Infostealer malware operation targeting online store users
Malware Activity
Summary
A malware operation using infostealer tools infected users’ devices between 2024 and 2025, stealing browser sessions and account credentials that enabled account theft and unauthorized purchases. The operation affected 28,000 customer accounts, making it a significant credential-theft and fraud event. It also shows how session tokens can be abused to bypass normal account protections.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
An 18-year-old man from Odesa had assets seized in suspected infostealer operator investigation
Law Enforcement
First: 21.05.2026 00:36
Last: 21.05.2026 00:36
Sources 1
How related:
At this stage, authorities have identified the suspect, conducted searches, and seized devices and other evidence allegedly linking him to the operation.
About this happening:
**Ukrainian cyberpolice** and **U.S. law enforcement** identified a suspected **infostealer** operator and executed **searches and seizures** in a cross-border cybercrime investig...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Jinkusu-Starkiller ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 03.03.2026 13:10
Last: 03.03.2026 13:10
Sources 1
About this happening:
**Jinkusu** is marketing **Starkiller** as a phishing-as-a-service platform that proxies live login pages to **bypass MFA** and capture session tokens. The service lets customers...
Timeline
21.05.2026 00:36 · 2 articles
Ukrainian cyberpolice identify Odesa infostealer suspect
Initial Disclosure: Ukrainian cyberpolice, working with U.S. law enforcement, identified an 18-year-old from Odesa suspected of running an infostealer malware operation targeting users of an online store in California. The operation allegedly used information-stealing malware between 2024 and 2025 to infect devices, steal browser sessions and account credentials, and process the stolen session data through online resources and Telegram bots. Authorities said the campaign impacted 28,000 customer accounts; 5,800 of those accounts were used for unauthorized purchases totaling about $721,000, and direct losses reached $250,000 including chargebacks. Police also conducted searches, seized devices and other evidence, and noted that stolen session tokens can sometimes bypass MFA checks.
Sources:
- Ukraine identifies infostealer operator tied to 28,000 stolen accounts — www.bleepingcomputer.com — 21.05.2026 00:36