A 26-year-old Ukrainian national has been charged in the U.S. for his alleged role in the Raccoon Stealer malware-as-a-service (MaaS) operation.

Mark Sokolovsky, who was arrested by Dutch law enforcement after leaving Ukraine on March 4, 2022, in what’s said to be a Porsche Cayenne, is currently being held in the Netherlands and awaits extradition to the U.S.

“Individuals who deployed Raccoon Infostealer to steal data from victims leased access to the malware for approximately $200 per month, paid for by cryptocurrency,” the U.S. Department of Justice (DoJ) said. “These individuals used various ruses, such as email phishing, to install the malware onto the computers of unsuspecting victims.”

Sokolovsky is said to have gone by various online monikers like Photix, raccoonstealer, and black21jack77777 on online cybercrime forums to advertise the service for sale.

Raccoon Stealer, mainly distributed under the guise of cracked software, is known to be one of the most prolific information stealers, put to use by multiple cybercriminal actors for the extensive features and the customizability offered by the malware.

Active since April 2019, the threat actors behind the operation abruptly halted work on the project earlier this March, citing the loss of a core member due to a “special operation.”

While this was interpreted as the death of a developer in the Russo-Ukrainian war, court documents show that it was indeed Sokolovsky’s arrest and the subsequent dismantling of the malware’s infrastructure by Italian and Dutch authorities that led to the temporary shutdown.

That said, a second version of Raccoon Stealer written in C/C++ has since begun circulating on underground forums as of June 2022, with its authors touting the tool’s ease of use.

“It is so fast and simple that with its help it will not be difficult for a child to learn how to process logs,” the cybercrime gang posted in a message shared on its Telegram channel in May.

According to the U.S. Federal Bureau of Investigation (FBI), the malware is estimated to have facilitated the theft of 50 million unique credentials and forms of identification (e.g., email addresses, bank accounts, cryptocurrency addresses, and credit card numbers) from millions of victims globally.

The credentials allegedly consist of over four million email addresses, prompting the FBI to launch a website raccoon.ic3[.]gov to help users check if their email addresses show up in the Raccoon Stealer data.

Sokolovsky has been charged with one count of conspiracy to commit computer fraud and related activity in connection with computers; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering; and one count of aggravated identity theft.

If proven guilty, the defendant faces a maximum penalty of 20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense.

“This type of malware feeds the cybercrime ecosystem, harvesting valuable information and allowing cyber criminals to steal from innocent Americans and citizens around the world,” U.S. Attorney Ashley C. Hoff said.