat hence it’s Russia depopulating the region. I don’t know of any significant issues in Crimea prior to the covert Russian invasion of the peninsula hence he’s lying when he knows someone who experienced them there.

      Reply
    7. Russian

      Do you live in a cave or something? I am afraid according to the European Union, the Nazi party is Kremlin and their propaganda, it’s pretty official at this point. Russia is going to have to pay for all of the missile strikes, destroyed life and none of the propaganda is going to help.

      Reply
  4. The Sunshine State

    Instead of fighting to protect his own country from invading Russian forces, Sokolovsky wimped out and left the country like a coward. What a loser!

    Good to see that Apple threw him under the bus!

    Reply
  5. BaliRob

    The Government link for raccoon does not work here in Indonesia – is there a suffix missed off it please?

    Reply
  6. Moonshot

    People: “I use Apple and not Google because Apple respects my privacy and won’t let the feds have my data!”
    Apple: Well, actually, they just need a warrant and we hand it over, so….
    Feds: And we can gin up a warrant for almost any reason. Try us™

    Reply
    1. Realist

      Spoken like a true conspiracy theorist who has no clue about how Law Enforcement actually works.
      Suuuurrre… we have nothing better to do than to “gin” up a warrant.

      I believe your tin foil hat is on too tight.

      Reply
  7. Geraldo Putter

    It doesn’t matter what country these depraved criminals are from, Ukraine, Russia, Nigeria, whatever. If they are destroying people’s lives by stealing their life’s savings, they deserve much more than 20 years in some gulag, maybe even capital punishment.

    Reply
  9. Dave L

    I happen to live in Rome, Italy. Back in the early days of the war, my wife and I were heading north on the A1. I recall at a toll intersection, the car in front of us was taking a while to pay the toll and the people were out of their car trying to figure it out. If I recall, the car was a Porsche Cayenne and we were struck by the young age of the male driver and young blond woman, and that the plate or some other marking indicated the car was from Ukraine. My wife and I talked about it at length because we thought, ‘Why isn’t this guy back in Ukraine to fight and instead is driving a super nice car in Italy.’ I can’t ever know for sure whether the two are one and the same but it seems coincidental assuming he was actually in Italy at this point in time. Not that it matters but I could probably go back to any credit card/fuel charges back in March to see where the location was more specifically. Definitely 2 to 3 hours north from Rome.

    Reply
  10. Adam

    That guy stole 50 million credentials, but somehow the comment section is about Putin and talks it as if his worst crime is draft evasion. Can you just stop plastering your f*cking Ukrainian propaganda everywhere?

    Reply
    1. Mahhn

      Agreed, maybe a suitable punishment would be to deliver him back to Ukraine, handcuffed from 15,000 feet.
      I see no reason to waste resources on a punk that steals from all, abandons his family and country. Just end him.

      Reply
    2. Jon Marcus

      Guy didn’t just evade the draft, he abandoned his elderly mother and the rest of his family to the tender mercies of Russian artillery while he and his girlfriend went on a joyride across Europe. Providing a service used to rip off strangers thousands of miles away might seem dry and distant. The way he treated family makes his scumbaggery more immediate and relatable.

      Re the comment section being about Putin & draft evasion, I see exactly one comment like that, from Sunshine State. Everything else seems to be in response to posts from the “Ukraine doesn’t really exist, and Jews are the real Nazis” trolls.

      Reply
  11. sergi tolstoy

    Everyone is everything, since the beginning of time.
    All colors, all ethnicities, all religions are all the same.
    The human being, in a Matrix.

    Enjoy your life, until the next One.

    Reply
  12. BEC

    “Sources tell KrebsOnSecurity that Sokolovsky has been consulting with Houston, Tx.-based attorney F. Andino Reynal, the same lawyer who represented Alex Jones in the recent defamation lawsuit against Jones ”

    What a stupid idea, I don’t believe that. Get a decent lawyer, or one that at least does something beyond being a government plant.

    Reply