Feds go after malware-for-lease operation with Texas victims, including in San Antonio

Indictment against Ukrainian man connected to ‘Raccoon Infostealer’ unsealed; FBI opens website to check email addresses

SAN ANTONIO – As federal prosecutors look for victims of a global malware-for-lease scheme, they’re pulling back part of the curtain to an ongoing investigation into “Raccoon Infostealer.”

Criminals were able to lease access to Raccoon Infostealer for approximately $200 a month in cryptocurrency and secretly steal personal information, like log-in credentials and financial information. Investigators said many victims were the targets of email phishing attempts that included a link that would download the malware.

Stolen data was used by Raccoon Infostealer users and resold on cybercrime forums, prosecutors said.

In San Antonio on Tuesday, federal prosecutors and law enforcement announced the unsealing of a November 2021 indictment against a Ukranian man suspected of helping operate the malware.

Dutch authorities arrested Mark Soklovsky, 26, in March, a few weeks after he left Ukraine. He is currently fighting an extradition request to the US.

Mark Sokolovsky was indicted in November 2021. Dutch authorities arrested him in March 2022, and he is currently fighting an extradition request to the United States. (KSAT)

Federal authorities said law enforcement in Italy and the Netherlands helped dissemble the digital infrastructure for Raccoon Infostealer around the time of Soklovsky’s arrest. However, US Attorney for the Western District of Texas Ashley Hoff said new versions of the malware may have popped up since.

By unsealing Soklovsky’s indictment, Hoff said the government can start the process of notifying victims. To do that, the FBI has created a website for potential victims to see if their email addresses are among the stolen data investigators have recovered.

“We’ll be able to identify whether or not they were compromised in this particular malware scam and to help them forward as victims of this particular malware scam,” Hoff said. “But we’re always vulnerable. We are all vulnerable all the time.”

The website only checks email addresses, though - not other compromised information like bank accounts or credit card numbers.

The FBI’s Austin Cyber Task Force and Army CID are still investigating the case, and FBI agents have identified more than 50 million unique credentials and forms of identification among the recovered stolen data, which appear to include more than 4 million email addresses, according to a news release.

However, federal authorities do not believe they have all of the stolen information.

An attachment from Sokolovsky's indictment shows how cyber criminals could lease access to the malware (U.S. Department of Justice)
The FBI says many victims were compromised through email phishing attempts, like this one shown in Sokolovsky's indictment. (U.S. Department of Justice)

Hoff said victims stretched across the globe, including El Paso, San Antonio, and Austin, which is partly why the federal authorities for the Western District of Texas have the case.

Sokolovsky was indicted in November 2021 on four charges: conspiracy to commit fraud and related activity in connection with computers, conspiracy to commit wire fraud, conspiracy to commit money laundering, and aggravated identity theft.

Though Hoff would not specify Sokolovsky’s suspected role with Raccoon Infostealer, a U.S. Department of Justice victim’s assistance webpage notes that he is “alleged to be one of the key administrators” behind the malware.

Hoff would not comment on whether there were other indictments in the case.

Also on KSAT:

About the Author

Julie Moreno has worked in local television news for more than 25 years. She came to KSAT as a news producer in 2000. After producing thousands of newscasts, she transitioned to the digital team in 2015. She writes on a wide variety of topics from breaking news to trending stories and manages KSAT’s daily digital content strategy.

Recommended Videos