Ukraine identifies infostealer operator behind 28,000 stolen accounts

Ukrainian police, working in cooperation with US law enforcement, have identified an 18-year-old man from Odesa who is suspected of creating a malicious program that targets users of an online store in California.
According to Ukrainian police, the threat actor used data-stealing malware between 2024 and 2025 to infect users’ devices and steal browser sessions and account information.
Infostealers are a popular type of malware that harvests sensitive data, including passwords, browser cookies, session tokens, crypto wallets, and payment information, from infected devices and sends it to cybercriminals for account takeover, fraud, and resale.
The attack linked to the young hacker affected 28,000 customer accounts, of which 5,800 were used to make unauthorized purchases totaling an estimated $721,000. The fraud caused direct losses of $250,000, including refunds to affected customers.
“To carry out this criminal scheme, the attackers used malware called ‘directory’ that secretly infects users, collects login information, and transmits it to servers controlled by the attackers,” the police said.
“The information was then processed and sold through special internet services and Telegram bots.”
Police said the suspect was involved in cryptocurrency trading with his accomplices.

Source: cyberpolice.gov.ua
The “session data” mentioned in the police announcement refers to session tokens that can be used to log into a victim’s account without requiring credentials and, in some cases, bypassing multi-factor authentication (MFA) checks as well.
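Because a replayed session token presents no password and triggers no MFA prompt, the server side often has only one signal left: the same session identifier suddenly arriving from a client that does not look like the one that logged in. The following Python is an added example, not code from the police announcement or from the affected store, that runs that check over a few constructed access-log lines. The log format, the `sid=` cookie field, the IP addresses and the list of sensitive paths are all assumptions made for the example.

```python
"""Flag session identifiers reused from a different client fingerprint.

Added example: a stolen session cookie lets an attacker act as the user
without credentials or MFA, so detection has to key on the session ID
being used from an (IP, User-Agent) pair other than the one that
established it. Log format, cookie field name, addresses and the
sensitive-path list below are assumptions for this example.
"""
import re

# Assumed log line layout:
#   <timestamp> <client-ip> sid=<session-id> ua="<user agent>" <method> <path>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)" '
    r'(?P<method>\S+) (?P<path>\S+)$'
)

# Paths where a replayed session does real damage (assumed for the example).
SENSITIVE_PATHS = {"/checkout", "/account/payment", "/account/email"}

# Constructed sample log: session abc123 logs in from one browser, then the
# same cookie shows up from a different IP and browser and reaches checkout.
# Session def456 is a normal session used from a single client.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 203.0.113.7 sid=abc123 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122" POST /login
2025-03-01T10:01:10Z 203.0.113.7 sid=abc123 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122" GET /account
2025-03-01T10:05:42Z 198.51.100.23 sid=abc123 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/124" GET /account
2025-03-01T10:06:01Z 198.51.100.23 sid=abc123 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/124" POST /checkout
2025-03-01T10:07:00Z 192.0.2.55 sid=def456 ua="Mozilla/5.0 (Macintosh) Safari/17" POST /login
2025-03-01T10:08:00Z 192.0.2.55 sid=def456 ua="Mozilla/5.0 (Macintosh) Safari/17" GET /orders
"""


def parse_log(text):
    """Parse log text into a list of dicts; lines not in the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_replayed_sessions(records):
    """Return {session_id: [alert, ...]} for sessions used from a client
    fingerprint (IP, User-Agent) that differs from the one seen first.

    A User-Agent change inside one session is rare for a real browser and
    is scored high; an IP change alone is common (mobile networks, VPNs)
    and is scored low unless the request hits a sensitive path.
    """
    origin = {}   # session id -> (ip, ua) of the first request observed
    alerts = {}
    for r in records:
        sid = r["sid"]
        if sid not in origin:
            origin[sid] = (r["ip"], r["ua"])
            continue
        first_ip, first_ua = origin[sid]
        ip_changed = r["ip"] != first_ip
        ua_changed = r["ua"] != first_ua
        if not (ip_changed or ua_changed):
            continue
        severity = "high" if (ua_changed or r["path"] in SENSITIVE_PATHS) else "low"
        alerts.setdefault(sid, []).append({
            "ts": r["ts"], "ip": r["ip"], "ua": r["ua"], "path": r["path"],
            "ip_changed": ip_changed, "ua_changed": ua_changed,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(parse_log(SAMPLE_LOG)).items():
        for h in hits:
            print(f"{h['severity'].upper()}: session {sid} reused at {h['ts']} "
                  f"from {h['ip']} ({h['ua']}) -> {h['path']}")
```

On the sample data only `abc123` is flagged, with both hits scored high: the User-Agent changed along with the IP, and the second request reached `/checkout`. The IP-only case is deliberately scored low because it produces constant false positives for mobile users; in a real deployment the response to a high-severity hit is to invalidate the session and force a fresh login with MFA rather than merely to log it.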
The 18-year-old suspect was in charge of the internet infrastructure used to process, sell and use the stolen information, police said, indicating that he had a major role in the operation.
Police searched the suspect’s residence twice and seized mobile phones, computer equipment, bank cards, electronic storage devices, and other digital evidence confirming his involvement in the illegal activity.
Evidence includes access to resources used to sell stolen data and manage compromised accounts, server activity logs, and accounts on cryptocurrency exchanges.

Source: cyberpolice.gov.ua
Authorities have identified the suspect, searched his residence, and seized tools and other evidence allegedly linking him to the operation.
However, the announcement did not mention an arrest, suggesting that investigators may still be building their case before formally charging him.
