Infostealer malware operation targeting online store users
Malware Activity
Summary
Hide ▲
Show ▼
A malware operation using infostealer tools infected users’ devices between 2024 and 2025, stealing browser sessions and account credentials that enabled account theft and unauthorized purchases. The operation affected 28,000 customer accounts, making it a significant credential-theft and fraud event. It also shows how session tokens can be abused to bypass normal account protections.
Related Happenings
Icarus Salesforce data-theft extortion campaign
Campaign
H score42
First: 18.06.2026 17:19
Last: 18.06.2026 17:19
Sources 1
About this happening:
The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...
Icarus Salesforce data-theft extortion campaign
CampaignAbout this happening: The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...
Latest development: 23.06.2026 16:58
LastPass says an unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in its Salesforce environment, potentially exposing customer names, phone numbers, email addresses, physical addresses, support case information, and sales/CRM data; LastPass says its products, services, infrastructure, and customer vaults were not affected, rotated the exposed API/OAuth tokens, disabled employee access to Klue, and notified law enforcement.
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
An 18-year-old man from had assets seized in suspected infostealer operator investigation
Law Enforcement
H score28
First: 21.05.2026 00:36
Last: 21.05.2026 00:36
Sources 1
How related:
At this stage, authorities have identified the suspect, conducted searches, and seized devices and other evidence allegedly linking him to the operation.
About this happening:
**Ukrainian cyberpolice** and **U.S. law enforcement** identified a suspected **infostealer** operator and executed **searches and seizures** in a cross-border cybercrime investig...
An 18-year-old man from had assets seized in suspected infostealer operator investigation
Law EnforcementHow related: At this stage, authorities have identified the suspect, conducted searches, and seized devices and other evidence allegedly linking him to the operation.
About this happening: **Ukrainian cyberpolice** and **U.S. law enforcement** identified a suspected **infostealer** operator and executed **searches and seizures** in a cross-border cybercrime investig...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
H score39
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
CampaignAbout this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
H score82
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor MetaAbout this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Timeline
-
21.05.2026 00:36 2 articles · 1mo ago
Ukrainian cyberpolice identify Odesa infostealer suspect
Initial DisclosureUkrainian cyberpolice working with U.S. law enforcement identified an 18-year-old from Odesa suspected of running an infostealer malware operation targeting users of an online store in California. The operation allegedly used information-stealing malware between 2024 and 2025 to infect devices, steal browser sessions and account credentials, and process stolen session data through online resources and Telegram bots. Authorities said the campaign impacted 28,000 customer accounts, 5,800 accounts were used for unauthorized purchases totaling about $721,000, and direct losses reached $250,000 including chargebacks; police also conducted searches, seized devices and other evidence, and noted that session tokens can sometimes bypass MFA checks.
Show sources
- Ukraine identifies infostealer operator tied to 28,000 stolen accounts — www.bleepingcomputer.com — 21.05.2026 00:36
- Ukraine identifies infostealer operator tied to 28,000 stolen accounts — www.bleepingcomputer.com — 21.05.2026 00:36