
Raccoon Stealer malware development

Updated on 2022-11-04: Raccoon Stealer v1

Team Cymru’s S2 research team published a report on Thursday on the infrastructure used by the first iteration of the Raccoon Stealer malware. Researchers said that based on their analysis of the malware’s infrastructure, they tracked Raccoon’s server infrastructure to the city of Kharkiv, Ukraine, and also found that payment card data stolen from user systems through the Raccoon malware was sold on CC2BTC, an underground carding marketplace operated by the Raccoon gang themselves. CC2BTC went down in March, just like the entire Raccoon v1 operation, when one of its core devs, a Ukrainian national, was detained in the Netherlands.

Updated on 2022-10-30: Ukrainian charged for operating Raccoon Stealer malware service

A 26-year-old Ukrainian national is charged over his involvement with the Raccoon data stealer malware, which bad actors can rent access to. The DOJ accuses Mark Sokolovsky of stealing millions of credentials and other forms of ID, such as email addresses, bank accounts and credit card numbers, from victims’ machines. The FBI set up a “Have I Been Pwned”-style site to let anyone check if their information was collected as part of the cache. Sokolovsky is currently in a Dutch prison awaiting extradition to the U.S. after he was arrested in March.

Updated on 2022-10-27: Raccoon Infostealer arrest and indictment

The US Department of Justice announced the March arrest of Mark Sokolovsky, a Ukrainian national, for his role in the Raccoon Infostealer malware-as-a-service operation. Sokolovsky was arrested in the Netherlands in March and the FBI, Dutch and Italian authorities concurrently dismantled Raccoon’s infrastructure. Read more: Newly Unsealed Indictment Charges Ukrainian National with International Cybercrime Operation

Updated on 2022-10-26: Raccoon Stealer dev didn’t die in Ukrainian war; he was arrested in the Netherlands

Back in March, the administrator of the Raccoon Infostealer malware announced they were shutting down their service after “a friend and a great developer” who was responsible for maintaining critical parts of their infrastructure had been “lost” following Russia’s invasion of Ukraine, a month earlier.

But—surprise, surprise—it turns out that the developer didn’t die in the war, and he stopped responding to his co-workers because he was arrested in the Netherlands at the request of the FBI.

All of this came to light yesterday when the US Department of Justice unsealed charges against Mark Sokolovsky, 26, a Ukrainian national, for his role in maintaining the Raccoon Infostealer (also known as Raccoon Stealer) malware-as-a-service (MaaS).

The DOJ said that together with Dutch and Italian authorities, the FBI also seized servers operated by the Raccoon gang, effectively taking offline that older version of the Raccoon operation.

The Raccoon gang made a comeback three months later, in June, with version 2.0, most likely after they found a replacement for their “departed” colleague.

DOJ officials said the FBI found approximately 50 million unique user credentials stored on the seized Raccoon Infostealer servers, representing credentials stolen from the browsers of users infected by the Raccoon gang and their MaaS customers.

Authorities said they don’t believe they have the entire list of stolen credentials pilfered by the Raccoon operation, but they are making the entire data set searchable via a dedicated website, so users and companies can see if any of them got infected by the malware in the past and proceed to change credentials.

Raccoon Infostealer Disclosure

Updated on September 2022: Raccoon Stealer v2

Security firm CloudSEK published a technical report on the latest version of the Raccoon Stealer malware, also known as Recordbreaker. Read more: Recordbreaker: The Resurgence of Raccoon

Cybersecurity firm Zscaler published a technical analysis of the Raccoon Stealer v2 malware. A similar report is also available from Sekoia.

Updated on June 2022: Raccoon Stealer is back

A new version of the Raccoon Stealer malware, dubbed V2, is being traded on underground cybercrime forums, per S2W Talon. The malware’s creator suspended operations in late March this year, claiming that a key developer died during Russia’s invasion of Ukraine.

Overview: Several new information-stealers pop up in wake of Raccoon’s shutdown

Threat actors are pivoting to several new information-stealing malware families in the wake of Raccoon Stealer shutting down. The creators of Raccoon Stealer, a malware available for purchase, announced it was ceasing operations after one of its developers died in the Russian invasion of Ukraine. Taking its place are several different “as a service” tools that attackers can purchase access to in order to infect targets and steal their personal information and login credentials. Security researchers have specifically called out FFDroider and Lightning Stealer for stealing data and launching follow-on attacks by infiltrating the Telegram messaging app. The operators behind another malware, MarsStealer, claim they’ve received an uptick in requests after Raccoon’s shutdown.


Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
