The Rise and Fall of Raccoon Infostealer: Inside a Global Cybercrime Operation


Posted on: 09 Oct 2024 | Author: Foresiet

In the ever-evolving landscape of cybercrime, malware-as-a-service (MaaS) has emerged as a lucrative business for cybercriminals. One of the most notorious examples is Raccoon Infostealer, malware designed to harvest personal and financial information from unsuspecting victims worldwide. The mastermind behind this operation, a Ukrainian national named Mark Sokolovsky, recently pleaded guilty in a U.S. federal court to his role in the cybercrime network.

A Closer Look at Raccoon Infostealer

Raccoon Infostealer was first detected in April 2019. It was engineered to steal a wide range of sensitive data, including:

  • Credit card details
  • Email credentials
  • Cryptocurrency wallets
  • Browser information
  • Bank account details

Screenshot 1 shows the announcement of Raccoon Stealer on a cyber forum.

Screenshot 2 shows the announcement of Raccoon Stealer on a cyber forum.

Written in C++ by Russian-speaking developers, Raccoon initially gained traction on Russian hacking forums. However, it quickly expanded to English-speaking cybercriminal circles, where it became a prominent player in the MaaS industry. For $200 per month, subscribers could access this malicious software to infiltrate computers worldwide, utilizing an easy-to-use automated backend system.

The malware primarily targeted applications that deal with cryptocurrency and personal data, such as:

  • Popular cryptocurrency wallets like Electrum, Exodus, and Monero
  • Common web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge
  • Email clients like Thunderbird and Outlook

How Raccoon Infostealer Operated

Raccoon Infostealer was not just a piece of malware; it was a service designed to make cybercrime accessible to even low-skilled hackers. The malware was sold as a subscription service, complete with 24/7 customer support and bulletproof hosting to keep it undetectable by cybersecurity defenses. This model attracted a wide range of cybercriminals looking to profit from stolen data, allowing them to access detailed user credentials and sensitive financial information.

At its peak, Raccoon had infected over 100,000 computers worldwide, with stolen data being sold on underground forums. The FBI and cybersecurity experts estimate that over 50 million unique credentials were harvested by the malware. This data included:

  • Email addresses
  • Bank account numbers
  • Cryptocurrency addresses
  • Credit card details

Screenshots show the Raccoon Stealer account page UI.

The Resurgence of Raccoon Infostealer

In an announcement made on August 14, 2023, Raccoon malware operators declared their return after a six-month hiatus from cybercrime forums. They expressed their gratitude to loyal users and claimed to have learned from past mistakes. They unveiled an update, version 2.3.0, which included significant enhancements based on user feedback and market trends.

Screenshots show updates for Raccoon Stealer 2.3.0

Key Updates in Version 2.3.0

  • Innovative URL Search Method: The update introduced a new algorithm for efficiently caching links in passwords and cookies, significantly improving search performance within the admin panel. Users can now find rare links in seconds, even among vast datasets.
  • Automatic Bot Lock: A new system recognizes unusual activity patterns, deleting suspicious logs and updating records to maintain security for users.
  • Activity Indicators: Each log now displays an activity indicator, providing users with insights into traffic patterns from various countries.
  • Log Schedules: Users can visualize activity dynamics with graphical representations of logs over selected periods (day, week, month, year).
  • Increased Bandwidth: Throughput on transit servers was increased by 60%, with the maximum log size raised from 150 to 250 megabytes.

Despite law enforcement efforts to dismantle Raccoon Infostealer, this announcement indicates that the malware continues to adapt and re-emerge, posing an ongoing threat to individuals and organizations alike.

The Fall of Sokolovsky and the Dismantling of Raccoon Infostealer

In March 2022, Sokolovsky was arrested in the Netherlands, marking the beginning of the end for the initial Raccoon Infostealer operation. His arrest was part of a coordinated effort involving the FBI and law enforcement agencies in Italy and the Netherlands, which resulted in the dismantling of the malware's digital infrastructure.

The arrest also led to the discovery of the stolen data, which law enforcement found on infected computers. The data collected included more than four million email addresses and vast amounts of sensitive information that cybercriminals had been using for fraudulent activities.

Despite the successful takedown of Raccoon Infostealer, the criminal operation was not over. By April 2023, new operators relaunched the malware with enhanced features, making it even harder to detect and more convenient for cybercriminals to use. This highlights the persistent nature of the threat, as the same tools and tactics resurface under different leadership.

In October 2024, Sokolovsky pleaded guilty to conspiracy to commit computer intrusions. As part of his plea deal, he agreed to forfeit nearly $24,000 and pay $910,844 in restitution to victims affected by the malware.

The U.S. Department of Justice (DoJ) released a statement emphasizing the impact of Sokolovsky’s actions on millions of victims worldwide. Despite the dismantling of the Raccoon Infostealer infrastructure, the investigation continues as authorities believe they have not yet recovered all of the stolen data.

The Ongoing Threat of Malware-as-a-Service

Raccoon Infostealer’s story serves as a stark reminder of the dangers posed by malware-as-a-service operations. Even after law enforcement successfully disrupts one network, the rapid evolution of malware technology means that new versions can quickly emerge. The return of Raccoon with upgraded features only a year after its takedown is proof of how resilient and adaptable cybercrime can be.

For businesses and individuals, this emphasizes the need for vigilance and up-to-date cybersecurity practices. With sensitive data being a primary target for these types of attacks, securing personal information should be a top priority for anyone using online services.

As the battle against cybercrime rages on, law enforcement agencies worldwide are continuing their efforts to track down and hold accountable the perpetrators of these crimes. The guilty plea of Mark Sokolovsky is a significant victory, but it’s clear that the fight against malware and cybercrime is far from over.

Final Thoughts

The case of Raccoon Infostealer sheds light on the global scale of cybercrime operations and the devastating effects they can have on millions of victims. While Sokolovsky’s arrest and guilty plea mark a major victory for law enforcement, the resurfacing of Raccoon malware shows how resilient these operations can be.

To stay safe in an increasingly connected world, individuals and organizations must adopt robust cybersecurity measures and stay informed about the latest threats in the digital space.


About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
