The Ukrainian cyberpolice, working in conjunction with U.S. law enforcement, has identified an 18-year-old man from Odesa suspected of running an infostealer malware operation targeting users of an online store in California.
According to the Ukrainian police, the threat actor used information-stealing malware between 2024 and 2025 to infect users’ devices and steal browser sessions and account credentials.
Infostealers are a popular type of malware that harvests sensitive data, including passwords, browser cookies, session tokens, crypto wallets, and payment information, from infected devices and sends it to cybercriminals for account theft, fraud, and resale.
The attacks linked to the young hacker impacted 28,000 customer accounts, of which the cybercriminals used 5,800 to make unauthorized purchases totaling about $721,000. The malicious operation caused $250,000 in direct losses, including chargebacks.
“To carry out the criminal scheme, the attackers used ‘infostealer’ malware that secretly infected users’ devices, collected login credentials, and transmitted them to servers controlled by the attackers,” the police says.
“The information was then processed and sold through specialized online resources and Telegram bots.”
The police say the suspect engaged in cryptocurrency transactions with his accomplices.
Source: cyberpolice.gov.ua
The “session data” mentioned in the police announcement refers to session tokens that can be used to log in to the victim’s account without needing credentials and, in some cases, bypass multi-factor authentication (MFA) checks as well.
The 18-year-old suspect administered the online infrastructure used to process, sell, and utilize the stolen session data, the police stated, indicating that he held a central role in the operation.
The police conducted two searches at the suspect’s residences and seized mobile phones, computer equipment, bank cards, electronic storage media, and other digital evidence that confirm his involvement in the illegal operation.
Evidence includes access to resources used to sell stolen data and to manage compromised accounts, server activity logs, and accounts on cryptocurrency exchanges.
Source: cyberpolice.gov.ua
At this stage, authorities have identified the suspect, conducted searches, and seized devices and other evidence allegedly linking him to the operation.
However, the announcement does not mention an arrest, suggesting that investigators may still be building the case before formally charging him.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
