Malware | May 20, 2026

Ukraine identifies infostealer operator tied to 28,000 stolen accounts

Ukrainian police identify 18-year-old infostealer operator behind 28,000 stolen accounts and $721K in fraud.

Summary

Ukrainian cyberpolice and U.S. law enforcement identified an 18-year-old from Odesa who operated an infostealer malware campaign targeting a California online store between 2024 and 2025. The operation compromised 28,000 customer accounts, of which attackers used 5,800 to make unauthorized purchases totaling $721,000. The suspect administered the infrastructure for processing and selling stolen session data and credentials through underground channels and Telegram bots.

Full text

By Bill Toulas, May 20, 2026, 05:36 PM

The Ukrainian cyberpolice, working in conjunction with U.S. law enforcement, has identified an 18-year-old man from Odesa suspected of running an infostealer malware operation targeting users of an online store in California.

According to the Ukrainian police, the threat actor used information-stealing malware between 2024 and 2025 to infect users’ devices and steal browser sessions and account credentials.

Infostealers are a popular type of malware that harvests sensitive data, including passwords, browser cookies, session tokens, crypto wallets, and payment information, from infected devices and sends it to cybercriminals for account theft, fraud, and resale.

The attacks linked to the young hacker impacted 28,000 customer accounts, of which the cybercriminals used 5,800 to make unauthorized purchases totaling about $721,000. The malicious operation caused $250,000 in direct losses, including chargebacks.

“To carry out the criminal scheme, the attackers used 'infostealer' malware that secretly infected users’ devices, collected login credentials, and transmitted them to servers controlled by the attackers,” the police say. “The information was then processed and sold through specialized online resources and Telegram bots.”

The police say the suspect engaged in cryptocurrency transactions with his accomplices.

Image: Cyberpolice at the suspect's house. Source: cyberpolice.gov.ua

The “session data” mentioned in the police announcement refers to session tokens that can be used to log in to the victim’s account without needing credentials and, in some cases, bypass multi-factor authentication (MFA) checks as well.

The 18-year-old suspect administered the online infrastructure used to process, sell, and utilize the stolen session data, the police stated, indicating that he held a central role in the operation.
The police conducted two searches at the suspect’s residences and seized mobile phones, computer equipment, bank cards, electronic storage media, and other digital evidence that confirm his involvement in the illegal operation. Evidence includes access to resources used to sell stolen data and to manage compromised accounts, server activity logs, and accounts on cryptocurrency exchanges.

Image: Suspect's computer. Source: cyberpolice.gov.ua

At this stage, authorities have identified the suspect, conducted searches, and seized devices and other evidence allegedly linking him to the operation. However, the announcement does not mention an arrest, suggesting that investigators may still be building the case before formally charging him.

Indicators of Compromise

  • malware — infostealer

Entities

18-year-old suspect from Odesa, Ukraine (threat_actor)